Once considered the unthinkable, real-life cyber attacks on critical infrastructure have taken center stage in the past three years. Advancing technologies, evolving cyber threats and a little piece of malware called Stuxnet have catapulted cybersecurity of real-world infrastructure from an academic backwater to a top government and industry priority. From power plants to water treatment sites to traffic control systems, critical infrastructure once thought invulnerable to targeted cyber attacks now lies squarely in the crosshairs.
Over the past two decades, asset owners and operators have added IT systems to help improve management of the ubiquitous industrial control systems (ICS) that perform essential mechanical functions of all kinds. These systems have led to improved service, lower costs and technological marvels such as smart grids. Unfortunately, they have also exposed critical infrastructure to software vulnerabilities that adversaries can exploit through malware and advanced persistent threats (APTs).
Critical infrastructure providers now find themselves in a harrowing position: They must protect both physical and digital assets, but often know less than their adversaries do about those assets’ vulnerabilities and how to remediate them. The complexity of IT-enabled critical infrastructure has multiplied the difficulty of protecting it, as have the skyrocketing frequency, sophistication and severity of cyber attacks over the past ten years. Consequences for failure can be catastrophic, but finding the right resources to improve protection can be challenging and expensive – making the decision to invest in security a painful business dilemma.
To protect themselves and their stakeholders from escalating cyber threats, critical infrastructure owners must first acknowledge five hard truths, according to Raju Dodhiawala, vice president and general manager at ManTech.
Hard Truth: ‘Air gaps’ do not provide infallible protection against cyber threats and APTs.
Critical infrastructure protection has always been a high-stakes business with strong economic and national security implications. Until recently, critical infrastructure providers focused almost entirely on physical security, installing multiple layers or “rings” from the front gate all the way to the most critical inner recesses. The rings are physically separated and not connected to the Internet, creating what are commonly known as “air gaps.”
At the same time, providers are taking advantage of the IT revolution by adding IT systems to improve the management of their ICS systems and the supervisory control and data acquisition (SCADA) systems that monitor and control them. This development is important because SCADA and ICS systems are not so much soft targets as brittle ones: they are hardened against physical threats so that they operate reliably in one specific way for years or decades. Any deviation from accepted operating conditions – such as those malware can introduce – can jeopardize the controller and anything the controller affects.
Air gaps and brittle, unpatched IT systems make a dangerous combination. Many asset owners, operators and regulators worldwide believe air gaps provide fail-safe protection against cyber attacks and APTs. The physical air gaps have thus fostered mental ones, an “it can’t happen here” sense of invulnerability that can lead to negligent or even reckless behavior when it comes to cybersecurity.
The reason? Cyberattacks can pass through traditional safeguards – guards, guns and gates – like ghosts. Connectivity isn’t just via a hard line anymore. Whether intentionally or hoodwinked through social engineering, authorized facility personnel can personally deliver the means of potential exploitation, either by physical device or wireless connection, past every air gap.
In fact, data from the Security Incidents Organization’s Repository for Industrial Security Incidents (RISI), one of the world’s largest databases of security incidents involving ICS and SCADA systems, indicates that three major factors related to air gaps contribute to successful cyber attacks on critical infrastructure:
- Proliferation of “soft” – that is, brittle – targets
- Multiple points of entry: Users can access control systems in many ways without a direct hard-line Internet connection, including:
— Remote maintenance/diagnostics connections
— Shared historian and manufacturing execution systems (MES) servers
— Serial connections
— Wireless systems
— Mobile laptops
— USB devices
- Poor network segmentation: Even as control networks extend to hundreds or even thousands of individual devices, most of those “flat” networks are not designed to quarantine security problems. That weakness makes it easy for attackers to enter the network in one place and quickly start wreaking havoc in many others.
Industry experts have known for years that air gap-hopping ICS/SCADA cyber attacks are not merely theoretical. Real-life proof of such attacks came in June 2010 with the discovery of the Stuxnet family of malware. Designed specifically to compromise and degrade SCADA and ICS systems in Iran’s nuclear program, Stuxnet bypassed air gaps by gaining access to facilities via flash drive and then exploited previously unknown (zero-day) vulnerabilities in Microsoft Windows® software. The malware lived undetected on Iranian networks for years, despite extensive security checks and fortifications. It also decisively showed that, air gaps or not, critical infrastructure providers have joined other large enterprises as successful targets for cyber attacks and APTs.
Hard Truth: Critical infrastructure is a prime target for cyber attacks and APTs.
Stuxnet painted a bulls-eye on critical infrastructure worldwide that will stick for years to come. It provided a how-to guide for anyone wanting to perform cyber attacks on critical infrastructure. Experts warn that it could spawn imitators, some of which will attack U.S. facilities. The “security through obscurity” that critical infrastructure providers have enjoyed for decades is no longer a viable option. Critical infrastructure cybersecurity has received too much attention since the Stuxnet story broke, and good guys and bad guys alike know cyber protection of critical infrastructure is a growth field.
Idaho National Laboratory (INL) is one of the federal government’s main sources of expertise on cybersecurity of critical infrastructure. INL predicts that between 2010 and 2015, critical infrastructure providers will:
- Expand their use of control systems, digital and Internet protocol (IP) technologies and wireless communications
- Lag on implementing proper security for those technologies, increasing their overall unprotected exposure to cyber threats
- Run into much more frequent and complex cyber threats than ever before
- Serve as guinea pigs for attackers doing their own vulnerability research
Other factors will continue to make critical infrastructure providers attractive targets for cyber attacks. For instance, it’s notoriously hard, or even impossible, to change usernames and passwords or apply security patches to many ICS and SCADA systems. Consequently, providers’ networks are rife with older vulnerabilities – tempting targets for malicious hackers who then don’t have to incur high costs to develop exploits for undiscovered weaknesses.
What’s more, successful cyber attacks on critical infrastructure will continue because Stuxnet proved such attacks could have profound economic and political ramifications – either by causing disasters on their own or multiplying the severity of existing crises. For example, severe storms in the summer of 2012 caused more than two million people from the Midwest to the Mid-Atlantic to lose power for up to a week. The outages resulted in more than 26 deaths and millions of people grappling with no air conditioning, refrigeration and more during one of the most dangerous heat waves in recent history. If nature could cause such damage, imagine the chaos and destruction a targeted cyber attack on a power grid could inflict.
All these challenges – both for enterprises at large and for critical infrastructure providers in particular – are coming to a head as smart grid systems rapidly gain popularity across the country. These IT-heavy systems install home meters, neighborhood monitors and other network-connected equipment. The equipment provides power companies with much more granular control of services, down to adjusting environmental settings for HVAC systems remotely in individual structures.
The control smart grids offer can improve cost savings and service quality, but also introduces new security risks. The rush to network devices to gain other advantages has connected devices that have never been linked to the Internet before and weren’t designed for it. Not only that, but smart grids also exponentially increase the cyber attack surface by enabling attackers to target individual homes and buildings such as schools and hospitals, not just larger regional facilities. In these respects and others, smart grids could actually be more dangerous than the legacy infrastructure they are quickly replacing.
Hard Truth: No organization – critical infrastructure providers included – can keep up with the onslaught of new cyber attacks and APTs.
With connectivity comes access. This blunt fact has forced critical infrastructure providers, like any other sufficiently large enterprise, to assume that someone somewhere has already compromised their networks. Accordingly, providers have to address the same IT security challenges as other targeted organizations, as well as their own specific challenges.
Providers face adaptive attackers who customize attacks to individual targets, using specially crafted malware that doesn’t alert traditional IT security technologies that rely on prior knowledge of threats – antivirus signatures, blacklists, etc. They prefer tools that evade detection at the perimeter and exploit desktop application vulnerabilities and social engineering. These attackers will modify their methods to circumvent any countermeasures their targets implement. They also rely on multi-point attacks, hoping that targets won’t look at the whole enterprise picture to see what’s really happening.
In addition to creating such individualized, stealthy attacks, attackers also have incredible volume and diversity of attacks on their side. Malware has mushroomed into a multi-billion dollar criminal industry, growing from fewer than one million samples a year in 2007 to more than 100 million a year in 2012. In fact, 2012 saw more malware created each month than in the entire 25 years from 1982 to 2007.
Against this scale of attack, enterprises that focus solely on preventing infection are playing a losing game, because attackers’ options for infiltration are almost limitless. Enterprises therefore need cost-effective, scalable post-intrusion detection. Managed services options offer scalable, automated solutions that can help offset the cost for many organizations. If an organization has internal security teams, those teams are often small and develop proprietary tools that are crude and can’t scale.
Hard Truth: Most critical infrastructure providers don’t know what digital vulnerabilities they have, where to find them, or how to fix them.
Each critical infrastructure provider must develop and implement cybersecurity countermeasures tailored to its specific physical and digital infrastructure. This is hugely unfamiliar territory for most providers, who have relied on their equipment vendors to handle both ICS/SCADA and IT security.
Unfortunately, neither traditional critical infrastructure vendors nor IT security vendors are fully equipped to counter the unique hybrid threat of cyber-enabled critical infrastructure attacks: The former aren’t schooled in IT security, while the latter aren’t used to protecting non-IT physical assets. Even worse, sometimes ICS/SCADA vendors don’t reveal vulnerabilities or even purposely install capabilities – such as unremovable backdoors – that attackers could easily co-opt.
Scared they might overlook dangerous threats already on their systems, providers are reaching out to private forensic analysis companies and government authorities for help. A key government component they trust is the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Control Systems Security Program (CSSP) at the U.S. Department of Homeland Security (DHS). ICS-CERT specializes in forensic incident response and vulnerability assessment throughout the critical infrastructure spectrum, from sectors as a whole to individual owners and operators.
ICS-CERT’s June 2012 Incident Response Summary Report stated that the organization fielded nine incident reports in 2009, 41 in 2010 and 198 in 2011 – a 2,100-percent increase in only two years. Most incidents were not actual attacks, but of the 17 incidents that warranted on-site assessments:
- Seven were the result of spear phishing, with at least one incident involving infection from a USB device.
- 11 involved sophisticated threat actors seeking sensitive data.
- 12 could have been deterred, detected much faster or mitigated if the organizations had implemented IT security best practices.
The report noted that while none of the intrusions targeted control system networks, the flat and interconnected nature of many organizations’ networks made them potentially easy pickings for attackers. Another common weakness ICS-CERT discovered was that most providers lacked adequate detection technologies. “Properly developed and implemented detection methods are the best strategy to quickly identify intrusions and implement mitigation and recovery procedures,” the report stated.
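The two weaknesses this article keeps returning to – flat, unsegmented networks with many points of entry, and the lack of adequate detection – can be checked with very little tooling once an owner has written down which zones exist and which conduits between them are legitimate. The following is an added example, not code from the article or from ICS-CERT: it assumes a hypothetical three-zone model (enterprise, DMZ, control) with constructed address ranges, a hypothetical conduit policy, and a constructed flow log of the form `timestamp src dst dport proto`. It flags every flow that crosses a zone boundary outside the policy, which is exactly the traffic a flat network lets through unnoticed.

```python
"""Zone-conduit audit over a constructed ICS flow log (added example).

Assumptions, all chosen for illustration: zone names and address ranges in
ZONES, the conduit table in POLICY, and the sample flows in SAMPLE_FLOWS.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone model. A real site would derive this from its own network
# inventory; the point is that the ranges are written down at all.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# (source zone, destination zone) -> destination ports the conduit permits.
# Any zone pair absent from this table is denied. Traffic that stays inside one
# zone is not policed here. A flat network is the case where every pair would
# be allowed on every port; segmentation is this table plus enforcement of it.
POLICY = {
    ("enterprise", "dmz"): {443},       # business users read a historian replica
    ("dmz", "control"): {502, 44818},   # historian/MES polls controllers (Modbus, EtherNet/IP)
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return None if the flow is permitted, otherwise a short reason string."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s != "unknown":
        return None  # intra-zone traffic is out of scope for this check
    if s == "unknown" or d == "unknown":
        return f"{s}->{d}: address outside every defined zone"
    ports = POLICY.get((s, d))
    if ports is None:
        return f"{s}->{d}: no conduit defined between these zones"
    if dport not in ports:
        return f"{s}->{d}: port {dport} not permitted on this conduit"
    return None


@dataclass
class Violation:
    line: int
    src: str
    dst: str
    dport: int
    reason: str


def audit(flow_log: str) -> List[Violation]:
    """Parse 'timestamp src dst dport proto' lines and collect policy violations."""
    found: List[Violation] = []
    for n, raw in enumerate(flow_log.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        _ts, src, dst, dport, _proto = line.split()
        reason = check_flow(src, dst, int(dport))
        if reason:
            found.append(Violation(n, src, dst, int(dport), reason))
    return found


# Constructed flow records (not real traffic). 203.0.113.0/24 is a
# documentation range standing in for an address nobody has assigned a zone.
SAMPLE_FLOWS = """
2012-07-01T10:00:01 10.10.5.20 10.20.0.5 443 tcp            # enterprise -> dmz, permitted
2012-07-01T10:00:02 10.20.0.5 192.168.100.10 502 tcp        # dmz -> control Modbus, permitted
2012-07-01T10:00:03 10.10.5.20 192.168.100.10 502 tcp       # enterprise talks straight to a PLC
2012-07-01T10:00:04 192.168.100.10 192.168.100.11 502 tcp   # PLC to PLC, not policed
2012-07-01T10:00:05 192.168.100.10 10.10.5.20 445 tcp       # control host opening SMB outbound
2012-07-01T10:00:06 203.0.113.7 192.168.100.12 22 tcp       # unzoned address reaching a controller
2012-07-01T10:00:07 10.20.0.5 192.168.100.10 23 tcp         # permitted pair, unexpected port
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"line {v.line}: {v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

Run stand-alone, the script reports four of the seven constructed flows: the enterprise-to-controller connection that bypasses the DMZ, the control host reaching out to the business network, the unzoned address touching a controller, and a permitted zone pair using an unexpected port. The same check run continuously over exported flow records is a cheap form of the post-intrusion detection the article calls for, because it needs no knowledge of any particular malware, only of the site's own intended conduits.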
Hard Truth: Most critical infrastructure providers lack the tools, skills and mindset to deal with cyber attacks and APTs.
Baking in an appreciation for security among organizations’ employees is just as important, if not more so, than baking security into IT systems themselves. Unfortunately, critical infrastructure providers face difficult personnel-related challenges when it comes to cybersecurity. A key obstacle is that certification requirements for control systems engineers – providers’ front-line troops in cyber-related conflicts – put little or no emphasis on cybersecurity for critical infrastructure.
For example, the certification exam to get a Control Systems Engineer (CSE) license from the International Society of Automation (ISA) devotes less than 10 percent – and possibly closer to just one or two percent – of its content to network security. The test makes no mention at all of cybersecurity for critical infrastructure. Neither do the audit criteria for certification by the Control Systems Integrators Association (CSIA), which do include risk management and configuration management as part of CSIA’s project management and supporting activities responsibilities.
This blind spot makes it difficult for providers to become more proactive and informed in applying cybersecurity best practices. “Until critical infrastructure organizations see themselves as probable targets and gain an understanding of the threat actor capability to penetrate, avoid detection, and maintain a presence on their networks, they will not make the necessary investments in cybersecurity,” the ICS-CERT report concluded.
Fortunately, the critical infrastructure and IT communities as a whole have taken numerous steps to improve training and education about cybersecurity. ISA has created ISA99, its Industrial Automation and Control System Security Committee, which is developing a series of American National Standards Institute (ANSI) standards. Additionally, many colleges, universities and professional organizations and conferences have created training programs and certifications. These options and others offer critical infrastructure providers the chance to educate employees and enable them to pick the right partners, processes and technology for their particular needs.