The unseen enemy

Drones spotted circling French nuclear plants in the latter part of last year were a clear reminder of how the connected world facilitates anonymous intrusions into our critical utilities infrastructure. Meanwhile, recent events involving Sony are a stark reminder that the threat posed by cyber criminals to corporations around the world is very real.

No matter the motive, the ability to remotely attack or to infiltrate water, power, and telecoms infrastructure is an opportunity for massive disruption or destruction to would-be attackers – whether that be terrorists, activists, or hackers.

We have also seen a lot more openness this year around the threats that nation-states pose. Admiral Mike Rogers, the director of the U.S. National Security Agency, recently claimed that China and “one or two” other countries have the capability to mount cyber-attacks that could shut down parts of the electric grid and other critical national infrastructure (CNI).

Admiral Rogers also testified to the House of Representatives Intelligence Committee on cyber threats, saying that attackers have been able to penetrate and perform reconnaissance missions to determine how CNI networks are put together.

The targets

There are two clear targets when attacking CNI: control systems and data.

Control system attacks are rare but not unheard of. Famously, the Stuxnet virus was able to hijack the control system at Iran’s Natanz nuclear facility. Had it not been discovered, it could have gone on changing the speed of the centrifuges to wear them out prematurely whilst sending back signals saying everything was OK.

The threat of having data stolen for competitive advantage is marginally less devastating but much more common. Utilities data can be very attractive to nation states, to activists looking to cause embarrassment, and to individuals or groups who want to prove their skills or gain commercial data to sell or use for blackmail.

To date, the former is rare, but potentially devastating. However, the gravity of the latter should not be underestimated.

The challenge

The enormity of the challenge of securing utilities against cyber-attacks could not have been foreseen when much of our current infrastructure was built. Furthermore, the equipment in use within a country’s utilities ranges from very old legacy systems to brand new technology.

Connectivity, whilst essential for efficient operations, poses an increasing challenge for security. It is therefore necessary to consider how you secure the people, process, physical and cyber aspects of that network to ensure the security boundary is maintained. 

The concern is that there is a growing body of evidence to suggest that these systems, in significant numbers, have already been penetrated and there needs to be a concerted effort to address the issues.

The following steps are an essential starting point to consider when looking to secure utilities or when building them anew:

Threat Assessments and Vulnerability Audits: Understanding your vulnerabilities – especially those relating to the Industrial Control Systems (ICS) – is a crucial starting point. Whilst time-consuming, it is absolutely essential.

The complex nature of the cyber threat landscape has led to the development of the concept of “cyber mission assurance”. The objective is to ensure that ICS and IT systems will support “the mission” in the face of different threats. Fundamentally this requires an organisation to understand the real nature of its mission and the infrastructure the mission depends upon.

Securing systems also means identifying the ‘ground truth’ – carrying out behavioural analytics of ICS assets to establish the ‘normal’ patterns of life for the environment. This will help you detect unwanted connectivity which might allow people in or data out. It will also give you a baseline of normal activity from which you can identify anything that looks suspicious in future.
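As an added illustration (not from the article), here is a small Python script that builds a patterns-of-life baseline from constructed ICS connection logs and flags connections that fall outside it, separating unexpected outbound traffic (data out) from unknown devices and new internal links (people in). The log format, host names and addresses are invented for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real data): timestamp, source host,
# destination host, destination port, direction relative to the ICS boundary.
BASELINE_LOG = """\
2015-01-05T08:00:01 hmi-01 plc-03 502 internal
2015-01-05T08:00:02 hmi-01 plc-04 502 internal
2015-01-05T08:05:10 historian-01 plc-03 502 internal
2015-01-05T08:10:00 eng-ws-02 plc-04 20000 internal
2015-01-05T09:00:00 historian-01 reporting.corp.example 443 outbound
"""

MONITOR_LOG = """\
2015-02-01T08:00:01 hmi-01 plc-03 502 internal
2015-02-01T02:13:44 eng-ws-02 203.0.113.7 443 outbound
2015-02-01T02:14:01 plc-03 eng-ws-02 22 internal
2015-02-01T02:20:00 laptop-unknown plc-04 502 internal
"""

def parse_flows(text):
    """Yield (src, dst, port, direction) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, port, direction = line.split()
            yield src, dst, int(port), direction

def build_baseline(text):
    """Learn each host's normal (dst, port, direction) set and every host seen."""
    flows, hosts = defaultdict(set), set()
    for src, dst, port, direction in parse_flows(text):
        flows[src].add((dst, port, direction))
        hosts.update((src, dst))
    return flows, hosts

def find_deviations(text, baseline):
    """Return flows absent from the baseline, each with a reason for triage."""
    flows, hosts = baseline
    findings = []
    for src, dst, port, direction in parse_flows(text):
        if (dst, port, direction) in flows.get(src, set()):
            continue  # matches an established pattern of life
        if direction == "outbound":
            reason = "new outbound destination: possible data leaving"
        elif src not in hosts:
            reason = "host never seen before: possible unauthorised device"
        else:
            reason = "new internal connection: review for lateral movement"
        findings.append((src, dst, port, reason))
    return findings
```

In practice the learning window would be long enough to capture maintenance and shift cycles, and the findings fed to the incident response process rather than treated as automatic blocks.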

Stop information leaving: Systems must be put in place to monitor traffic going out or across the security boundaries. This requires sophisticated data tagging and data management governance of anything that would cause a problem if it were to fall into the wrong hands. Then technology must be placed at outbound and transition boundaries that can inspect data packets and quarantine or remove (auto redaction) anything that you don’t want leaving.

Secure your critical environment: Ensure there are physical and digital air gaps between publicly accessible infrastructure and the industrial control systems. Make sure you trust everyone who is authorised to bridge these gaps, as most breaches are down to human intervention or error. Even trusted staff could plug a compromised USB stick into the ICS or connect to it with their phone. They could also be coerced, bribed or persuaded to compromise systems deliberately.

This must be addressed through technology, vetting, training and policies. Assumptions that the system is isolated and safe are naïve and can lead to dangerous, unintended complacency.

Secure your perimeter: Create a defence when constructing accessible networks by deploying Protective Monitoring Systems to prevent anything dangerous getting into your system.

On the network, beyond the usual security (firewalls, intrusion detection systems, etc.), real-time malware detection software is vital in critical industries.

Securing the physical perimeter includes obvious measures like security fences, but is more importantly about who goes where. Identification systems must be put in place to make sure people can only enter areas if they are cleared to do so.

Vet people: No matter how good the technological defences are, people will always present the greatest challenge. The insider threat requires you to constantly monitor your staff’s behaviour and sentiment – as an insider threat can appear overnight. Hackers who infiltrated the world’s biggest oil company, Saudi Aramco, in 2012 were thought to have been helped by at least one person with high level access.

Implement a cyber-incident response strategy: The unpleasant truth is that even when following best practice protocols, you can’t prevent everything. If things do go wrong, make sure you know what to do and how to respond and recover from the attack.  Have a plan, be ready to act.

Whilst safety and security have always been paramount for utilities, the focus has tended to be on the physical aspects. Understanding the complex threat of cyber security is some way off where it needs to be.

When you’re controlling a nation’s water, gas, or nuclear power the cost of failure – even where the risk is fairly low – means security must be taken extremely seriously. A cyber-attack on our utilities would not just be embarrassing and costly, but possibly fatal.