IT security and new regulations needed to protect critical infrastructures
Week after week one company after another was breached with high profile impact. Unfortunately the public utilities industry was no different. In November 2011, the deputy assistant director of the FBI's Cyber Division, Michael Welch, told a London cyber security conference that hackers had recently accessed the critical infrastructure in three U.S. cities by compromising their internet-based control systems.
Around that same time separate reports surfaced regarding hacks into water utilities in Illinois and Texas. These incidents likely led to a reissued warning in December by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS). This warning was targeted to control system owners and operators addressing their potential vulnerability to cyber intrusion and attack mainly through their remote access and monitoring systems, which often have no firewall protection and weak authentication systems.
These recent incidents highlight concerns shared by many when it comes to cyber security practices and standards employed in the defense of critical infrastructure. Since American Presidential Directive PDD-63 concerning Critical Infrastructure Protection (CIP) was enacted in May of 1998, progress has been made. However, one has to question whether we’ve caught up or fallen further behind.
In fact, these recent attacks against critical infrastructure have led many officials in Washington to introduce cybersecurity legislation that could give the Department of Homeland Security power to enforce cybersecurity standards for critical infrastructure companies. And while no new legislation has been enacted, it is good to see that the federal government is taking this matter seriously and hopefully this increased awareness can lead to action from critical infrastructure companies on this matter.
The increasing connectedness of infrastructure not only makes us more vulnerable to cyber security attacks but increases the cascading effect an attack can have on other infrastructure sectors and capabilities. When PDD-63 was enacted, it’s likely those same hacked water utilities weren’t even accessible via the Internet. Today, much, if not most, of our critical infrastructure is either directly connected to the Internet or indirectly via corporate networks that are.
The critical infrastructures public utilities provide make them a target of interest for a variety of threats. The catalysts behind these threats fall into the following primary categories: cyberwar, cyberterrorism, cybercrime, and hacktivism.
The United States is the super power of cyberwarfare, however, we are not alone in the possession of these capabilities. As other countries have evaluated their offensive and defensive warfare postures, cyberwarfare has become a fundamental capability of most. Cyberwarfare is a unique and powerful weapon. It can provide a meaningful deterrence against countries with superior conventional forces. If a country were able to demonstrate the ability to bring down countries' energy grid, that countries military and diplomat options could be significant constrained and influenced.
While the threat of cyberwar might seem alarmist, it cannot be ignored. The United States has in the neighborhood of 20,000 cyberwarriors. China and Russia have similar numbers. Most European nations have forces along with bad actor nations such as North Korea and Iran. Our country and others would not be investing in training and maintaining cyberwar forces if these threats were not real.
Cyberterrorism poses a similar threat as cyberwarfare. The main difference between the two is resources and capabilities that can be applied. However, a cyberterrorist organization colluding with a nation state or criminal interests could be a potent threat. However, unlike nations, cyberterrorists do not concern themselves with international laws against targeting civilians or civilian infrastructure.
Cybercrime and hacktivism are two other threats utilities need to be concerned with. 2011 was a banner year for cybercriminals. Able to leverage a significantly mature cybercrime supply chain, an increasing number of companies found themselves targets as cybercriminals had more options and means of monetizing their illegal activities. 2011 was a defining year for the hacktivist as well with many government and corporate networks targeted in support of various social causes.
The reasons a cybercriminal or hacktivist might target a public utility are different. The prior might do so in an effort to extort money less services be disrupted. Insider threats must also be considered whether acting on their own (i.e., fraud) or in voluntary or forced collusion with another. A hacktvist might target a utility in support of environmental activism or other social causes deemed to be unseemly in the eyes of activists.
Regardless the type of threat, their target is most often the ICS/SCADA environments that support the core services utilities deliver. A fundamental challenge utilities face is that ICS/SCADA was not designed to be secure. Much of the existing infrastructure was developed and implemented prior to the rise of the Internet. Security was most often thought of in the physical sense. Nobody imaged ICS/SCADA devices and their associated serial protocols would later be converted to Internet Protocol (IP) and made accessible to untrusted networks. Many ICS/SCADA devices employ very basic, easily defeated authentication methods. They transmit data in clear text and have limited or non-existent logging capabilities. Furthering the challenge, ICS/SCADA devices employ proprietary operating systems and legacy CPUs where integrated security capabilities are hard if not impossible to introduce.
Fortunately, with focus and resources applied, ICS/SCADA can be secured. The approach to securing ICS/SCADA is similar to securing any high value cyber asset with a few notable differences. Because the primary operational objective of ICS/SCADA is availability, changes to existing infrastructure might not be possible or feasible in support of typical best practice security design. Introducing traditional network security devices may not be feasible based on network latency concerns. Installing security software directly on ICS/SCADA devices is most often not an option. For these reasons, an approach of protective monitoring must be taken.
A protective monitoring approach to security requires the deployment of typical preventative technologies (e.g., firewalls, IPS, anti-virus, etc.) where possible while introducing aggressive real-time monitoring practices across the IT infrastructure supporting high value cyber assets. The objectives of a protective monitoring approach are to: deflect attacks whenever possible, identify successful or pending breaches automatically and in real-time, provide effective situational awareness and intelligence around a breach, and enable swift remediation actions.
Of course technology is not enough by itself. Effective organizational process must be implemented to support responding to an incident in a timely and effective manner. Organizations that do not possess the internal capability of designing, implementing, and maintaining effective technology and process might want to consider a Managed Security Services Provider (MSSP) to help them fill organizational capability gaps.
Unfortunately, it is likely to only get worse for utilities when it comes to the threat landscape. Nation States will continue to test and hone their cyberwarfare capabilities. Cyberterrorist capabilities are likely to rapidly improve and critical infrastructure is an ideal target when it comes to low-risk, high-impact strikes. Cybercriminals continue to look for new ways to steal and extort. Hacktivists seem to get bolder by the day and some utilities will likely find their ire. Fortunately, taking a protective monitoring approach to securing ICS/SCADA environments is an extremely effective way to thwart these and other threats.
One can only hope that recent events will serve as a wakeup call and have a big impact on policy makers across the private and public sector. The infrastructure we rely on that enables our country to operate and to defend itself is vulnerable. The time to act is now.
biography
Chris Petersen is CTO and co-founder of LogRhythm, a leading log management and SIEM 2.0 IT security company based in Boulder, Colorado.