Securing Critical Infrastructure
The vulnerabilities of industrial control systems to cyber-threats must be recognized and understood before they can be mitigated.
By Alex Tarter, Ph.D.
Industrial control system owners should look at solutions that preserve availability while strengthening integrity against targeted cyber-attacks. PHOTO COURTESY ISTOCK/3ETI
Critical infrastructure systems have never been more advanced; they have also never been more at risk.
The potential impact of cyber-attacks on critical infrastructure continues to increase due to a rise in published vulnerabilities, wider connectivity and the adoption of open standards that can expose networks and critical edge devices to serious exploits.
A major issue is the lack of context for determining the scale and complexity of a cyber-attack. If critical infrastructure operators fail to assess attack types accurately, they may make incorrect assumptions about system vulnerabilities and their mitigation. This is why concern continues to grow about the uneven levels of response to cyber-securing critical infrastructure and the underlying network assets.
ASSESSING THE ATTACK
To help operators mitigate attacks, and to more reliably inform the public, industry must differentiate more accurately among three types of attack: the unfocused attack, the targeted attack, and the targeted industrial control systems attack.
The Unfocused Attack. The most common type of threat is untargeted and non-specific to industrial control systems (ICS). Think of this as a seasonal flu. Almost everyone will come into contact with it. Some of us will catch it even if we are in good health. All industrial control systems use Windows PCs. Ubiquity makes them a favored target. Despite the most valiant efforts to identify and patch weaknesses upon detection, attacks will occur. The Conficker worm, for instance, acted as a digital flu indifferent to the ICS or defense industries. It exploited vulnerabilities in the Windows operating system to unleash a variety of ills that included user-account lock-outs, broken websites, and radically slowed processes. It affected large swaths of industry types. Throughout Europe it caused widespread industrial interruptions with varying degrees of impact to heavy-industrial businesses such as steel mills, as well as to power stations, military flight plans, naval command and control, and police investigations.
The Targeted Attack. Somewhat less common is the targeted attack. The focus remains the Windows PC, along with other common equipment and platforms, but in this case the perpetrators actively target ICS businesses. A classic example is the Shamoon virus that infected at least 30,000 Windows-based machines on the Saudi Aramco network. The Shamoon authors specifically pursued that business's PCs, though not its control systems. Nevertheless, drilling and other operations were measurably and meaningfully impacted. Examples of this brand of attack exist across the industrial spectrum, with new cases emerging every few days or weeks: Sony Pictures, financial institutions, even the antivirus firm Kaspersky Lab. All were victims of guided cyber-assaults. In each case the method exploited enterprise system architectures; specialized knowledge of industry-specific equipment was no prerequisite.
The ICS-Targeted Attack. The most worrying of all ICS threats is the attack targeted at the control system's heart: the sensors and other basic computers that comprise it. The best known of these was Stuxnet. The Stuxnet virus initially infected a target's Windows PCs in order to infiltrate and damage control system equipment. These attacks specifically disturb the control system through its most vulnerable, unprotected components.
These are invariably the controllers that enable essential operations such as water release and temperature regulation. The relentless assaults of these advanced persistent threats ultimately hit their mark. Prevention must be complemented by a plan that enables rapid intrusion detection and immediate remediation.
PLANNING IN ADVANCE
Today's ICS must have a well-documented and approved procedure for when an advanced persistent threat infection has been discovered. Without such a plan, confusion can exacerbate impaired operations. Do you halt production and re-install each system? Must you preserve data for forensic purposes? Do you risk maintaining a "go" status while deciding the next steps? If these issues are not agreed upon in advance, the decisions will be made in the heat of the moment with potentially ruinous results. Such an unplanned response promotes errors in judgment and technical execution that will slow the comprehensive recovery of system integrity and organizational credibility.
Researchers, for instance, found that the Havex malware platform hosts an Open Platform Communications (OPC) scanning tool that, when installed, searches for and queries all the OPC equipment on a network. Interestingly, the OPC tool was poorly coded and caused numerous and varied servers to crash.
If a Havex-infected business responds in haste and without a plan, the wrong, possibly disastrous decision becomes a kind of coin toss. Should the operator leave a process running and contend with the crashing OPC equipment, or shut it down and disinfect each Windows machine, one by one? In the case of Saudi Aramco with Shamoon, managers shut down every enterprise computer. The decision could not have been made lightly and without a resulting impact on operations and profits.
Industry is best advised to expect an intrusion that is debilitating, annoying, embarrassing, or merely inconvenient. The first time may be a nuisance. The next may be disastrous. Industrial control operatives should prepare for the worst. Active monitoring of ICS systems is crucial, as is the assumption that, at some point, someone or something will breach the network perimeter. At this point, firewalls are useless. The only protection left is immediate detection and identification inside the network.
• • •
SECURITY ASSURED—U.S. NAVY SMART GRID PROGRAM
Challenge. Guided by a strategic mandate to improve energy security and efficiency, the U.S. Navy Smart Grid Program relies on cyber-secure technologies to monitor and mitigate threats to industrial control systems. To fulfill this directive across all installations within Naval District of Washington (NDW), the Navy required an enterprise-level solution that met rigid quality standards and cyber security requirements, while accommodating a mix of performance objectives.
Solution. Following a rigorous evaluation process, the Navy selected Ultra Electronics, 3eTI for advanced, cyber-secure sensor networking. The solution was tailored specifically to meet the Navy’s needs for reliability, simplicity, affordability and scalability. NDW integrates the region’s direct digital controls and supervisory control and data acquisition systems into an enterprise network. The architecture employs 3eTI’s VirtualFence system to enable critical infrastructure protection and to connect remote sensors to the Navy’s security operation centers. It facilitates alerts as well as response and analysis for security events with 3eTI’s system for secure and wireless video networking. Both systems are cyber-hardened by 3eTI’s CyberFence for high reliability and information assurance, and compliance with strict requirements for secure and consistent performance.
Outcome. NDW has met smart grid challenges while defending against cyber intrusions. Through continued sustainment efforts with industry, the agency remains protected by secure wireless sensor networks.
• • •
A constant stream of advisories from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team demonstrates that the vulnerabilities exploited by Stuxnet and other malware persist. The industry is failing to commit to comprehensive mitigation. Some crippling attacks can be launched merely by sending a single malformed packet over the network; a Windows PC need not be infected first. An attacker can access the network simply by replacing a device or introducing another one. The best enterprise security practices, training, patching and antivirus tools, will not protect against these attacks because they affect the control equipment, not the PC. Traditional enterprise-security solutions offer no defense or remediation.
An ICS-oriented defense requires an additional layer of cyber security that is as robust as the protections applied to Windows systems. If an enterprise PC requires a host-based firewall and antivirus, so too should the control system sensor or programmable logic controller deep within the ICS. These computers are on the same network and are no less vulnerable.
ICS networks link devices that are designed to trust the communications running between them. There are virtually no methods for authentication or protection against malformed or malevolent commands. Once an attack penetrates a control network, the perpetrator can disrupt operations at will. While safety systems may limit physical damage such as an explosion or meltdown, an intrusion could disrupt a continuous process, shutting down power and costing millions in repairs or lost revenue. For an industry dependent on peak availability, such consequences are far from insignificant.
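The three paragraphs above make one defensive point: devices inside a control network trust each other, so a new or replaced device, an unexpected command, or a single malformed frame can go unnoticed unless something inside the network is watching for it. The following monitor is an added example written for this article (it is not the author's code and not a 3eTI product) of the minimum such inside-the-network detection can look like: an inventory of known devices, a baseline of which commands each pair is expected to exchange, and a payload-length sanity check. The addresses, command names, expected lengths and traffic records are all constructed for the example and stand in for whatever a real plant's asset inventory and traffic baseline would supply.

```python
"""Inside-the-network detection for an ICS segment (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

# Asset inventory of known devices (constructed addresses and names).
# In practice this is maintained from the plant's asset register.
KNOWN_DEVICES = {
    "10.0.1.10": "HMI-01",
    "10.0.1.20": "PLC-Water-Release",
    "10.0.1.21": "PLC-Temp-Control",
}

# Baseline of (source, destination, command) triples observed during a
# learning period. Command names are hypothetical labels for the example,
# not the codes of any particular industrial protocol.
ALLOWED_COMMANDS = {
    ("10.0.1.10", "10.0.1.20", "READ_STATUS"),
    ("10.0.1.10", "10.0.1.20", "SET_VALVE"),
    ("10.0.1.10", "10.0.1.21", "READ_STATUS"),
    ("10.0.1.10", "10.0.1.21", "SET_SETPOINT"),
}

# Expected payload length per command (constructed). A cheap structural
# check: a controller that trusts its peers will often not validate this.
EXPECTED_LENGTH = {"READ_STATUS": 4, "SET_VALVE": 6, "SET_SETPOINT": 8}


@dataclass
class Record:
    """One observed message on the control network."""
    ts: str
    src: str
    dst: str
    command: str
    payload_len: int


@dataclass
class Alert:
    ts: str
    kind: str      # "unknown_device", "unexpected_command" or "malformed"
    detail: str


def inspect(rec: Record) -> list[Alert]:
    """Return zero or more alerts for a single observed message."""
    alerts: list[Alert] = []
    # 1. Unknown talker: a device that was added or swapped in without
    #    being entered in the inventory.
    for addr in (rec.src, rec.dst):
        if addr not in KNOWN_DEVICES:
            alerts.append(Alert(rec.ts, "unknown_device", f"{addr} not in inventory"))
    # 2. Command outside the baseline for this source/destination pair,
    #    e.g. a write sent to a controller that this host only ever reads.
    if (rec.src, rec.dst, rec.command) not in ALLOWED_COMMANDS:
        alerts.append(Alert(rec.ts, "unexpected_command",
                            f"{rec.src}->{rec.dst} {rec.command}"))
    # 3. Structural sanity check: payload length must match the command.
    expected = EXPECTED_LENGTH.get(rec.command)
    if expected is not None and rec.payload_len != expected:
        alerts.append(Alert(rec.ts, "malformed",
                            f"{rec.command} payload {rec.payload_len} != {expected}"))
    return alerts


def monitor(records: list[Record]) -> list[Alert]:
    """Run inspect() over a stream of records and collect every alert."""
    out: list[Alert] = []
    for rec in records:
        out.extend(inspect(rec))
    return out


# Constructed sample traffic: one normal read followed by three messages
# that each illustrate one of the conditions the article describes.
SAMPLE = [
    Record("10:00:01", "10.0.1.10", "10.0.1.20", "READ_STATUS", 4),
    Record("10:00:02", "10.0.1.99", "10.0.1.20", "READ_STATUS", 4),   # device not in inventory
    Record("10:00:03", "10.0.1.10", "10.0.1.21", "SET_VALVE", 6),     # command never seen for this pair
    Record("10:00:04", "10.0.1.10", "10.0.1.20", "SET_VALVE", 600),   # oversized frame
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert.ts, alert.kind, alert.detail)
```

The second sample record raises two alerts (an unknown device and, because the baseline is keyed by address, an unexpected command), which is the desired behaviour when a replaced device starts talking. An allow-list of this shape only works if the inventory and baseline are kept current; the plan described under Planning in Advance is where ownership of that upkeep belongs.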
ADDRESSING THE RISK
ICS owners should look at solutions that preserve availability while strengthening integrity against targeted attacks. Operators must recognize that threats to industrial control equipment and software abound. Sound business practice demands a commitment to, and investments in, protection, rapid detection and response.
Operators must not forget that enterprise protections established for Windows PCs do not shield the industrial control network. There can be no assumption that barriers to unfocused or targeted PC attacks will also protect against ICS attacks. Just as the industry is becoming more exposed due to a growing list of equipment vulnerabilities, attackers are becoming bolder and more numerous.