US Intelligence says Cyber Threat Warning Lights are Blinking Red
Why Industrial Operations are not Immune
Recently, US intelligence chief Dan Coats remarked in a talk at the Hudson Institute that ‘the warning lights are blinking red again’ on cyber attacks, as they were before the Sept 11 attacks in 2001.
While Coats addressed most of his comments to the country’s digital infrastructure, he mentioned that the targets include “elements of our critical infrastructure.”
Indeed, the warning lights in many critical infrastructures are flashing red daily because the industrial control systems (ICSs) at the heart of the country’s power grids, gas pipelines, and so on, are being attacked repeatedly. Problem is: these infrastructures are not designed to withstand breaches.
Constant Threats to ICS Networks
Threats come from individuals, organized crime, and state-sponsored actors. Just a few months ago, the United States Emergency Readiness Team issued an alert about Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.
The alert noted that since March 2016 Russian government cyber actors have targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including aviation, energy, nuclear, and water.
In addition, the alert detailed the Russian government’s actions in the DragonFly 2.0 campaign of 2017, in which hackers infiltrated energy facilities in North America and Europe and escalated their operations, possibly signaling a shift from intelligence gathering to industrial sabotage.
More recently, the Department of Homeland Security revealed that hackers working for Russia have breached the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. “They got to the point where they could have thrown switches” and disrupted power flows, according to Jonathan Homer, chief of industrial-control-system analysis for DHS. He said the campaign is likely continuing.
A recent Indegy survey found that nearly 60 percent of executives at critical infrastructure organizations believe they lack appropriate controls to protect their environments from security threats.
Other survey findings underscore the massive vulnerabilities organizations face. A whopping thirty-five percent of respondents said they have little visibility into the current state of security within their environments, while twenty-three percent reported they have no visibility.
The threats posed by cybercriminals are not limited to traditional industrial settings such as energy, manufacturing, utilities, and water treatment. For example, large data centers and smart buildings are vulnerable to attacks on their mechanical, electrical and plumbing control systems. There’s growing concern among organizations in compute intensive industries including financial services, cloud services, etc., that an attack on the air conditioning system could take a data center offline.
Challenges to Securing ICS
Unlike IT environments, securing industrial networks poses unique obstacles. ICSs were built before cyberthreats existed, and were not designed with built-in external security controls. This includes poor or non-existent visibility into SCADA (Supervisory Control and Data Acquisition) systems, which automate industrial processes and manage remote equipment devices.
The brains of all SCADA systems are programmable logic controllers (PLCs), dedicated industrial computers that make logic-based decisions to control industrial processes. Obviously, if a PLC is the victim of a cyber-attack (one that alters the logic or disables the unit), the effects could be physically and financially significant.
Another huge challenge for managers of operational networks is trying to do what IT managers take for granted — monitoring network activity for vulnerabilities, unexpected activity and changes, and indicators of compromise.
To make matters worse. The notion of connecting everything is being driven by the adoption IIoT. This new level of interconnectedness, is exposing OT infrastructures to risks and vulnerabilities that were never envisioned when they were first pressed into service.
In a nutshell, organizations need to improve their visibility into ICS network assets and activities, boost their security controls, and ramp-up their asset management. Without fully understanding which assets exist in an network, an organization cannot protect them. It is critical to know which firmware versions are installed on individual devices, what code and logic they are executing, what configurations are in place, etc.
In order to prevent unauthorized process changes and protect ICS networks from external attacks, organizations require specialized monitoring and control technologies that are not provided by device manufacturers.
For example, comprehensive, real-time visibility into the control-plane activities of industrial networks enables organizations to enforce effective security and access management policies that dictate who is allowed to make what changes, when and how.
Equally important is real-time monitoring of engineering changes made to industrial controllers either over the network or directly on the devices. This 360 degree visibility is the most effective way to detect unauthorized activities.
The cyber threat to our critical infrastructure has never been greater. Unfortunately, aside from physical controls, security for ICS environments has been an afterthought. The landscape has changed dramatically, and quickly. Our approach to protecting industrial environments from attacks must also change with it.
This article was written by Michael Rothschild, the director of product management for industrial security vendor Indegy. He has more than 20 years of experience in IT security with Thales, RSA, SafeNet (now Gemalto), Dell, Juniper Networks and Radware. In his spare time, Michael volunteers as an Emergency Medical Technician.