Digital Version of November/December 2014 Print Edition
Threats facing industrial control systems at critical infrastructure facilities
The practice of information assurance in industrial control and critical infrastructure systems has changed little in recent years, despite intensified awareness of exploitable vulnerabilities.
The greatest threats are those that seek to impair electronic control systems in industry and infrastructure, leading to economic losses (including espionage), public health risks and even loss of life.
The Stuxnet episode proved to many observers that cyber attacks can indeed be successful. Yet the danger to critical infrastructure in North America is not symmetrical.
The federal government, U.S. military and private sector entities in the U.S. defense industrial base (which account for the majority of critical infrastructure organizations) have all been aware of the growing threat for several years now. They have been formulating mitigation plans during that time. While such efforts are very far from complete, at least a reasonably well-resourced start has been made.
The situation is completely different in private industry. The current reality is that electronic control systems -- particularly those using various SCADA protocols -- are fundamentally unprotected from electronic attacks.
Such attacks must be carefully planned and crafted, and depend on arcane knowledge of specific large-scale industrial equipment. In addition, industrial control systems tend to be isolated, with well-guarded physical access points. For these reasons, it may be postulated that the threat to private sector critical infrastructure has been overstated.
This is emphatically incorrect. For nearly two decades, industrial control systems (ICS) have increasingly been integrated with the same computer networks that large businesses and other enterprises use to run their personal computers, databases and Websites. This movement is inevitable because it produces large management efficiencies, particularly given that enterprise networks enable broad sharing of fine-grained operational data.
Thus, the physical and electrical isolation that, for many decades, had been the basis of ICS security is no longer meaningful. This means that industrial control systems are exposed to all of the same advanced and persistent threats (APT) faced by operators of corporate databases, Websites, etc.
APT actors expose critical infrastructure to the most dire threats. The inevitability of attack is undeniable. Attacks are today’s new reality, especially among larger organizations. Infiltration, via spear-phishing, mobile devices and other social engineering techniques, only serves to increase the threat exposure to enterprises.
APT activity features well-resourced, well-motivated, stealthy and patient actors who are adept at disguising their presence and their activities. While hacktivists dominate mainstream news cycles, the true threat to ICS and critical infrastructure is from APT attacks. APT actors bring persistence, knowledge and patience to methodically compromise complex and arcane industrial systems, over time.
While much attention is focused on the disruptive effects of catastrophic impacts to environments such as electrical grids, transportation and energy infrastructure sites and health systems, the economic losses from steady, quiet theft of operational data are, on the whole, perhaps even more damaging. An attacker in possession of detailed operational knowledge of critical infrastructure is in a very strong position to act in the event of geo-political tension or war.
Existing security technologies rely generally on laborious, purpose-built information assurance controls, augmented by certain categories of commercial products, such as IDS and SIEM analyzers, and endpoint sweepers (to detect compromised hosts). These technologies are far better than nothing, but they are crude, mostly reactive rather than proactive, and require large teams of experts.
In the private sector, the primary constraint is economic. No private sector entity can afford to mount an aggressive response to a poorly understood threat, with a payoff that is defined negatively (avoidance of bad outcomes) rather than positively (increased business opportunities).
Government regulators are well aware of this problem. The current model for managing advanced threats is for regulators and regulated entities to negotiate practical improvements that are not too costly.
We can see the results of this in the electrical power generation/transmission/distribution industries, which are perhaps the most vulnerable industrial sector. The grid is already fragile, as evidenced by blackouts, even without advanced threat infiltration.
Sadly, the end result of greater regulatory pressure is not a measurable increase in security, but rather a checkmarked increase in compliance activity. To take a heterodox view, the current approach to regulating better cyber security is, in fact, a well-intentioned but counterproductive waste of resources.
What do we need to improve security in enterprise environments? Based on our experience, the answer is improved incident response and general security best practices, better security technology, and automation of threat-intelligence responses.
Private enterprises don’t always have the resources to engage in extensive development of better ICS-type security practices. These will need to be developed by a nexus of regulators, industry groups and technology vendors. There is tremendous urgency to get this done in ways that are applicable to each specific critical infrastructure sector, and packaged as recommendations that can be followed by infrastructure operators.
Technology effectiveness is improving, but sadly at a snail’s pace. Remember that the key attribute of APT actors is stealth. They go to great lengths (quite successfully) to masquerade quietly as what appear to be legitimate control and data-monitoring users.