Digital Version of November/December 2014 Print Edition
Critical infrastructure vulnerable to attack, warns cyber security expert
“It has been proven routinely in one security test after another that any hacker with a bit of skill and time can take control of equipment on safety-critical networks,” said Andrew Ginter, vice president of industrial security at Waterfall Security. Waterfall, of Calgary, CA specializes in providing data diodes and unidirectional security gateways to critical infrastructure facilities such as nuclear power plants, water treatment facilities, and transportation systems. Many of their security solutions are compatible with industrial applications such as Siemens SIMATIC/Spectrum, GE OSM, Modbus, and the OSIsoft PI Historian.
Ginter has 25 years of experience developing industrial cyber security products and control system software for companies such as Hewlett-Packard, Honeywell, Develcon, and Industrial Defender. In addition to a bachelor’s of science in applied mathematics and a master’s of science in computer science, he is a Certified Information Systems Security Professional (CISSP), Information Technology Certified Professional (ITCP), and Industrial Security Professional (ISP).
“Cyberwarfare is the fifth domain of warfare, after land, sea, air and space,” he said. He explains that “what is really going on today with nation-state-sponsored cyberattacks is espionage, not open warfare,” and “includes information-stealing with the occasional select acts of sabotage, such as the Stuxnet attack on Iran's nuclear weapons program.”
Ginter adds that “there are obvious military risks -- in areas of open conflict, armies routinely act to disrupt each other's military computer systems and communications systems.” Despite those risks, he mentions that he’s more concerned about “the vulnerability of critical civilian infrastructures to cybersabotage, and not necessarily by nation-states.”
He explains, “if Iran or North Korea, for example, launched a cyberattack that triggered a massive release of toxic materials from a chemical plant and poisoned a large city, the target of that attack and their allies would respond militarily.” However, he adds that “many nations now have the ability to launch such attacks, but these potential responses have kept nation-states in check.”
When it comes to the actual cyber attacks, he says that “the attack techniques can be summarized as spear-phishing to get a foothold on corporate networks -- using low-volume malware to bypass anti-virus systems and steal accounts, passwords and password hashes, ultimately creating new highly privileged accounts.”
“Attackers no longer need to break into their targets, but simply stroll in through the front door using their brand new accounts and passwords,” Ginter explains. “This kind of attack is extremely effective as it easily bypasses conventional defenses, including encryption, firewalls, anti-virus systems, security update programs, long passwords and so on.”
The true danger is that “this class of attack has been proven to be effective at taking remote control of assets on industrial control systems as well. Safety systems in critical infrastructures are designed to protect against random patterns of failure,” but he explains that “the problem is that cyberattacks do not produce random patterns of failure -- far from it”.
What Ginter finds even more problematic is that “conventional defensive capabilities on IT networks have proven ineffective at stopping this class of attack,” and “proven designs for safety systems are inadequate to protect against cyberattacks.”
Contemporary hackers and “cybersoldiers” do not need a lot of money or sophisticated equipment to perform these types of attacks, he explains. “The biggest investment needed to mount this class of attack is the effort to produce a bit of custom remote-control malware” and “the techniques of cyberattacks attributed to Chinese intelligence agencies...have become widely known and are within the reach of not just nation-states, but amateur "hacktivists," organized crime and other actors.”
Ginter believes that one of the most effective ways to prevent these attacks is for critical infrastructure sites to utilize unidirectional gateways. “Unidirectional gateways are combinations of software and specialized communications hardware that allows business-critical information to leave industrial networks without allowing any attacks (or any information at all) back into those industrial networks.”
In fact, he mentions that a number of American nuclear power plants, water treatment facilities, and other types of critical infrastructure facilities currently use unidirectional gateways. Explaining how it works, he says “at American nuclear sites, where there is no network path from the Internet or business networks into control networks, removable media that may contain malware is very tightly controlled on these networks.”
When it comes to combating this issue, he says, “there is much more work to do, and while the nuclear industry has embraced this technology, it is still deployed in only a minority of critical infrastructure sites.” He recommends that governments around the world should “raise awareness about this class of attack and encourage the use of defensive capabilities such as unidirectional gateways.”
“Critical infrastructure owners need to wake up to this threat, and start deploying effective defensive technologies, starting with unidirectional gateways whose use has been pioneered and proven by our most sensitive industrial sites.”