There are few, if any, cliches in cybersecurity more long-lived than warning of an imminent "digital Pearl Harbor," namely a cyberattack that would devastate critical infrastructure. In such a scenario, attackers would not simply steal data from compromised endpoints or conduct cyberespionage, but also exploit the growing reliance of sectors like energy and transportation on computerized systems, causing widespread damage. But beyond all the doom-laden headlines on this subject, how great is the actual risk and where is it most likely to emerge?
Cyberattacks on infrastructure are nothing new: The legacy of ICS/SCADA
Potential vulnerabilities have been continually introduced into critical infrastructure over the past 30 years as supervisory control and data acquisition (SCADA) software, itself a class of industrial control system (ICS), has been layered onto the controllers it monitors and connected to remote sites and corporate networks. From water treatment plants to automobile factories, ICS/SCADA has facilitated increased automation, collection of data from remote sites and more streamlined process management.
Going forward, these tangible benefits will only make ICS/SCADA more central to production around the world. In 2012, IMS Research estimated that the industrial automation market was worth almost $160 billion and predicted that it would balloon to more than $200 billion by 2015. Frost & Sullivan analysts looking at the same subject cited cloud computing, mobile devices and custom applications as key drivers of growth in this area.
Essentially, organizations have replaced manual workflows with ICS/SCADA, and some of these systems are now Internet-facing, which creates further openings for external attack. Notable examples of ICS/SCADA cybersecurity events include:
- The sabotage, uncovered in 2010, of uranium enrichment centrifuges at Natanz, Iran by the Stuxnet worm, one of the most sophisticated pieces of malware in history. It reached the isolated plant network on USB thumb drives, then altered the centrifuges' rotation speeds through their programmable logic controllers to wear them out prematurely, while replaying normal-looking readings to operators so that the cause was not apparent.
- A 2008 tram derailment in Lodz, Poland, caused by a teenager who used a modified TV remote control to operate track switches as a prank; four trams derailed and a dozen passengers were injured.
- A reported attack on a water utility in Springfield, Illinois in November 2011, initially attributed to Russian hackers after a pump burned out. A later DHS and FBI investigation found no evidence of an intrusion: the Russian IP address belonged to a contractor who had logged in legitimately while travelling. At the time, a LogRhythm vice president noted that such "attacks in cyberspace can result [in] physical damage," and likened the incident to Stuxnet and the related Duqu framework.
In The SCADA That Didn't Cry Wolf, a 2013 Trend Micro research paper, Kyle Wilhoit noted that while ICS/SCADA has been around seemingly forever, its security mechanisms have lagged behind its feature sets, despite the growing burden of ensuring safety on networked infrastructure. The prevailing approach to securing ICS/SCADA is still one of bolt-on half-measures and band-aids rather than security designed in from the start.
How much risk do enterprises face in securing their critical infrastructure?
Understandably, enterprises – not to mention national governments – are becoming aware of infrastructure security issues. A July 2014 Ponemon Institute survey of 599 security executives found that 57 percent of respondents believed that their ICS/SCADA implementations were vulnerable to attack. Governments in countries from the U.S. to Japan have also introduced institutions to oversee and shore up these environments.
However, organizations, especially in the private sector, have been slow to upgrade network security and patch ICS/SCADA, despite widespread realization of the associated risks. Slightly less than 30 percent of the security practitioners included in the survey reported that cybersecurity was a top priority for their firms. Teams may be holding back out of fear that introducing new solutions could compromise the performance and cost-effectiveness of legacy systems, which were designed to run for decades and are therefore often out of step with current security practices.
In this context, the lack of an event that lives up to the hyperbolic "digital Pearl Harbor" name – despite the ramifications of Stuxnet and its ilk – may be incubating complacency, leading stakeholders to put off upgrades until something truly damaging affects their interests. Commenting on the Trend Micro TrendLabs Q1 2014 Security Roundup, JD Sherry, vice president of technology and solutions at Trend Micro, listed critical infrastructure as one of many sectors struggling to fend off targeted attacks. Slowness to act has been compounded by increasingly advanced schemes.
"Organizations continued to struggle with attacks that were targeted in nature, which could be directly aimed at the energy, financial, healthcare, and retail industries or critical infrastructure," stated Sherry. "It came down to a simple equation – high-value targets that promised massive payouts were compromised despite the determined efforts of organizations to protect their valuable information."
Cloud security, encryption and data classification all key to protecting critical infrastructure
Shielding critical infrastructure from harm is a leading cybersecurity issue, with implications for both the public and private sector. In a keynote at the Cloud Security Alliance Summit earlier this year, Sherry looked at how broad uptake of cloud computing services was posing new risks to ICS/SCADA security while simultaneously creating prime opportunities for more proactive and effective defense.
A blanket ban on cloud usage is becoming unfeasible. However, enterprises that are smart about how they manage cloud and on-premises systems can reap the benefits of a secure, scalable infrastructure:
- Data classification plans can determine what information passes through ICS/SCADA and what priority it deserves. Accordingly, organizations can better understand where to focus their security efforts and what risks they run.
- Building off that, specific measures like encryption can be implemented to protect sensitive assets. Since it may not be economical to encrypt everything, having priorities can save the firm money while improving its security posture.
- Not all cloud ecosystems are created equal. Enterprises may invest in someone else's hosted infrastructure (public cloud), build a scalable internal system (private cloud) or mix and match them (hybrid cloud). During procurement, it is imperative to ensure that the cloud service provider is diligent about security and spells out associated responsibilities in the contract.
On top of that, a combination of well-honed tactics such as application whitelisting (permitting only approved executables to run on HMI and engineering workstations) and strategies like following the guidance of the National Institute of Standards and Technology (for example, NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security) can help organizations mitigate risks to critical infrastructure. The "digital Pearl Harbor" lingo may not go away anytime soon, but enterprises can ensure that they're well prepared in any event.
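Application whitelisting is named above as a tactic but not shown. The following is an added example, not code from the original article or from any vendor product: it models the core of a hash-based allowlisting agent on an ICS/SCADA host, where only executables whose SHA-256 digest appears in an approved manifest may run. It deliberately distinguishes the two cases a thumb-drive infection produces, a new unknown binary and an approved binary replaced in place, to show why matching on file path alone is not enough. File names, manifest format and the sample binaries are illustrative assumptions constructed for the example.

```python
"""Hash-based application allowlisting (added example, not the article's code).

Assumptions: executables are identified by SHA-256 of their contents; the
manifest is a plain dict {sha256_hex: approved_path}; the sample "binaries"
are constructed byte strings written to a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(approved_paths):
    """Baseline step: record the digest of every known-good executable."""
    return {sha256_of_file(p): p for p in approved_paths}


def check_execution(path, manifest):
    """Policy decision for one execution attempt. Returns (allowed, reason)."""
    if not os.path.isfile(path):
        return False, "not a regular file"
    digest = sha256_of_file(path)
    if digest in manifest:
        return True, "hash matches approved binary"
    if path in manifest.values():
        # Same path as an approved program but different bytes: tampered or replaced.
        # A path-only allowlist would wrongly permit this.
        return False, "approved path but content modified"
    return False, "unknown executable, not in manifest"


def demo():
    """Constructed scenario: one approved HMI binary, then a tampered copy and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        hmi = os.path.join(d, "hmi.exe")
        with open(hmi, "wb") as f:
            f.write(b"HMI program bytes v1")  # constructed sample content
        manifest = build_manifest([hmi])

        results = {"approved": check_execution(hmi, manifest)}

        # Simulate in-place replacement of the approved binary with an implanted one.
        with open(hmi, "wb") as f:
            f.write(b"HMI program bytes v1 + implant")
        results["tampered"] = check_execution(hmi, manifest)

        # Simulate a new executable dropped from removable media.
        dropped = os.path.join(d, "update.exe")
        with open(dropped, "wb") as f:
            f.write(b"unknown dropper from removable media")
        results["dropped"] = check_execution(dropped, manifest)
        return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:9s} allowed={allowed!s:5s} {reason}")
```

In a real deployment the manifest would be signed and stored outside the host's reach, and the check would be enforced by a kernel driver or the OS policy engine (AppLocker, Windows Defender Application Control) rather than by a script; the decision logic, however, is the same.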