The cybersecurity community has long warned of risks to critical infrastructure such as electrical grids, dams and oil and gas refineries. While these issues have sometimes been on the back burner for world governments and corporations, attention to them is now intensifying. Recent legislation has underscored the scope of the infrastructure challenge. For example, the U.S. House of Representatives recently passed three related bills, including the National Cybersecurity and Critical Infrastructure Protection Act of 2014, which codifies real-time information sharing between the Department of Homeland Security and the private sector.
Breaches, Stuxnet and Windows XP fuel concerns about critical infrastructure
Why the sudden uptick in action against critical infrastructure threats? There may be several reasons for the renewed concern:
- Last winter's string of high-profile retail breaches was a reminder that even massive, seemingly secure organizations are vulnerable to carefully planned cyberattacks. Retailers that were Payment Card Industry compliant were nevertheless breached via network intrusions and, in some cases, malware distribution through vital systems such as point-of-sale terminals. It's easy to imagine something similar happening to an electricity supplier or water treatment plant.
- Stuxnet broke ground as apparently state-supported malware capable of compromising infrastructure such as nuclear enrichment facilities in Iran. Similarly, Flame may have been used for advanced cyber espionage in the Middle East. Countries haven't yet resorted to overt cyberwarfare, although some have admitted to offensive capabilities. Meanwhile, covert activities continue in earnest, with groups such as APT1 – thought to be a unit of the People's Republic of China's People's Liberation Army – spreading advanced persistent threats.
- The end of mainstream support for Microsoft Windows XP shone a light on how many critical operations still depend on a PC operating system originally released in 2001. XP is so tightly woven into electric and gas utilities that removing and replacing it can be tricky. Outdated OSes lack the hardened security of more recent iterations.
Critical infrastructure is undoubtedly an expanding area of interest for cybercriminals. In 2013, Trend Micro researchers set up honeypots that mirrored the characteristics of industrial control systems and supervisory control and data acquisition networks – including their known vulnerabilities – and saw a wave of attacks not long thereafter.
Over the next 28 days, there were almost 40 attempts on the honeypots. ICS/SCADA systems have gradually become more Internet-facing, but with such modernization comes elevated risks of surveillance and infiltration. The situation hasn't been helped by the bolt-on approach sometimes taken toward securing critical controls.
"[A]s things changed over time, most of these systems' purposes have been reestablished, along with the way they were configured," wrote Trend Micro's Kyle Wilhoit in the research paper "Who's Really Attacking Your ICS Equipment?," later adding, "A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the Internet, with very little hindrance."
What we can learn from the energy sector's difficulties in protecting critical infrastructure
Not all critical infrastructure is equally under pressure. Energy suppliers in particular are prime targets for ill-intentioned hackers, if only because successful attacks against their facilities have such visible consequences for economies and societies. Physical attacks like the early 2013 al-Qaeda raid on a Statoil natural gas plant in Algeria give a sense of the high stakes.
There haven't been many large-scale incidents in which malware or network infiltration was pivotal to disrupting energy facilities, excepting Stuxnet's isolated damage to Iran's nuclear sites, but accidents such as the 2003 U.S. blackouts show how a simple software glitch can snowball into a widespread outage. In that case, it was a bug in an energy management system, along with some overgrown trees near power lines, that plunged much of the northeastern U.S. and parts of Ontario into darkness.
Similar weaknesses persisted even a decade later. The U.S. Federal Energy Regulatory Commission estimated that the failure of just nine of the 55,000 electrical substations in the country would be enough to trigger a coast-to-coast blackout.
Today's electrical grids are vulnerable to attacks that could have effects similar to those blackouts. Ironically, a big part of the problem is the IP connectivity introduced into control systems ostensibly to make them more efficient. Energy facilities used to have relatively small attack surfaces, since they not only relied on a local access network but were also geographically isolated, making physical intrusion difficult.
While the Internet and other forms of connectivity have made remote site management and monitoring easier, they've also created new avenues for attack. In the aforementioned Trend Micro paper, Wilhoit demonstrated that some ICS/SCADA systems could be located via conventional Google searches.
The good news is that the energy industry is increasingly aware of the changing risk landscape and of what must be done to secure tightly connected infrastructure. A recent study from Black & Veatch, "2014 Strategic Directions: U.S. Electric Industry," found that energy companies were focusing on identifying and addressing critical vulnerabilities. Findings included:
- Cybersecurity was ranked as the sixth biggest concern for electric utilities in 2013 but rose to fourth place in 2014. It trailed only various regulations and reliability requirements.
- Aging infrastructure and physical security were ranked seventh and eighth on the same list, respectively.
- One-third of respondents reported that they had integrated security systems that would provide sufficient protection against a wide range of cyberthreats.
"The industry is paying attention and actively seeking ways to bolster security practices to limit power system vulnerability," stated the report authors. "We are seeing an industry that is actively moving forward with the deployment of comprehensive asset protection plans following several high-profile cyber and physical threat events."
ICS/SCADA systems and other critical infrastructure clearly deserve concerted attention from public and private sector entities everywhere. Firms can already get on the road toward better security by shoring up access controls and network access policies across their organizations. Strong authentication, SSL/TLS encryption and limits on Internet access to vital resources should be applied when and where necessary.