Critical Infrastructure

Power, Water, Transportation

How can critical infrastructure be protected from cyber-attacks?

Imagine that you have almost finished your shift at a control center distributing power to a couple of hundred thousand homes and businesses. Then you notice something odd on your screen. The mouse cursor is moving by itself, and not just randomly. Before you can react, the runaway cursor has opened a circuit breaker at a substation, and the realization that someone else is remotely controlling the SCADA system is setting in. Before long, the machine has logged you out, and as you desperately try to get back in, you notice your password has been changed, leaving you helplessly watching as substation after substation goes offline.
This was the scenario at the operations center serving the Ivano-Frankivsk region in Ukraine two days before Christmas 2015. The power grid had been hacked; the intruders were in full control and staged a large-scale breakdown, leaving 220 000 subscribers without electricity for several hours. Thanks to manual backup functionality, the power was restored later the same day. The control center was, however, not fully operational until months later, a wake-up call for the many infrastructure owners around the world that do not have manual options available.

Threats to critical infrastructure

Before and after this event, several similar attacks have targeted control systems. This includes critical infrastructure, industrial manufacturing automation systems and safety systems. As owners and operators find themselves faced with security challenges that were unthinkable to most less than a decade ago, society's concern is rising for good reason. Critical infrastructure around the world is completely dependent on automated control systems, often referred to as Operational Technology (OT) or Industrial Automation and Control Systems (IACS). Examples include power production and distribution, railway signaling, flight control, traffic light control, water management and many more. Some of these systems may be vital to a nation's security. For all of them, safe and reliable operation is essential.

Today there are various threats to worry about. Infrastructure owners risk becoming a selected target of foreign state intelligence services or criminal groups. Targeted attacks can also come from hacktivists and disgruntled employees. In many cases, however, the infrastructure owner becomes a victim of malware that accidentally makes its way into the OT system.

Hacking, malware and viruses have now been around for several decades. Why is it that they have only recently come to pose a real threat to industrial infrastructure?

Traditionally, security risks to such systems have been mitigated by maintaining an “air gap” from other computer systems. Increased digitalization and modernization of control systems bring benefits such as safer, more reliable and more efficient operations. Smart grids, and automation that lets robots take over hazardous tasks, are good examples. The price to pay, however, is increased vulnerability:

Proprietary, often serial, communication protocols are rapidly being replaced by Ethernet/IP-based communication. Ethernet is cheaper, vendor neutral and compatible with modern technology. It does, however, leave controllers more accessible to a perpetrator or to malware that has made its way into the infrastructure.
Remote control and maintenance capabilities are being more widely utilized. Remote access to critical infrastructure can be set up in very secure ways, but also in less secure ways. Remote access always represents a possible entry point for attacks.
Technology used by various industrial services is becoming more similar, allowing the same attack to be repeated against many different infrastructure sectors. IT platforms such as Windows and Linux are today common in industrial systems and may allow IT-type attacks to affect and propagate through these systems. At the same time, implementing IT security best practices, such as keeping systems patched and endpoint protection up to date, is often hard and sometimes impossible in industrial settings.
Going back to the situation in the Ukrainian power grid in 2015, all of these elements played a role in making it possible for an attacker to remotely control physical equipment like circuit switches.

How to protect critical infrastructure from cyberattacks

All protection strategies and attack responses have to be based on sufficient situational awareness. This means being aware of possible security holes and knowing the vulnerabilities in your specific infrastructure. Next, you have to know when someone has started a silent reconnaissance campaign in your network. They might look around for the IP addresses of OT machines, credentials, firewall settings and so on. You would also need to know if malware has been transferred to your OT machines via an engineering laptop or a USB drive and is now lying dormant, waiting for a signal to execute.
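The vulnerability list above (flat Ethernet/IP networks, remote access, commodity platforms) and the situational-awareness point come down to one practical question: do you know which hosts are supposed to talk to your controllers, and would you notice a new one looking around for them? The Python script below is an added example of that kind of baseline check; it is not Secure-NOK's code and not taken from the Siemens white paper. The asset inventory, the baseline of expected conversations, the flow-log lines and the use of 502/tcp (the Modbus/TCP port) as the controller service port are all constructed or assumed for illustration. It flags conversations with inventoried OT assets that are not in the reviewed baseline, and then looks for the footprint of reconnaissance among those: one source touching several OT hosts, or many ports on one OT host.

```python
"""
Baseline-based detection of unexpected conversations and scan-like
fan-out in a flat OT network. Added illustration: every address, asset
name and flow record below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed asset inventory (the output of an "Identify"-type activity).
OT_ASSETS = {
    "10.10.1.10": "HMI-1",
    "10.10.1.11": "HMI-2",
    "10.10.1.20": "engineering-ws",
    "10.10.2.1": "RTU-substation-A",
    "10.10.2.2": "RTU-substation-B",
    "10.10.2.3": "RTU-substation-C",
}

# Constructed baseline of expected conversations (src, dst, dport, proto),
# learned during a quiet period and reviewed by the operator. On a flat
# Ethernet/IP network every controller is reachable from every host, so
# this reviewed list, not the network layout, defines "normal".
# 502/tcp (Modbus/TCP) is assumed here as the controller service port.
BASELINE = {
    ("10.10.1.10", "10.10.2.1", 502, "tcp"),
    ("10.10.1.10", "10.10.2.2", 502, "tcp"),
    ("10.10.1.10", "10.10.2.3", 502, "tcp"),
    ("10.10.1.20", "10.10.2.1", 502, "tcp"),
}

# Constructed flow log: four baseline flows, then a second HMI talking to an
# RTU it never talks to, an unknown host 10.10.1.99 contacting every RTU, and
# the engineering workstation probing five ports on RTU-B.
SAMPLE_LOG = """\
10.10.1.10 10.10.2.1 502 tcp
10.10.1.10 10.10.2.2 502 tcp
10.10.1.10 10.10.2.3 502 tcp
10.10.1.20 10.10.2.1 502 tcp
10.10.1.11 10.10.2.2 502 tcp
10.10.1.99 10.10.2.1 502 tcp
10.10.1.99 10.10.2.2 502 tcp
10.10.1.99 10.10.2.3 502 tcp
10.10.1.20 10.10.2.2 21 tcp
10.10.1.20 10.10.2.2 22 tcp
10.10.1.20 10.10.2.2 23 tcp
10.10.1.20 10.10.2.2 80 tcp
10.10.1.20 10.10.2.2 443 tcp
"""


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def unexpected_flows(flows, baseline=BASELINE, assets=OT_ASSETS):
    """Flows that involve an inventoried OT asset but are not in the baseline."""
    return [
        f for f in flows
        if (f.src in assets or f.dst in assets)
        and (f.src, f.dst, f.dport, f.proto) not in baseline
    ]


def detect(lines, baseline=BASELINE, assets=OT_ASSETS,
           host_threshold=3, port_threshold=5):
    """Return unexpected flows and the sources whose unexpected flows fan out
    across >= host_threshold OT hosts or >= port_threshold ports on one host.
    Fan-out is counted over unexpected flows only, so an HMI that legitimately
    polls many RTUs is not flagged."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    unexpected = unexpected_flows(flows, baseline, assets)
    hosts = defaultdict(set)   # src -> set of OT hosts contacted
    ports = defaultdict(set)   # (src, dst) -> set of ports tried
    for f in unexpected:
        if f.dst in assets:
            hosts[f.src].add(f.dst)
            ports[(f.src, f.dst)].add(f.dport)
    scan_like = {s for s, d in hosts.items() if len(d) >= host_threshold}
    scan_like |= {s for (s, _), p in ports.items() if len(p) >= port_threshold}
    return {"unexpected": unexpected, "scan_like": sorted(scan_like)}


def report(result, assets=OT_ASSETS):
    """Human-readable lines, naming inventoried assets where known."""
    name = lambda ip: assets.get(ip, f"unknown host {ip}")
    lines = [f"unexpected: {name(f.src)} -> {name(f.dst)} {f.dport}/{f.proto}"
             for f in result["unexpected"]]
    lines += [f"scan-like activity from {name(s)}" for s in result["scan_like"]]
    return lines


if __name__ == "__main__":
    for line in report(detect(SAMPLE_LOG.splitlines())):
        print(line)
```

Running the script lists nine conversations outside the baseline and flags two sources: the unknown host that walked every RTU, and the engineering workstation that tried five ports on one RTU. The second finding is the kind of thing an engineering laptop carrying dormant malware produces, and it would be invisible without a baseline, since the workstation itself is a legitimate asset. In practice the baseline comes from a passive capture reviewed against the asset inventory, and the thresholds are tuned per site.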

There are several standards designed specifically to help industrial infrastructure owners manage cyber risk:

The ISA/IEC 62443 series defines procedures for implementing IACS systems in a secure way. This guidance applies to end users (i.e. asset owners), system integrators, security practitioners, and control system manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
The NIST Cybersecurity Framework (NIST CSF) was originally aimed at operators of critical infrastructure. Today it is also used by various other organizations, for example in the private sector. NIST, being the US National Institute of Standards and Technology, has its main user base in the USA. The NIST CSF is, however, gaining wider traction and is increasingly being used and referenced by other standards and organizations globally.
Many organizations use ISO 27001 to build an Information Security Management System and want to use the same system to manage cyber risk to infrastructure. When selecting the best method for securing critical infrastructure from cyberattacks, it is, however, important to find a solution that is specific to industrial purposes and solves logistical and practical challenges as well as meeting security needs. Protection strategies for a large plant will differ from those for a distributed infrastructure, for example one with numerous remote unmanned sites. The technology and work processes used to protect Windows servers may be completely different for servers in the enterprise network and in the production network.

Image credit: N. Hanacek/NIST

NIST CSF provides a methodology for an organization to assess its security needs and manage the outcomes. The structure and language of the framework make it a particularly useful tool for communication between top management and technical personnel in an organization. The core of NIST CSF is organized in five Functions – key activities to achieve desired cybersecurity outcomes. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. The Functions are further organized into Categories, Subcategories and Informative References. The five Functions are:
Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
Detect – “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”

Read more about how you can protect your infrastructure in the white paper written together with our partner, Siemens: How to safeguard sophisticated operational technology for targeted, highly dangerous cyber threats.

Secure-NOK specializes in operational technology security

Regardless of which standard you choose to guide your efforts, the key is to achieve sufficient situational awareness and to maintain it continually. This has to go together with an ability to protect yourself and respond to threats accordingly. The control center in Ukraine had several months of opportunity to discover that something fishy was going on. Unfortunately, there has, in the past, been little tradition for paying attention to the security status of OT systems. Numerous infrastructure owners still operate completely in the blind.
In Secure-NOK we specialize in operational technology security. All our solutions are developed specifically for industrial purposes; they are not based on modified IT security solutions. Our passion lies with helping infrastructure owners and operators understand and manage their risk. We take pride in providing real-time situational awareness where it really matters: in the core of the physical operation.