Why critical infrastructure is vulnerable to cyber-attacks

A new generation of malware is attacking the assets that keep modern society safe and functioning

Mike Mullane
e-tech



A new generation of malware is specifically targeting the industrial automation and control systems (IACS) used in critical infrastructure. These systems include the supervisory control and data acquisition (SCADA) technology and human machine interfaces (HMI) that are at the very heart of the assets that keep modern society safe and functioning, affecting everything from food and water to manufacturing plants and power installations.

Probably the best-known cyber-attack on critical infrastructure took place in Ukraine in 2015, when hackers successfully infiltrated the electric utility’s SCADA system. Key circuit breakers were tripped, and the SCADA system was turned into a “brick”, causing a system-wide power blackout. It left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours. Critical infrastructure around the world continues to be at risk.

Last October, reports from India eventually confirmed, following several denials, that hackers had infiltrated the country’s biggest nuclear power station, at Kudankulam in the southern state of Tamil Nadu. According to the virus scanning website VirusTotal, the hackers had managed to infect at least one computer with the so-called DTrack spyware before the breach was detected. Criminals in India had previously planted the DTrack spyware in ATMs to steal card numbers and other personally identifiable information (PII). It is feared that this time the perpetrators may have obtained a large amount of data from the nuclear plant, which could be sold to terrorists for nefarious purposes, such as sabotage or stealing radioactive material.

Meanwhile, according to reports, at least one oil installation in the Middle East is among the victims of a new kind of ransomware. As you might expect, the Ekans malware works by encrypting data and leaving a ransom note. The Duuzer malware used against South Korean manufacturing plants in 2015 worked in a similar way. What is new and more dangerous about Ekans is that it specifically targets industrial control systems. It blocks software processes that are specific to IACS, which could prevent operators from monitoring or controlling operations. The consequences could be devastating for human lives and for the environment.

IT vs. OT

Many power stations and industrial plants are not equipped to deal with these threats. A key issue, according to a recent IEC Technology Report, is that cybersecurity is too often understood only in terms of IT (information technology). Those responsible for security often overlook the operational constraints in sectors such as energy, manufacturing, healthcare or transport. The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT). From a cybersecurity perspective, the challenge is that unlike business systems, IACS are actually designed to facilitate ease of access from different networks.

That is because industrial environments have to cope with different kinds of risk. Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance. Priorities for OT environments focus on health and safety and on protecting the environment. In an emergency, it is therefore vital that operators receive accurate and timely information and can quickly take appropriate action, such as shutting off power or switching to backup equipment, in order to protect personnel or to minimize the impact of natural disasters.

Protecting SCADA systems

SCADA systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, often rely on “security by obscurity”, reflecting the ingrained mindset that since no one knows or cares about their communications systems or their data, they don’t need to protect them. However, SCADA systems can now have widespread communication networks increasingly reaching directly or indirectly into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment. The retrofitting of appropriate and effective security measures has therefore become quite difficult for these SCADA systems. In the world of IT, for example, intrusion detection and prevention systems (IDPSs) are on the frontline of defence against malware. IDPSs are usually software applications that eavesdrop on network traffic. Depending on how they are configured, IDPSs can do everything from reporting intrusions to taking actions aimed at preventing or mitigating the impact of breaches. The challenge with SCADA systems is how to distinguish between normal data and potentially intrusive data that could cause harm.

“If the intruder uses well-formed protocol messages, the IDPS may not recognize it as an intrusion,” explains smart grid cybersecurity expert Frances Cleveland, who is the convenor of IEC Technical Committee 57 Working Group 15 that develops IEC 62351 standards for power system operations.

“The best solution is for SCADA systems to use security with their communication protocols,” she says. “Security does not necessarily mean encrypting messages, but at least adding authentication and authorization as well as data integrity checking, while still allowing packet-inspection of the messages themselves, which can help IDPSs determine if invalid data is being passed.”
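To illustrate Cleveland’s point, the following is an added example in Python (not from the article, and not an IEC 62351 implementation). It uses a constructed control-message format and shows a checker that validates protocol syntax only beside one that also verifies an HMAC tag and a per-sender authorization list; the payload stays in the clear, so an IDPS can still inspect it. The message layout, the shared key, the sender names and the authorization table are all invented for the example.

```python
import hashlib
import hmac
import json

# Constructed example, not a real SCADA protocol: a JSON body followed by
# "|" and an HMAC-SHA256 tag over the body. The body is not encrypted, so a
# monitoring IDPS can still read the operation and target.
SHARED_KEY = b"example-key-not-for-production"  # assumption: pre-shared per device
KNOWN_OPS = {"read", "set_breaker"}
# Assumed authorization table: which sender may issue which operation.
AUTHORIZED = {"hmi-01": {"read", "set_breaker"}, "historian-02": {"read"}}

def encode(sender, op, target, key=SHARED_KEY):
    """Build a wire message; a sender without the key produces a bad tag."""
    body = json.dumps({"sender": sender, "op": op, "target": target}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def idps_syntax_only(wire):
    """Protocol-only check: any well-formed message with a known op passes,
    which is exactly the gap the article describes."""
    body, _, _ = wire.rpartition("|")
    try:
        msg = json.loads(body)
    except ValueError:
        return "reject: malformed"
    if msg.get("op") not in KNOWN_OPS:
        return "reject: unknown op"
    return "accept"

def idps_with_auth(wire, key=SHARED_KEY):
    """Authentication + integrity + authorization on an inspectable payload."""
    body, sep, tag = wire.rpartition("|")
    if not sep:
        return "reject: no tag"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "reject: bad tag"  # forged sender or tampered body
    msg = json.loads(body)
    if msg.get("op") not in KNOWN_OPS:
        return "reject: unknown op"
    if msg["op"] not in AUTHORIZED.get(msg["sender"], set()):
        return "reject: unauthorized"
    return "accept"
```

A syntactically valid breaker command carrying a tag computed with the wrong key, or a valid command whose target field was altered in transit, passes the syntax-only checker but fails the tag comparison; a correctly keyed command from a sender that is only allowed to read fails the authorization check.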

International standards and conformity assessment

International standards provide solutions to many of these challenges based on global best practices. For example, IEC 62443 is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.

The industrial cybersecurity programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.

In an ideal world, power stations and other critical infrastructure would be secure-by-design. In addition to security standards for key communication protocols, IEC 62351 provides guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. The thinking is that trying to patch on security after the fact can at best be only a quick fix and at worst comes too late to prevent the damage being done.

A holistic approach

A recently published IEC report on cybersecurity recommends prioritizing resilience over other more traditional cyber-defence approaches. The report says that achieving resilience is largely about understanding and mitigating risks, as well as being able to detect and cope with security events when they happen. There is no way to prevent them completely. Even secure-by-design systems, although safer, require continuous and pervasive monitoring. IEC Standards for cybersecurity emphasize the importance of applying the right protection at the appropriate points in the system, while paying attention to safety, security and the reliability of processes.

It is vital that this process is closely aligned with organizational goals because decisions about what steps to take to mitigate the impact of an attack can have operational implications. “Resilience is not just a technical issue,” warns the IEC report, “but must involve an overall business approach that combines cybersecurity techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions”.

A version of this story has appeared in the print edition of e-tech
