Last month I spoke at a cybersecurity forum of public power utilities. Many were fairly small and, for the most part, were subject to the provisions of the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards that many of their larger brethren have been struggling to comply with. Nonetheless, I was struck by how many were trying to “do the right thing” with respect to cybersecurity. Given their limited budgets, much of that commitment was centered on the efforts of their employees rather than the purchase of expensive technologies. But I was still heartened by that effort when many larger utilities seem to be checking the box. Some of that is an understandable exhaustion from multiple years of intensive scrutiny by NERC CIP auditors and their overseers at the Federal Energy Regulatory Commission (FERC). With the most recent deadline passing last April, it’s not surprising that some utilities may be taking a breather. At the very least, the urgency is less now despite some passing news. For a while we thought that the Russians were hacking Burlington Electric, but that story fizzled, notwithstanding the utility’s laudable efforts to alert the industry to a threat. Potentially more serious were Turkey’s claims that someone in the United States hacked their grid and caused an outage, but weather was the more likely culprit. Finally, it seems we had a sort of repeat of December 2015’s power grid outage in Ukraine; this one is being investigated as a cyber attack in Kiev.
Moreover, while the threat hasn’t gone away, it seems other industries are grabbing the headlines. Yahoo!, the current sacrificial lamb, has made news once again, both for the size of its security breach (over one billion records) and for its apparent lack of diligence. Healthcare organizations continue to be victims of ransomware and various other breaches. And of course, who can resist the story of apparent Russian-sponsored, election-related hacking?
By contrast, electric utilities, and to a lesser extent other critical infrastructure operators in the energy, chemical, and manufacturing sectors, have fewer juicy tidbits worth stealing, at least for now. While all store personally identifiable information (PII) on employees and customers, those databases don’t appear to be as vast or detailed as those of healthcare providers, retailers, or search engine operators. And of course, the real reason we are concerned about cybersecurity threats to critical infrastructure is not PII, but something more consequential: the loss of power, the discharge of hazardous substances, explosions, fires, and other direct harms to human life and physical property. It is one of the reasons that cyber insurance is plentiful for the theft of PII but often hard to come by for personal injury or property damage arising from cyber-attacks. The latter exposure is potentially orders of magnitude larger, with fewer actuarial data points to draw from. Additionally, since the attack on the Ukraine electrical grid a year ago, news of critical infrastructure attacks, or even the threat of them, hasn’t received much media attention.
But we can’t blame the media for an industry’s complacency. The events in other industries demonstrate that cybersecurity threats are not waning. If anything, the reverse is true. Due to heightened tensions with Russia and China, global economic stagnation, the continuing growth of political and religious extremism, and the general availability of advanced hacking tools, there seems little question that cyber-attacks will continue to grow. And many of those threats aren’t coming from groups looking to make a quick buck off a stolen credit card number or social security number. Their motivations are varied, and so will be their targets.
So how vigilant should critical infrastructure operators be? Besides complying with legal requirements, opinions vary on what should get emphasis and how much to spend. For most, the operational technology (OT) environments where power is generated and delivered, oil and gas are extracted and refined, and assembly lines operate are isolated to some degree from both the Internet and the company’s enterprise network. Due to NERC CIP, electric utilities are hyper-focused on that isolation, while in other industries practical realities may dictate some of that isolation on their own. But isolation is a double-edged sword. While it implies that attackers may have to work harder to get into these networks, once they’re in, the defenses and detection capabilities may not be as strong as on the enterprise side, which is used to constantly dealing with malware infections from employees clicking on suspicious links and opening questionable attachments. Because e-mail and web surfing are not that common on OT networks, a false sense of security may be prevalent. Stuxnet, the famous attack on an Iranian nuclear enrichment facility that was “air gapped” from outside networks, is perhaps the poster child for that false sense of security. Using an infected flash drive, attackers were able to burrow into that isolated network and compromise the control systems that were used to manipulate running processes, causing the destruction of centrifuges over several weeks or months. That was clearly an advanced and persistent attack, but others are likely to follow, as tools like Stuxnet, which were state of the art in 2009, are more commonplace today.
What Stuxnet proved is not that organizations need better ways of detecting malicious software. That’s a fool’s errand. Attackers will always have the upper hand despite some impressive developments in the new segment known as endpoint detection and response. Instead, the focus needs to be on the operating processes themselves. Bad things can only happen if those processes are changed. So if the pressure isn’t altered, the temperature doesn’t change, the voltage levels or frequency remain where they should be, or the numerous other set points are correct, a cyber-attack is likely to prove inconsequential in an OT environment. Most importantly, many of those settings are unique to a particular plant, power system, or even piece of equipment. Without inside knowledge, attackers have often struggled to cause any real harm. For example, in the December 2015 Ukraine electric grid attack, the attackers inadvertently hindered their progress by shutting off power to the computer they were using to deliver some of the attack’s commands. Simply having the tools to detect changes in what are fairly predictable processes can go a long way toward thwarting even some of the most advanced attackers.
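The monitoring idea above, as an added example that is not part of the original post or the product it describes: a known-good baseline of set points per asset, each with a tolerance, plus a fingerprint of every other parameter so that a quiet edit to an unmonitored setting is still reported while in-band drift is not. Asset names, values and the polled snapshots are constructed for illustration.

```python
import hashlib
import json

# Constructed known-good baseline: per-asset set points as (value, tolerance).
# Asset names and numbers are hypothetical, not taken from any real plant.
BASELINE = {
    "feeder-7/relay": {"voltage_kv": (13.8, 0.2), "frequency_hz": (60.0, 0.05)},
    "boiler-2/plc": {"pressure_psi": (850.0, 15.0), "temp_f": (950.0, 10.0)},
}

def config_fingerprint(settings: dict) -> str:
    """Stable SHA-256 of a settings block (key order does not matter)."""
    canon = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def check_snapshot(asset: str, snapshot: dict, known_fp: dict) -> list:
    """Alerts for one polled snapshot of an asset's settings:
    a set point outside tolerance, a set point missing, or any edit to
    the parameters that have no tolerance of their own."""
    expected = BASELINE.get(asset)
    if expected is None:
        return [f"{asset}: unknown asset, not in baseline"]
    alerts = []
    for name, (value, tol) in expected.items():
        if name not in snapshot:
            alerts.append(f"{asset}: {name} missing from snapshot")
        elif abs(snapshot[name] - value) > tol:
            alerts.append(f"{asset}: {name}={snapshot[name]} outside {value}+/-{tol}")
    # Everything without a tolerance is fingerprinted whole, so a quiet edit
    # to any other parameter is still reported, while in-band drift is not.
    fp = config_fingerprint({k: v for k, v in snapshot.items() if k not in expected})
    if asset in known_fp and known_fp[asset] != fp:
        alerts.append(f"{asset}: other settings changed (fingerprint {fp[:12]})")
    known_fp[asset] = fp
    return alerts

def run(snapshots: list) -> list:
    """Process ordered (asset, settings) snapshots and return every alert."""
    known_fp, out = {}, []
    for asset, snap in snapshots:
        out.extend(check_snapshot(asset, snap, known_fp))
    return out

# Constructed poll sequence: a good first poll, then a trip delay quietly
# shortened (voltage drifts but stays in band), then frequency pushed out of band.
SAMPLE = [
    ("feeder-7/relay", {"voltage_kv": 13.8, "frequency_hz": 60.0, "trip_delay_ms": 100}),
    ("feeder-7/relay", {"voltage_kv": 13.85, "frequency_hz": 60.0, "trip_delay_ms": 5}),
    ("feeder-7/relay", {"voltage_kv": 13.8, "frequency_hz": 59.0, "trip_delay_ms": 5}),
]
```

Running `run(SAMPLE)` yields two alerts: the shortened trip delay on the second poll and the out-of-band frequency on the third; the in-tolerance voltage drift is silent.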
For example, our Industrial Defender Automation Systems Manager monitors settings on a wide variety of control system equipment and alerts when changes are made. Many other products are also entering the market to complement this capability. While asset and change management may not seem that exciting, they are still our best hope. Contact us to learn more.