The cyber-attack on Ukraine power centers last December — an event that took 30 substations offline and left more than 230,000 residents without power — was a rude awakening for power generation plants and distribution centers around the world. Despite being well-segmented from the control center business networks with robust firewalls — notably more secure than some U.S. operations — the network was still breached.
Following an extensive investigation, analysts found the perpetrators had carefully planned their assault over many months, studying the network for vulnerabilities and stealing operator credentials to eventually take control.
The question on many people’s mind—not if another critical infrastructure breach will happen, but when.
Why the Next Cyber Breach is Inevitable
Today, the “playing field” for hackers and nations states has widened. Public utilities and oil and gas companies that have believed themselves to be out of harm’s way are no longer safe from adversaries eager to find their vulnerabilities and take advantage of their unpreparedness. In fact, in a survey conducted by the Ponemon Institute, 84% of utilities reported the severity of cyber-attacks experienced by their organization is on the rise, and 74% said they’re becoming more frequent.
Unlike traditional security use cases where the goal is to steal data or monitor systems, Industrial Control System (ICS) breaches are meant to cause some physical action, such as stop a system or shut down an operation, like the Ukraine attack. Such incidents – whether malicious or unintentional – can cause the loss of intellectual property, disruption of service and processes, and physically dangerous scenarios leading to injury or loss of life.
Unfortunately, several factors are contributing to the vulnerability of ICS environments:
- Limited Visibility
Traditionally, ICS networks were segmented or physically air-gapped from the rest of the network. Therefore, actively monitoring these networks and collecting network activity details wasn’t possible. Even today, with increased awareness of cyber threats towards ICS networks, many organizations still do not monitor to detect security events. Vendors are often employed to perform maintenance and monitor the health of these complex networks, but security is an extra service which comes at a cost: one which many organizations may not be willing to pay.
- IT/OT Divide
To many IT folks, ICS is a very obscure and varied technology. There are thousands of ICS networks in operation from fire alarm systems to nuclear reactors that are often unique. Similarly, the ICS engineers on the Operational Technology (OT) side may simply not be in a position to assist given their limited exposure to conventional IT systems. Simply put, the two groups speak different languages and have different priorities.
- Lack of Cybersecurity Expertise/Culture
Historically, OT protocols and architectures were not implemented with security in mind making it necessary to “bolt on” security controls. In addition to the IT/OT divide, expertise in cybersecurity within the OT environment is limited. Those coming from an IT security background do not always fully appreciate the potential consequences of implementing security controls in an OT environment, such as latency concerns, brittle protocols, and real-time considerations.
- Long Update Cycle
Control systems are often deployed for decades with limited ability to upgrade components. Additionally, because of uptime requirements (many of these systems operate 24x7) security patches and configuration changes require extensive testing and often can only be implemented during scheduled outages that sometimes take 18 months to happen.
Managed Detection and Response Services Provide Support
Given the consistency of ICS network activity, detecting “abnormal” activity is much easier than with traditional IT environments. However, detection can only happen with network visibility and an understanding of what actions are “normal.” As outlined above, most organizations lack the people, process, and technologies to effectively manage cybersecurity themselves. Therefore, many utility, oil, and gas companies are turning to ICS management solutions, such as Leidos’ Industrial Defender Automation Systems Manager® (ASM). These management platforms aggregate data from industrial endpoints across all vendor systems to provide:
- Asset Management: A single, unified view of all assets enables onboarding and decommissioning of assets, as well as provides device status reporting, information access, and state information.
- Security Event Management: Provides visibility into control systems asset base at a single site and across the fleet to monitor trends, manage events, and investigate anomalies. To provide context, visibility, and anomaly detection, Leidos combines its work with an ICS capable partner to collect, parse, and detect abnormal events and pass these alerts onto the Netwitness platform, which correlates those alerts against events occurring at and above the network’s next level.
- Configuration Management: Automated asset configuration collection and ability to track and audit device settings, software, firewall rules, and user accounts reduces cybersecurity risks.
- Policy Management: Communicates new policies, tracks acceptance, and manages conformance.
- Compliance Reporting: Comprehensive suite of standard configurable reports to meet audit requirements, both internal and external. Additionally, these solutions enable users to define, generate and automate reports as needed, as well as archive artifacts relevant to regulatory requirements.
- Work Automation Suite: Integrated document management, ticketing, and reporting as part of a structured workflow enable ICS professionals to initiate, track, approve, document, and report on changes made to control system assets.
While many organizations have sought to cobble together a combination of manual processes and technology solutions, the result has been labor intensive, slow, and spotty. As the recent WannaCry and NotPetya ransomware attacks revealed, many critical infrastructure organizations had failed to apply patches that had been available for months to prevent those attacks. Many didn’t even know which of their systems were vulnerable.
With operations staff already stretched to the breaking point, it’s simply not realistic to expect those scarce resources to drop what they’re doing to track down vulnerabilities to the latest threats. That’s why automated tools like Industrial Defender ASM are really the only option to keep control networks safe and secure.
To hear more details on how to protect your critical infrastructure against the next cyber breach, we invite you to listen to our webcast, Securing Critical Infrastructure Organizations Against the Next Cyber Breach, or contact us to talk to one of our cybersecurity experts today.