Protecting Against Cyberthreats
Print Issue: January 2013
THE RELIABLE AND SECURE operation of critical infrastructure is of great importance to national security, economic vitality, and public safety. Threats to the infrastructure are both real and growing. For example, according to the U.S. Department of Homeland Security, during the five-month period between October 2011 and February 2012, there were dozens of reported attacks on computer systems in the United States that control critical infrastructure, up considerably from the number occurring during the same period a year earlier. While none caused significant damage, they were part of a spike in hacking attacks on networks and computers of all kinds during the same period. Understanding what attacks have been carried out, where the current threats lie, and what is being done to mitigate risk is vital to the security of critical infrastructure the world over.
A significant portion of the critical infrastructure that serves as the backbone of the electric, water, oil, and gas industries relies on industrial control systems (ICS) to function. ICSs are used to send automated or operator-driven supervisory commands to remote station control devices, which are often referred to as field devices. Field devices control local operations, such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions. ICSs include different types of industrial control systems—for example, distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLC). ICSs are highly interdependent—a disruption of one component can have a cascading effect on others.
Early ICS infrastructures were not necessarily designed with cybersecurity in mind. Instead, threat countermeasures were layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.
While many in the security press have been consumed with the more exotic attacks—such as malicious worms called Flame, Stuxnet, and Duqu—organizations relying on SCADA and ICS networks are likely more at risk from conventional network threats: buffer overflows, default passwords, phishing, and the ever-present denial-of-service attack. It is these exploits that have allowed hackers to take over PLCs by issuing stop commands and inserting substitute device logic and malicious instructions. Many of these exploits can be found through freely available open-source penetration testing frameworks obtainable by both ethical and unethical hackers.
Many ICS operators have argued that cyberattacks are unlikely due to the fact that SCADA systems and PLCs are usually cut off from the Internet, but this “air gap” strategy is fraught with risk. To effectively protect ICSs from hackers, operators need to recognize that all control systems are connected to the outside world in some fashion. It might be a network connection, a mobile laptop, a serial line and a modem, an RF connection, or a USB flash drive—all these are pathways that can be exploited. In fact, according to the CIA, as far back as 2008, malicious activities against IT systems and networks had already been able to cause disruptions of electric power capabilities in multiple regions around the world, “including a case that resulted in a multicity power outage.”
Hacking Isn’t Hard
Today’s hackers have it easy compared to just a few years past. A typical hacker would formerly have had to write custom code to use in an exploit, and he or she may have had to spend days trying different password combinations to break into a system. Now, “exploit kits,” complete with instructions and help desk support, are readily available and quite affordable. Hacker-friendly sites list thousands of scripts, tips, and tutorials.
Automated hacking tools exist for performing denial-of-service, code injections, and phishing attacks. Open source hacking frameworks, containing hundreds of free and frequently updated hacking tools, can be downloaded. Hackers can leverage cloud infrastructures to amass multiple virtual machines that work in parallel to crack complex passwords or crash systems and applications. In addition, hacking organizations are able to use the Internet to coordinate hacking activities; they have been known to successfully release exploit code to massive numbers of amateur hackers in order to attack a common target from multiple locations around the world.
Today’s hackers also have a multitude of attack vectors at their disposal, from social engineering to open wireless access points to texting and Bluetooth. And, as noted, hackers are already directing their attention to targets beyond PCs and Web sites to SCADA systems and PLCs.
Insiders: The Weak Link
As any security professional knows, an organization’s trusted insiders can be primary threats to cybersecurity, and that type of threat is the most difficult to mitigate, because these individuals have authorized access to systems.
Even when insiders do not have malicious intent, they can unwittingly assist those with nefarious aims if they are not on alert against the potential risks. For example, it has been suggested that the Stuxnet worm was delivered to the Iranian nuclear community through a USB flash drive that an insider plugged into the system without realizing that it was infected.
This calls attention to the many possible ways that malware can be introduced into a protected network by employees and contractors who are permitted to plug devices into workstations, laptops, and field devices or to access the corporate network remotely. It is the perfect environment for spreading malware in the same way that social contact spreads biological viruses.
Another potential cyberthreat comes from terrorist organizations, such as al Qaeda, Hamas, Hezbollah, Palestinian Al Aqsa Martyrs Brigade, Aleph, and Chechen groups. It has been reported that al Qaeda has already called for cyberjihadists to attack critical infrastructures. In a video obtained by the FBI in 2011, an al Qaeda operative called upon the “covert mujahidin” to launch cyberattacks against the U.S. networks of both government and critical infrastructure, including the electric grid. The video compares vulnerabilities in vital American computer networks to the flaws in aviation security before the 9-11 attack. At the time the video was released by the Senate Committee on Homeland Security and Governmental Affairs, Committee Chair Joseph Lieberman (ICT) stated, “This is the clearest evidence we’ve seen that al Qaeda and other terrorist groups want to attack the cyber-systems of our critical infrastructure.”
If terrorist organizations acquire highly sophisticated malware, such as Flame, many information security experts agree that a global Internet blackout and crippling attacks against key infrastructure are possible.
Though most critical infrastructures may be more at risk of a rogue hacker attack or accidental malware infection from careless insiders, the likelihood of a nation-state attack has grown since June 2010, when news of the malicious worm called Stuxnet broke. In that case, reports from credible cyber labs around the world supported the conclusion that it was a targeted nation-state cyberattack on Iran’s nuclear industry. As the Stuxnet code and payload were investigated, the notion of a nation-sponsored cyberattack was borne out when the New York Times reported that the United States and Israel had confirmed this worm was part of a joint intelligence effort code named, “Operation Olympic Games.”
Since Stuxnet was revealed, other sophisticated worms, Trojans, and backdoors have been identified, including Duqu and Flame, which are both apparently related to Stuxnet. Eugene Kaspersky, head of Kaspersky Lab, which discovered Flame, called it “the most sophisticated cyberweapon yet unleashed,” and he further noted that “even those countries that do not yet have the necessary expertise [to create a virus like Flame] can employ engineers or kidnap them, or turn to hackers for help.”
Because international attacks tend to be tit for tat, Iran will probably launch a reprisal cyberattack of its own. It is already reportedly involved in cybercrimes at the nation-state level; for example, according to Defense Tech, an online publication that reports on cybersecurity issues, the Islamic Revolutionary Guard Corps set up its first official cyber-warfare division in 2010, with an estimated $76 million budget.
Though espionage is often thought to be the focus of nation-state cyber activity, Stuxnet shows that they have the potential to go far beyond spying. Given the expansion and proliferation of ICSs, such attacks could be used to disrupt utility networks and other ICS components, shut down power grids, and sabotage nuclear systems. Given that nation-state sponsored activity exists and is likely be more prevalent than is known, IT security professionals at critical infrastructure operations that use ICSs must prepare for the likelihood of attacks.
Guidance such as ANSI ISA 99, NERC CIP, and other documents provide a good framework for identifying critical cyber assets and controlling access to these, as well as for maintaining a healthy cyber environment. Employee and contractor background checks, limiting access, logging, scanning, auditing, due diligence, and situational awareness are all cited as important aspects of reducing the cyberthreat.
Companies need to ensure that they educate employees and raise their awareness. Stricter safeguards, such as USB port control, continuous monitoring, and anomaly detection, are also important. These procedures can help to mitigate both careless and malicious malware introduction where the insider is the primary conduit in code transfer. Web filtering is another effective safeguard against the potential downloading of malware onto corporate networks.
ICS operators also need to establish a defense-in-depth approach that establishes and maintains a high level of security capability. One aspect of this is to segregate the most critical systems behind several layers of protection. Other aspects include identifying potential internal and external threats and risks, establishing requirements for access to critical systems, and developing robust security architectures and policies.
Active monitoring is also essential to a well-rounded cybersecurity program. Questioning all access to critical systems, then monitoring that access in real time, as well as preventing critical functions, such as code download, without appropriate approvals and privileges, for example, are critical to mitigating the malicious insider threat.
A security intelligence (SI) capability is another important component of a defense-in-depth approach. SI solutions integrate with existing systems and detect events of risk-management interest, providing security with actionable and comprehensive insight into threats.
SI builds on the data-collection capabilities of log management; the correlation, normalization, and analysis capabilities of security information and event management; the network visibility and advanced threat detection of network behavior anomaly detection; and the network traffic and application content insight afforded by network forensics.
Another component that security professionals should consider is anomaly detection, a relatively new technology that learns the normal behavior of networks and systems and provides alerts when anomalous activities occur that might signal a hacking attempt. Anomaly detection can help security personnel spot new threats even before malware signatures are available.
In the face of evolving cyberthreats such as Stuxnet and Flame, there is no doubt that the critical infrastructure owners and operators need to continuously reevaluate the risks they face and revise their defenses accordingly. How well they will meet the challenge remains to be seen.
Douglas Powell, CPP, PSP, is manager of security and privacy at British Columbia Hydro and Power Authority in Burnaby, British Columbia. He is chair of the ASIS Critical Infrastructure Working Group and vice chair of the ASIS Utilities Security Council. Allan Wick, CPP, PSP, PCI, is corporate security and business continuity manager for Tri-State Generation and Transmission Association, Inc., of Denver, Colorado, and chair of the ASIS International Utilities Security Council. Don Fergus, CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control), is senior vice president, professional services, for Patriot Technologies, Inc., of Frederick, Maryland, and chair of the ASIS Information Technology Council.