Industrial Control Systems (ICS) – such as supervisory control and data acquisition (SCADA) systems – manage and monitor critical storage, refining and distribution operations at many energy pipeline companies. These systems collect data from points throughout the operation and communicate control commands to equipment located both locally and remotely.
These systems have typically run behind the scenes, but they have more recently moved front and center as information about real and potential cyberattacks has appeared in the media. Hostile governments, competitors, terrorist groups, disgruntled employees and other malicious intruders know these systems hold a trove of confidential and potentially very damaging data, and that they control physical processes.
The critical infrastructure that industrial control systems manage includes physical and IT assets, networks and services that, if disrupted or destroyed, could seriously affect the health, security and economic well-being of both the people in the immediate area and the country at large.
Due to the critical nature of ICSs and the facilities they control and manage, all levels of management at these facilities must put security of these systems at the top of their agendas.
Until recently, security concerns over ICSs were limited to physical attacks. Because these were closed systems, managers assumed that if operational consoles were isolated and only authorized personnel could reach the network, security was covered. The risk of malfeasance was considered low because few people had the technical expertise to operate the system and the data communication paths were isolated.
Today’s situation is completely different. IT teams at energy companies have recognized that lower costs, easier accessibility and improved efficiency can be gained by connecting their IP-based operations network to their ICSs. Today’s control systems are directly or indirectly connected to corporate networks and the Internet, which dramatically increases the security risks they are exposed to, far beyond physical attacks. Several factors have contributed to this increased exposure, including:
1) Technical information availability – Public information about infrastructure and control systems is readily available to potential intruders. Design and maintenance documents, vendor manuals and the technical standards for critical systems can easily be found on the Internet, so an attacker can study a target’s equipment before ever touching its network.
2) Vulnerable remote connections – Connections such as virtual private networks (VPNs) and wireless links are used for remote diagnostics, maintenance and checks of system status. If operators fail to build strong identification, authentication and encryption into these connections, neither the confidentiality nor the integrity of the information transmitted can be trusted, and the remote access path itself becomes a way into the control network.
3) Networking of control systems – Organizations have increased connectivity by integrating their control systems with their enterprise networks. Where the two are joined without strict controls between them, a breach at any point in the network can expose all the information on it – ICS-related data, e-mail, corporate information and more – to intruders.
4) Alternative vectors of malware propagation – Whether systems are online or isolated, maintenance and updating still have to take place, and frequently this happens through removable media such as USB keys. The Stuxnet worm proved the effectiveness of this method of propagation, and research shows that one in every eight malware attacks is carried into the organization on a USB stick.
Shortly after 9/11, government experts found evidence of terrorist groups visiting websites that offered software and programming instructions for the equipment that ran power, water, transportation and communications grids. Since then, numerous incidents of cyberattacks on the inner controls of critical infrastructure systems have occurred.
More recently, of course, there was much publicity around a cyberbreach at a major international oil company. The attackers penetrated the company’s business operations network but not its ICS. The breach nevertheless demonstrates a critical point: damaging an energy company does not require penetrating the ICS; preventing the company from working effectively with its suppliers and customers can be just as damaging to the operation.
Ensuring cybersecurity in the control infrastructure of an energy company may seem like a daunting task as it requires cooperation and commitment from the entire organization as well as support organizations. Upper management must recognize the numerous benefits of a secure ICS. These advantages include ensuring system uptime, reliability, availability and safety to both the facility and surrounding area. A secure system protects the company, its vendors, systems integrators, customers and others who interact with the ICS.
To provide maximum protection for critical ICS data assets, IT teams at energy companies should deploy a “defense-in-depth” security approach that includes multiple layers of protection to recognize and thwart cyberattacks.
The basic premise of defense-in-depth is a layered approach to network security – one or more layers of protection at network boundaries (firewalls, antivirus/anti-malware appliances and intrusion prevention devices), plus additional layers of protection at the individual workstations or endpoints. This strategy is most effective when the layers use diverse defense mechanisms, such as antivirus engines from different vendors at the network and endpoint layers, so that a gap in one vendor’s detection is covered by the other.
Network Level Security
The first level of security to consider when implementing a defense-in-depth strategy is at the network level. Proper attention to security at the network level will provide benefits to all downstream resources. For example, use of a network protection appliance at the network switch in conjunction with a traditional antivirus solution at the network endpoints adds up to 38% additional anti-malware protection vs. utilizing anti-virus endpoint protection alone.1
1) Network Perimeter – The network perimeter or edge is where Internet traffic enters and exits an organization’s network. IT teams can deploy various types of protection, including malware protection, spam filtering, content filtering, network firewalls, and intrusion detection and prevention.
The network perimeter is often protected by Unified Threat Management (UTM) technology. This is typically deployed as a network appliance that combines multiple security functions into a single solution with a unified management interface. These devices are especially valuable at the edge of the internal network, where most externally originated attacks, including “brute force” attempts against exposed services, first arrive.
UTM solutions are a critical component of network level security and they need to be implemented carefully. For example, network firewalls must be configured so that they do not allow unnecessary protocols or ports through to the internal network; otherwise the perimeter of the organization’s network is open to attack through every port that was left open.
In some cases, security officers may choose to deploy an anti-malware appliance from a different security vendor in line with the UTM to provide a second analysis vector on incoming data packets – this is another element of a defense-in-depth security strategy.
2) Segmented Networks – Large internal networks are often organized into groups of smaller networks. This type of network topology reduces congestion and improves network performance by reducing the amount of traffic flowing through any one network segment.
Segmented networks also improve security: broadcast traffic is contained within each local network, and a segment can be quickly isolated in the event of a security breach. In a segmented topology, each segment can be protected with a dedicated network level security appliance that blocks viruses and malware from crossing segment boundaries, and traffic between the control segment and the rest of the network can be limited to the few flows the operation actually needs.
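The following is an added example, not code from the article or from the vendor it mentions, of the segmentation rule the text describes: an enterprise zone, a DMZ holding the historian, and an isolated control zone, with a default-deny policy between them. The zone addresses, ports and the two permitted flows are assumptions constructed for the illustration; the check shows that a corporate PC cannot talk Modbus/TCP to a PLC directly even though the historian in the DMZ can.

```python
"""Added example: evaluating a zone-based segmentation policy for an ICS network.

Written for this article; not any product's code.  Zone names, addresses,
ports and allowed flows are constructed assumptions.  The rule set is
default-deny, so anything not explicitly allowed is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout (constructed for this example).
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz":        ip_network("10.20.0.0/24"),
    "control":    ip_network("192.168.100.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    note: str

# Only two cross-zone flows are permitted; everything else hits the implicit
# final deny.  Note there is deliberately no enterprise -> control rule.
ALLOW = [
    Rule("dmz", "control", "tcp", 502, "historian in DMZ polls PLCs over Modbus/TCP"),
    Rule("enterprise", "dmz", "tcp", 443, "corporate users read the historian's web reports"),
]

def zone_of(addr):
    """Map an address to its zone name, or None if it is in no defined zone."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None

def evaluate(src, dst, proto, dport):
    """Return (verdict, reason).  Flows within one zone are allowed; flows
    across zones must match an ALLOW rule exactly."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address not in any defined zone"
    if sz == dz:
        return "allow", f"intra-zone traffic in {sz}"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto, dport):
            return "allow", r.note
    return "deny", f"no rule permits {sz} -> {dz} {proto}/{dport} (default deny)"

def audit(flows):
    """Evaluate a batch of (src, dst, proto, dport) flows; one verdict dict per flow."""
    return [dict(src=s, dst=d, proto=p, dport=port, verdict=v, reason=why)
            for (s, d, p, port) in flows
            for (v, why) in [evaluate(s, d, p, port)]]

# Constructed sample flows, including the ones the text warns about.
SAMPLE_FLOWS = [
    ("10.10.5.23", "192.168.100.10", "tcp", 502),          # corporate PC straight to a PLC
    ("10.20.0.5", "192.168.100.10", "tcp", 502),           # historian to PLC
    ("10.10.5.23", "10.20.0.5", "tcp", 443),               # user to historian reports
    ("10.10.5.23", "10.20.0.5", "tcp", 3389),              # RDP into the DMZ
    ("192.168.100.10", "192.168.100.11", "tcp", 44818),    # PLC to PLC (EtherNet/IP)
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(f"{row['verdict']:5} {row['src']:>16} -> {row['dst']:<16} "
              f"{row['proto']}/{row['dport']}: {row['reason']}")
```

The same structure, a small list of explicit cross-zone allows followed by a catch-all deny, is what the dedicated appliance at each segment boundary should enforce; auditing it this way before deployment catches a rule that would let enterprise hosts reach the control segment directly.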
3) Advanced targeted attack protection – The latest development in cybercrime is the use of well-hidden, targeted attacks against specific organizations. Because such attacks are built to evade the signature-based tools most organizations rely on, they require additional analysis mechanisms, such as behavioral or sandbox analysis of suspicious files and traffic. Organizations should ensure that sufficient protection against this type of threat is in place.
Endpoint Level Security
An effective security infrastructure must protect all network endpoints (servers, workstations and so on) from cyberattack. The accepted baseline for protecting these resources is to install anti-virus software and enable a host firewall on each endpoint.
Anti-virus software is used to prevent, detect, and remove malware (including computer viruses, computer worms, trojan horses, spyware and adware). There are a number of strategies that can be employed by an anti-virus solution:
1) Signature-based detection – This strategy involves searching for known patterns of data within executable code. These patterns are regularly updated by the anti-virus company’s research team. It is critical that all endpoints with antivirus software receive updated signature files regularly.
2) Heuristic detection – This strategy is used to identify new malware for which no signature is known. The antivirus software identifies new viruses or variants of existing viruses by looking for patterns that are similar to those of known malicious code or slight variations of such code.
3) Sandbox detection and analysis – This strategy executes unknown files in a protected environment and analyzes the results of that execution to see whether the files perform any malicious actions. Sandbox solutions can identify new, undiscovered malicious code that passes through signature-based and heuristic detection undetected.
All anti-virus solutions will provide some level of protection for the network endpoints, but the best anti-virus solutions use a combination of all three techniques to protect endpoints from infection. Security personnel should periodically evaluate their anti-virus solutions to ensure that they are leveraging a solution with multiple layers of defense.
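To make the three strategies concrete, here is an added example (written for this article, not the engine of any product) of a miniature scanner that applies them in order of cost. The signature database, the suspicious-string indicators, the entropy threshold and the sample files are all constructed assumptions. It shows the point the text makes about combining techniques: a one-byte change to a known sample defeats the exact signature, but the heuristic still flags it, and a file that triggers neither is what gets handed to the sandbox.

```python
"""Added example: signature-based and heuristic detection side by side.

Written for this article; not any vendor's engine.  Signatures, indicators,
thresholds and samples are constructed for illustration.  Sandbox analysis
needs an isolated execution environment and is represented only by a stub.
"""
import math

# --- Signature-based: exact byte patterns a vendor's research team would ship (constructed) ---
SIGNATURES = {
    "Trojan.Example.A": bytes.fromhex("4d5a9000" "deadbeef" "cafebabe"),
}

# --- Heuristic: weighted indicators of behaviour typical of malware (constructed) ---
SUSPICIOUS_STRINGS = {
    b"CreateRemoteThread":  3,   # classic process-injection API
    b"VirtualAllocEx":      3,
    b"WriteProcessMemory":  3,
    b"\\\\.\\PhysicalDrive": 2,  # raw disk access
    b"autorun.inf":         2,   # removable-media propagation
    b"cmd.exe /c":          1,
}
HEURISTIC_THRESHOLD = 5
PACKED_ENTROPY = 7.2            # bits per byte above which a file is probably packed/encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def signature_scan(data: bytes):
    """Return the signature name on an exact byte-pattern match, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def heuristic_score(data: bytes) -> int:
    """Sum indicator weights; packed files score extra because packing hides strings."""
    score = sum(w for s, w in SUSPICIOUS_STRINGS.items() if s in data)
    if shannon_entropy(data) > PACKED_ENTROPY:
        score += 3
    return score

def sandbox_verdict(data: bytes) -> str:
    """Stub: a real engine detonates the file in an isolated VM and records its
    actions.  This example has no VM, so it only reports that nothing was run."""
    return "not-run"

def classify(data: bytes) -> dict:
    """Apply the strategies cheapest first and stop at the first confident hit."""
    sig = signature_scan(data)
    if sig:
        return {"verdict": "malicious", "method": "signature", "detail": sig}
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return {"verdict": "suspicious", "method": "heuristic", "detail": f"score={score}"}
    return {"verdict": "unknown", "method": "sandbox", "detail": sandbox_verdict(data)}

# Constructed samples: a known trojan, a one-byte variant of it, a benign file,
# and a "packed" blob (every byte value equally frequent, so entropy is ~8.0).
KNOWN_TROJAN = SIGNATURES["Trojan.Example.A"] + b"...CreateRemoteThread...WriteProcessMemory..."
VARIANT = KNOWN_TROJAN.replace(b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf")   # signature no longer matches
BENIGN = b"MZ\x90\x00 hello world, this is a plain utility with no injection code"
PACKED = bytes(range(256)) * 16 + b"autorun.inf"

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_TROJAN), ("variant", VARIANT),
                          ("benign", BENIGN), ("packed", PACKED)]:
        print(label, classify(sample))
```

Signature updates only help against the first sample; keeping definitions current is necessary but, as the variant shows, not sufficient, which is why the text recommends a solution using all three techniques.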
Anti-virus software is a critical component of endpoint security, and security personnel must ensure that it is installed on every server and workstation on their networks; on its own, however, it is not enough. Endpoints with outdated virus definition files are a security risk, so procedures should be in place to ensure that every endpoint regularly receives new definition files.
Once a comprehensive anti-virus plan has been deployed, a more comprehensive strategy of endpoint security should be considered – one that ensures all endpoints are kept secure through application of regular vulnerability patches:
1) Patch and Remediation Software – Over 90% of cyberattacks exploit known security flaws for which remediation is available. For network endpoints to be completely secure, IT teams must also know what software is installed and operating on each endpoint. They must further ensure that the software and operating systems of every endpoint are patched regularly to eliminate attack vectors that could be utilized by cybercriminals to compromise the resource.
2) Application and Device Control Software – One aspect of endpoint security that is often ignored is application usage. By implementing a “whitelist” approach to managing application usage, IT teams can define which devices and applications are permitted on the network through user and/or machine-specific policy rules. Execution of unknown or malicious code is prevented because only authorized applications are allowed to run on laptops, PCs, and mission-critical servers.
A comprehensive application control solution should automatically discover which applications are in use across the network endpoints, enforce application usage policies across the entire network, and automatically log endpoint security policy events for compliance reporting. Such a solution should rely on endpoint agents that are tamper-resistant and protected against unauthorized removal.
Device control solutions protect networks from internal threats like data theft by enforcing which removable media (such as USB drives) are allowed in the organization’s network and controlling the data that is copied to and from the internal network through policy-enforced encryption. These solutions should also log all data transfers for security and compliance reporting purposes.
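The following is an added example, written for this article and not any vendor's agent, of the two policy checks just described: an application allowlist keyed on the executable's hash, and a removable-media allowlist keyed on the drive's vendor, product and serial number, both writing the audit log the text calls for. The file contents, hashes, device identifiers and file names are constructed assumptions. The point it illustrates is that a hash-keyed allowlist still blocks an unknown binary that has been renamed to a trusted name in a trusted directory, and that a device list keyed on serial number rejects a personal stick of the same make and model.

```python
"""Added example: application control (hash allowlist) and device control
(removable-media allowlist) with an audit log.

Written for this article; not any vendor's code.  Allowlist contents, sample
executables and USB identifiers are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "trusted" executables approved for control-room workstations.
HMI_CLIENT = b"MZ\x90\x00 hmi-client 4.2 (constructed sample)"
HISTORIAN = b"MZ\x90\x00 historian-agent 1.7 (constructed sample)"
UNKNOWN_EXE = b"MZ\x90\x00 definitely-not-approved (constructed sample)"

# Allowlist keyed on content hash, not on path or file name.
ALLOWED_HASHES = {sha256(HMI_CLIENT): "hmi-client", sha256(HISTORIAN): "historian-agent"}

# Constructed removable-media allowlist: vendor:product:serial of issued, encrypted drives.
ALLOWED_DEVICES = {"0951:1666:ICS-USB-0001", "0951:1666:ICS-USB-0002"}

@dataclass
class PolicyEngine:
    events: list = field(default_factory=list)

    def _log(self, kind, decision, **detail):
        # Every decision is recorded; the compliance report is built from this list.
        self.events.append({"kind": kind, "decision": decision, **detail})
        return decision

    def check_exec(self, path: str, contents: bytes) -> str:
        """Allow execution only if the file's hash is on the allowlist."""
        digest = sha256(contents)
        name = ALLOWED_HASHES.get(digest)
        decision = "allow" if name else "block"
        return self._log("exec", decision, path=path, sha256=digest[:16], app=name or "unknown")

    def check_device(self, vid: str, pid: str, serial: str) -> str:
        """Allow only issued drives, identified by serial, not just vendor/product."""
        key = f"{vid}:{pid}:{serial}"
        decision = "allow" if key in ALLOWED_DEVICES else "block"
        return self._log("device", decision, device=key)

    def check_transfer(self, vid, pid, serial, filename, nbytes, encrypted: bool) -> str:
        """A copy to removable media is permitted only to an allowed device and
        only if the policy-enforced encryption was applied."""
        if self.check_device(vid, pid, serial) != "allow":
            return self._log("transfer", "block", file=filename, bytes=nbytes,
                             reason="device not allowed")
        if not encrypted:
            return self._log("transfer", "block", file=filename, bytes=nbytes,
                             reason="unencrypted copy")
        return self._log("transfer", "allow", file=filename, bytes=nbytes)

def demo():
    """Run the constructed scenarios; returns (decisions, audit log)."""
    eng = PolicyEngine()
    results = [
        eng.check_exec(r"C:\Program Files\HMI\hmi-client.exe", HMI_CLIENT),
        # Unknown binary renamed to the trusted name in the trusted directory: hash still wrong.
        eng.check_exec(r"C:\Program Files\HMI\hmi-client.exe", UNKNOWN_EXE),
        eng.check_device("0951", "1666", "ICS-USB-0001"),
        eng.check_device("0951", "1666", "PERSONAL-STICK"),     # same model, not issued
        eng.check_transfer("0951", "1666", "ICS-USB-0001", "plc_backup.l5x", 48120, encrypted=True),
        eng.check_transfer("0951", "1666", "ICS-USB-0001", "plc_backup.l5x", 48120, encrypted=False),
    ]
    return results, eng.events

if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

In a real agent the hash lookup runs in a kernel driver or equivalent hook before the image is mapped, and the allowlist itself must be protected from the user whose machine enforces it; that is the tamper resistance the text asks of the agent.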
Secure and well-protected industrial control systems are critical to the efficient operation of an energy company. Without this protection, cyberattacks have the potential to cause serious accidents and damage to infrastructure, to system personnel and to the public at large.
A defense-in-depth approach to network security will provide the most comprehensive protection against malware threats and other forms of cybercrime. Security architectures with multiple layers of protection from multiple vendors provide the best protection, especially when deployed at multiple levels in the network. Likewise, a multi-layer endpoint management strategy with anti-virus, patch, remediation, and application and device controls will provide the most comprehensive protection at network endpoints.
IT teams at energy companies should continuously review their system’s security architecture to identify areas of vulnerability and implement defense-in-depth network strategies where appropriate to ensure that the system’s network resources are adequately protected.
Torjus Gylstorff is vice president, Global Enterprise Sales, for Norman’s enterprise security group and has served in this role since 2011. Previously, he served as managing director of Norman AS and has been part of the regional sales leadership team since joining Norman in June 2010. He holds a M.Sc. degree in economics and business administration from Copenhagen Business School.
1. NSS Labs, Norman Network Protection (NNP) Network Anti-Malware Assessment, Q2 2010.
White House May Issue Cybersecurity Order
The Obama administration has indicated that it could issue an executive order relatively soon to strengthen cybersecurity initiatives given the lack of legislative movement on the issue, U.S. Sen. Joe Lieberman (I-CT) said Oct. 7 on Platts Energy Week.
Lieberman, chairman of the Senate Homeland Security and Governmental Affairs Committee, asked the administration in a letter in late September to do so, and at a minimum ask the U.S. Department of Homeland Security (DHS) to develop electricity sector standards.
Lieberman said the administration has said “We’re on it, we’re doing it, we’re working on it. They may issue an order about cybersecurity in the next month.”
“The energy sector is a prime target for people wanting to disrupt our country,” Lieberman said. The Senate last month did not pass cybersecurity legislation authored by Lieberman and Sen. Susan Collins (R-ME). The president has said he supports the Lieberman-Collins proposal (S. 3414), which would among other things direct DHS to chair a new federal body called the National Cybersecurity Council.
Lieberman said that while he does not consider his bill dead, it probably has less than a 50% chance of passing. He said it has not passed because people see it as “just more regulation,” but it instead focuses on homeland and economic security.
Lieberman said the president does not have authority to order many of the proposals contained in his bill, such as granting companies immunity from certain liabilities if they opt in and follow voluntary standards to increase cybersecurity. But he could set up initiatives to increase cooperation, and possibly grant some other types of rewards for companies that opt in to the standards.
Meanwhile in San Antonio, the country’s largest municipal utility has embarked on a separate type of initiative to diversify its power generation portfolio.
San Antonio CPS Energy President and CEO Doyle Beneby said that the muni has developed a program “linking our pursuit of a renewable goal with economic development.”