Cybersecurity: How Much Is Enough?

February 2014, Vol. 241 No. 2

Andrew Ginter, Vice President of Industrial Security, Waterfall Security Solutions

Cybersecurity concerns with our critical infrastructures are well-known. In recent years, the Department of Homeland Security (DHS) and other authorities have encouraged critical infrastructure owners and operators to take steps to ensure cybersecurity for both their business and critical control system assets.

The American Petroleum Institute (API) was ahead of the game when, in October 2004, it issued API 1164, a voluntary industry standard specific to supervisory control and data acquisition (SCADA) systems designed to improve security within the oil and gas pipeline industry.

Most pipeline utilities have a security program implemented already, but in the changing landscape of attack threats and methodologies, the key question remains: Are current efforts enough? Cybersecurity risks to control systems range from pervasive malware designed by organized crime syndicates, to insider threats and sophisticated, targeted attacks.

Information technology (IT) security teams are focused on preventing information theft: credit card numbers, contract details and intellectual property, for example.

Control system security teams have a much different focus, however. Most often the cyber-compromise of a pipeline control system triggers a safety shutdown of the pipeline. If malware impairs the operation of any part of a control system, and the operator is no longer confident in overseeing and operating the pipeline, and no working and uncompromised backup system is available, the operator is required to shut down the affected parts of the pipeline.

A more sophisticated attack could have more serious consequences. If an attacker overrides safety protocols, he could open valves to cause spills, damage equipment through faulty operation, or even trigger shock waves, especially in liquids pipelines. This could damage the pipeline, valves and equipment – posing a safety risk to the general public.

The reality is that utilities will never be fully protected; we are never perfectly safe, and we are never perfectly secure. Because there is always more we can do and more we can buy, communicating our security posture to senior management is difficult. Telling management teams that “the next thing we should do or buy is this” does not help, as all they hear is, “I need more money.”

The way executives and board members resolve constant requests for additional funding is through a cost-benefit analysis for investments intended to increase profits or reduce costs, and a risk-management analysis for investments intended to address security and safety risks.

Management teams tend to use what they regard as mature risk management methodologies to evaluate risks and make investment decisions. Many management teams, for example, use some variation of the National Institute of Standards and Technology (NIST) methodology to evaluate security risks.

The methodology has a number of definitions of risk, the most succinct being NIST 800-37’s definition: “Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”

Let’s call this the actuarial model of risk, as it is similar to how insurance companies model risk, asking questions such as, “How likely is an earthquake or hurricane?” and “What is the average financial impact of such an occurrence?” Multiplying the two gives the expected business impact of the risk, and hence how much an insurance company will charge to transfer it.

When applying this model to cyber risk, the implicit assumption is that the likelihood of a future attack depends heavily on how many attacks have taken place in the past. Since there has yet to be a full-scale attack on our nation’s critical infrastructure, it is easy to come to the conclusion that the risk of an attack is low and that little investment in additional security precautions is justified.

However, the DHS and military risk-assessors use a different approach to risk management. They ask, “How capable are our enemies?” and “How capable are our defenses?” And they ask, “When – not if – an attack occurs, what is the most likely outcome?” If this outcome is unacceptable, then we need to improve our defensive capabilities.

A problem with most control system security programs is the inability to explain a capabilities gap to senior management. For example, a typical attack pattern taught in every intermediate-level security training program sends a fake email to select individuals in a target organization to trick a recipient into opening an attachment.

The email uses subject lines like “Confidential – staff reduction plans” with the CEO’s email address as the return address. The custom malware is not detected by anti-virus engines since they are designed to catch high-volume malware, not a custom attack someone has never seen before. When activated, the malware fakes a problem on the computer so the victim calls the help desk for assistance. Once the help desk fixes the problem and uses the domain administrator password, the attacker steals the password or password hash and uses it to contact the domain controller and create accounts on control system hosts – and sometimes control system firewalls – to wreak havoc.

This targeted class of attack is well-understood and extremely effective; it is used routinely to steal information from IT networks, and has been proved repeatedly to work against control system networks. One IT expert after another has said they are no longer confident that targeted attacks can be blocked at the company firewalls. They recommend the deployment of intrusion detection and other technology designed to detect and prevent the theft of huge volumes of sensitive information.

The control system security risk management problem is this: targeted attacks have rarely been used to sabotage pipeline operations. An actuarial risk analysis concludes that because there have been so few attacks on control systems, there is little likelihood of such attacks in the future, justifying no additional protections. But a capabilities-based risk analysis observes that any adversary with a little skill and a couple of hours’ time can launch this type of attack and take remote control of a pipeline control system.

Do we really believe this scenario? If this is true, why are there not countless cyber-sabotage incidents for pipeline control systems? The best answer to this question requires a look at possible motives. For example, the loosely organized Anonymous hacker group issued a statement a year ago saying it was not interested in sabotaging critical infrastructure – it has other goals for its “hacktivism.”

The Chinese intelligence agencies, allegedly responsible for the plague of advanced persistent threat (APT) attacks, appear interested only in stealing information: the names of dissidents, source code, contracts and other intellectual property. These groups have demonstrated the ability to take over control systems more or less at will in the course of pursuing their other objectives, but appear to have no motive to sabotage those systems yet.

For control systems, just as in the IT world, solutions to targeted attacks exist. Forward-thinking pipeline utilities are deploying unidirectional security gateways instead of firewalls at the perimeters of their control system networks. The gateways are hardware-enforced, one-way communications devices that safely integrate industrial networks with corporate networks.

The gateways replicate control system servers, such as relational databases and process historian databases, out to corporate networks. Corporate users and corporate applications have access to real-time data by querying the replica servers without any risk of interfering with the industrial networks that are the source of the real-time data. Unlike firewalls, the unidirectional gateway hardware only permits information to flow in one direction, entirely eliminating the risk of a network-based cyber attack gaining access to the control network, no matter how simple, how targeted or how sophisticated the attack.

Control system cybersecurity teams must start communicating risk more effectively to senior management. An actuarial risk analysis effectively defends against our enemies’ motives, not their capabilities. We must start deploying defensive capabilities that are a match for our enemies’ attack capabilities. We need to make it clear that requests for budget to defend against targeted attacks on control systems are not just the perennial requests for “even more security,” but a call to action to deploy defensive capabilities that match our enemies’ capabilities.

Is senior management willing to represent the first pipeline to be taken down by a targeted attack? When the first such attack causes serious consequences, there will be questions by the media, and possibly by congressional committees, such as: What did you know? When did you know it? What did you do about it?

Are we prepared to answer those questions? The time to act is now.

Author: Andrew Ginter is the vice president of Industrial Security at Waterfall Security Solutions, a provider of unidirectional security gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cybersecurity products.
