Are your company’s business systems connected in any way to the industrial control systems (ICS), including Supervisory Control and Data Acquisition (SCADA), which are used to manage the company’s critical infrastructure? If they are, and the best guess is they are, then the ICS/SCADA could be vulnerable to cyberattacks in addition to the business side of the networks.
In 2013, the Department of Homeland Security (DHS) ICS Cyber Emergency Response Team (ICS-CERT) responded to 256 reported industry incidents, and 59% of these were in the energy sector, including the pipeline and gas industry. The disturbing fact is not only that the number of actual incidents was probably much higher, but that 120 of the reported incidents were of an “undetermined/unknown” nature.
“Why,” you ask? An expert opinion, in the absence of investigation results, would say this was probably due to improper configuration of security and monitoring systems, the failure of these systems, the absence of these measures in place in the system’s architecture, or the lack of proper training to manage these systems.
Imagine the ecologically damaging incidents like those depicted in the photos on the right. Now, imagine this incident on a massive and distributed scale as the result of malicious cyber-attackers taking control of oil and gas pipeline ICS/SCADA systems. Take this one step further and imagine your company is the target.
Unfortunately, this scenario is well within the realm of possibility and attempts have been made to carry out such harm in recent years. In fact, there have been a number of systems, identified as national critical infrastructure, that have experienced malfunctions that were likely cyberattacks that caused outages, loss of control, and physical damage.
Fortunately, the attacks to date have been far from severely impacting the long-term economic stability of any country involved; that remains to be seen.
Have we been lulled into a false sense of assurance by the relative calm? Do not be fooled; there is a cyberwar looming on the horizon, and evidence abounds that nation-state actors and activists are actively practicing for such attacks. In 9/11 style, these cyberattackers are planning and working patiently, looking for chinks in the armor of an organization’s commitment to security. In these uncertain times, when major hacking attacks and terrorist activities seem to happen every few weeks, it is in everyone’s interest to know the threats, targets, and risks involved in every aspect of our lives, especially those related to our occupation, local environment, travel, and nation as a whole.
In today’s technology-driven society, threats abound, but the single most important element in avoiding cyberattacks is the people responsible for the maintenance and use of computer assets, networks, applications, and databases. Experts categorize the biggest threat today as the “Advanced Persistent Threat”, or APT. An APT is a sustained set of computer attack methods, often coordinated by humans, pursuing a particular target and operating stealthily over an extended period of time.
The people and organizations behind an APT are intent on gaining access to systems and are motivated by various reasons, including financial gain (or harm) and political influence. There are many ways in which APT actors gain control or indirect access (and eventually direct access), but it usually involves an element of social engineering wherein people like you and me are deceived into providing the attackers a way into the network, either by explicitly revealing information or simply by clicking on an email or website link that is disguised to appear trustworthy.
However, APT actors also rely on knowledge of internal system vulnerabilities. The attackers have already done their reconnaissance and intelligence gathering, so they know your systems have one or more specific vulnerabilities; all they need is an unintentional invitation to enter the corporate network, and automated software does the rest.
In countering this myriad of threats, the advent of cloud services has brought about a shift in the way corporations, and especially industry, manage their information technology and security services and the budgets behind them. Utilizing a Cloud Service Provider (CSP) certainly has monetary advantages through economies of scale, but there is also the high level of security that comes from access to tested and proven environments with layered security, guaranteed high availability, and geo-dispersed data centers, including such aspects as:
• Compliance monitoring;
• Finely grained policy control of system administrator and user access;
• 24/7 security monitoring and network operations centers (NOC);
• Robust patch management;
• Next-generation firewalls and intrusion prevention;
• Secure multi-tenant database architecture, storage, and backups;
• Encrypted virtual machines (VM);
• Advanced virtualization techniques that include Virtual Desktop Infrastructure (VDI);
• Immediate replication and rebuild (self-healing) to secure baselines; and
• Third-party certified data centers.
The use of cloud services can help organizations achieve vital security through dedicated teams and facilities that continuously keep abreast of the latest technologies and capabilities, are certified experts in their field, and serve a number of clients as a shared and scalable resource. Implementing the same capabilities as an on-premises solution is something companies grapple with all the time when tightening their budgetary belts.
The first thing to go is usually the training budget, with planned upgrades scrapped shortly thereafter. In the ever-evolving world of information technology (IT), it is in the best interest of companies to maintain best-of-breed critical components and training that ensure technical security measures are adequately implemented for the management of (i) configurations, (ii) public key infrastructure (PKI), (iii) security information and events, (iv) IP address space, (v) identities and access, (vi) service desk support, (vii) updates and patching, and (viii) policy, to name a few.
Obtaining and implementing the best security measures your company can afford, whether on-premises or through a CSP, can only take you so far. Continuous awareness of threats and vulnerabilities is half the battle in any area of risk management, and cybersecurity is no different. To assess your personal risks and vulnerabilities, there is a series of questions you should ask yourself on a regular basis, including:
• “What am I doing on a daily basis to protect my company’s information?”
• “Do I know what the corporate policy is concerning my responsibilities?”
• “Have I been adequately trained to recognize things like social engineering attempts?”
• “To whom should I report suspicious activities?”
• “What are my actions when I become aware of potentially malicious activity?”
• “How do I best protect company assets?”
A commitment to policy is the key element to remaining vigilant in protecting your company and its information from malicious attackers. This commitment to policy must be a top-down activity. A true commitment to policy is demonstrated through:
• Planning for and providing resources and scheduling that support adequate levels of system security controls, maintenance of controls, continuous monitoring activities, updating/revising of documentation, and the ongoing training and exercises related to policies and related security controls;
• Holding company personnel accountable for non-compliance with corporate information security policy in accordance with the company’s HR policies related to performance management and adverse actions; and
• Supporting the implementation of information security policy through personal example throughout the organization.
It is important to know that a company’s security can be taken down, even when it possesses the strongest detection, prevention, and monitoring systems currently available, if it does not have a commitment to policy.
Other threats that you and your company need to consider are:
• Terrorists/hacktivists – individuals with intent to cause great harm, mostly ideologically motivated. The recent attack on a French satirical magazine is a perfect example: even though the attackers did not use high technology, they achieved their goal of stopping specific people they saw as their enemy from being involved in an enterprise they objected to.
• Malicious insiders – disgruntled individuals who actively work for, or have worked for, an organization and use their knowledge and level of access to perpetrate attacks that cause damage, deny services, steal information, or embarrass or destroy the reputation of individuals or organizations. The recent attack on Sony Entertainment, according to a large number of cybersecurity industry experts, may have been made possible by current or previous insiders who gave the real attackers (Guardians for Peace (GOP)) covert access to much of Sony Entertainment’s information systems, including personal emails. In this case, the purported reason for the attack was a movie that certain entities found objectionable. The result was that the target organization lost a great deal of revenue and people had to apologize for statements they had made about the president of the United States.
• Industrial espionage agents – individuals working for, or on behalf of, another company, a government, or other individuals with the intent to steal proprietary information and/or gain access to information systems through surreptitious means. These might be people visiting your facility for a conference, business meeting, or tour, or they might be employees leaving your company and taking thumb drives chock-full of company information with them to their new employer. In May 2014, the federal government accused the Chinese military of infiltrating a number of American companies and stealing trade secrets, accomplished by gaining access to emails and computer systems.
• Users losing or misusing mobile assets – whether unintentional or purposeful, the effect can be disastrous. In one of the most epic breaches of personal information, an employee of Veterans Affairs lost a laptop holding the unencrypted private and personal information of 26.5 million people.
You might be thinking that you cannot be fooled; that you are computer-savvy and have done this far too long not to recognize when you are being “hacked.” Yet, like a junk mail campaign through the postal system, APT actors are able, over time, to craft some very convincing emails, called “phishing,” that make their way past the most sophisticated spam filters and appear to come from someone, or some entity, you feel you know and trust.
In this way, the attacker can drop malicious software from a “phishing” email into a system they already know to be vulnerable on the inside and initiate the attack in an automated fashion. It might be the start of something like a “botnet,” where the software spreads from computer to computer and autonomously gathers information from across the organization, relaying it back to the attack organizers through encrypted communications.
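Two of the patterns the article describes are visible in ordinary firewall logs: a business-network host reaching directly into the ICS/SCADA segment, and a compromised host beaconing out to its operators on a regular schedule. The following is an added example, not code from the article; the zones, jump host, log format and sample log lines are all constructed assumptions.

```python
# Added example (not from the article): flag business-to-ICS cross-zone flows and
# regular outbound beaconing in constructed firewall log lines.
# Zones, jump host and log format are assumptions for illustration.
import ipaddress
from collections import defaultdict
from datetime import datetime

BUSINESS_ZONE = ipaddress.ip_network("10.10.0.0/16")    # assumed corporate LAN
ICS_ZONE = ipaddress.ip_network("192.168.100.0/24")     # assumed SCADA segment
JUMP_HOST = ipaddress.ip_address("10.10.5.5")           # assumed only permitted path into ICS

# Constructed sample log, one flow per line: "timestamp src dst dport"
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.10.1.23 192.168.100.10 502
2024-03-01T08:00:05 10.10.5.5 192.168.100.10 502
2024-03-01T08:01:00 10.10.1.23 203.0.113.7 443
2024-03-01T08:02:00 10.10.1.23 203.0.113.7 443
2024-03-01T08:03:00 10.10.1.23 203.0.113.7 443
2024-03-01T08:04:00 10.10.1.23 203.0.113.7 443
2024-03-01T08:04:00 10.10.2.8 198.51.100.20 443
2024-03-01T08:04:07 10.10.2.8 198.51.100.20 443
2024-03-01T08:09:00 10.10.2.8 198.51.100.20 443
2024-03-01T08:09:02 10.10.2.8 198.51.100.20 443
"""

def parse(log):
    """Yield (timestamp, src, dst, dport) tuples from the space-separated log."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def cross_zone_flows(log):
    """Business-zone sources talking to the ICS zone without going through the jump host."""
    return sorted({str(s) for _, s, d, _ in parse(log)
                   if s in BUSINESS_ZONE and d in ICS_ZONE and s != JUMP_HOST})

def beacons(log, min_count=4, jitter=0.2):
    """(src, dst) pairs with >= min_count outbound flows whose intervals are near-constant."""
    by_pair = defaultdict(list)
    for ts, s, d, _ in parse(log):
        if s in BUSINESS_ZONE and d not in BUSINESS_ZONE and d not in ICS_ZONE:
            by_pair[(str(s), str(d))].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):  # steady cadence = beacon-like
            hits.append(pair)
    return hits
```

The irregular bursts from 10.10.2.8 are deliberately left unflagged to show that the cadence check, not volume alone, separates beaconing from normal browsing.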
The best way to counter attackers intent on beating their way into your business and ICS/SCADA systems is to remain vigilant through adherence to policy, to report when policy is not adequate, and, for the company, to balance the risk against the cost of continuing to operate on-premises IT versus moving to a CSP.