On Aug. 5, 2008, the 1,099-mile-long Baku-Tbilisi-Ceyhan (BTC) pipeline, which carries crude oil from the Caspian Sea to the Mediterranean coast of Turkey on behalf of many of the world's largest oil and gas companies, exploded outside Refahiye, Turkey. Shortly after the incident, the Kurdistan Workers' Party (PKK), a Kurdish separatist group, claimed responsibility for the explosion.
The PKK's claim, however, had little credibility and was quickly dismissed as an attempt to garner attention and incite fear among those it regards as adversaries. The Turkish government soon thereafter released what it considered sufficient evidence that the explosion was the result of a mechanical malfunction. The mystery of the BTC pipeline explosion was thus considered solved.
Fast-forward more than six years to December 2014, and new reporting indicates that neither a malfunction nor the PKK was responsible for the disaster. As Bloomberg News first reported, the explosion was the result of a sophisticated intrusion into the pipeline's control system, in which an adversary gained network access, ironically, through the pipeline's security camera system.
Once inside the network, the adversary was able to raise the pressure in the pipeline while suppressing the alarms that would normally alert the control room to abnormal pressure and flow readings. Because the control room was receiving no alerts, operators were not aware of the explosion until 40 minutes after it happened.
The new evidence surrounding the Turkish pipeline explosion emerged just days after Cylance, a security products and services company, released the findings of its investigation into a sophisticated cyberattack campaign it named Operation Cleaver.
The report, which focuses exclusively on Iranian cyber activity over a two-year period, concludes that there is significant evidence that Iran has explored, and continues to explore, pathways and access points into sensitive computer networks, including those of military institutions, defense facilities, aviation facilities, and equipment within the oil and gas ecosystem.
The Turkish pipeline revelations and the conclusions of the Cylance report, together with the recently disclosed cyberattack on a German steel mill and the breach of a South Korean nuclear plant operator, make it hard to argue against the view that December 2014 will be remembered as the tipping point that brought cyber threats to critical infrastructure into the mainstream narrative.
Understanding the Threat
Threat actors such as terrorists, organized crime, extremist groups, nation-states and hacktivists have for many years viewed critical infrastructure such as pipelines as attractive targets, in large part because a successful attack could cause mass physical disruption over a prolonged period of time.
But over the past decade, as legacy systems have been connected to corporate networks and the Internet, the pathways by which adversaries can reach an asset, known as attack vectors, have proliferated substantially. The control systems that run critical infrastructure facilities and equipment were originally designed with physical security and isolated operation as the primary concerns. Connectivity and the sharing of information outside a dedicated network, while common today, were simply not part of the original architecture or its threat analysis.
Pipelines add their own complications. Assets are dispersed over potentially great distances, and remote sites must send information back to the control room; depending on the communications medium used, that traffic may be vulnerable to eavesdropping or manipulation. Remote outstations can also be physically broken into, and depending on how they are configured, the equipment there can be used as a foothold for attacking the main control station. Since remote outstations are often a long way from civilization, it could take hours or longer for anyone to reach the site and respond to an intrusion.
In a recent article for EnergyCentral.com, my colleague at SANS and NexDefense, Michael Assante, explains how the move from static, isolated control systems to networked digital ones has changed the picture:
In the early 2000s, control systems were typically breached by accidental, non-targeted infections, insider-motivated incidents, or technical errors; and the resulting nuisance was usually restricted to the facility hosting the infected system. Unlike digital systems, however, early control systems did not share information outside the facility or communicate with other systems or people via the Internet. The evolution of digital systems has since opened up multiple pathways to the control center and field devices. Therefore, as technology is introduced, so too are new vulnerabilities and threats to America’s critical infrastructure.
Many security professionals recognize that bringing operational technology (OT) and information technology (IT) together under a common security discipline is essential to lasting control over these systems. The process, however, is frustratingly difficult, and best practices to ease the transition are still being worked out.
Penetration of Control Systems
As organizations quantify their risk, it is important to understand that increased connectivity also makes it easier for remote access to be abused. While adversaries have many attack vectors to choose from, four primary access paths are common to control system breaches: entry via external networks, via calibration connections, via support (vendor or remote maintenance) connections, and via Safety Instrumented System (SIS) field devices. In the Turkish pipeline case, the attackers allegedly penetrated the control system by exploiting vulnerabilities in the software of the security cameras mounted along the pipeline.
According to a SANS analysis of the Turkish pipeline incident, “attackers were able to exploit a vulnerability on the alarm server, running a Windows operating system, and placed malicious software allowing them to achieve persistent access.”
With the accumulation of recent successful and attempted attacks on control systems, there is now enough evidence to identify, with some certainty, the most commonly exploited weaknesses. In no particular order, they are: people, supply-chain dependencies, poor architecture, intercepted communications between systems, and web-based applications.
Regardless of which attack surface is used, how an attack vector is exploited or which weaknesses are exposed, a successful intrusion into a control system can result in loss of view and loss of control, theft of information, modification of logic, altered I/O device settings and loss of the assets themselves. Any of these outcomes can be devastating to safety, productivity and efficiency, in both the short and long term, locally and abroad.
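The alarm suppression in the Turkish incident is a loss-of-view case: the alarm server was compromised, so its silence told operators nothing. One practical countermeasure is to validate the alarm server against a source it does not control. The following Python is an added example, not code from the original article or from NexDefense; it compares pressure readings obtained independently of the alarm server (for instance from a historian or direct field polling) against the alarm server's own HI/CLR event log and flags excursions above the high setpoint that were never alarmed, allowing for normal alarm latency and latched alarms. The tag names, setpoint, grace period and all data are constructed for illustration.

```python
"""Detect 'silent' pressure excursions: readings above the high-alarm setpoint
that the alarm server never alarmed on.  All tags, setpoints and data below
are constructed for illustration; they are not from the BTC incident."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH_SETPOINT_PSI = 1400.0   # hypothetical high-pressure alarm setpoint
ALARM_GRACE_SECONDS = 30     # how long the alarm server may lag a reading


@dataclass(frozen=True)
class Reading:
    ts: int        # seconds since start of the window
    tag: str       # pressure transmitter tag (hypothetical names below)
    psi: float


@dataclass(frozen=True)
class AlarmEvent:
    ts: int
    tag: str
    kind: str      # "HI" when raised, "CLR" when the HI alarm clears


def alarm_intervals(events: List[AlarmEvent]) -> Dict[str, List[Tuple[int, Optional[int]]]]:
    """Turn HI/CLR events into per-tag (raised_at, cleared_at) intervals.
    A HI alarm that never clears gets cleared_at = None (still latched)."""
    intervals: Dict[str, List[Tuple[int, Optional[int]]]] = {}
    open_alarm: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "HI" and ev.tag not in open_alarm:
            open_alarm[ev.tag] = ev.ts
        elif ev.kind == "CLR" and ev.tag in open_alarm:
            intervals.setdefault(ev.tag, []).append((open_alarm.pop(ev.tag), ev.ts))
    for tag, raised in open_alarm.items():
        intervals.setdefault(tag, []).append((raised, None))
    return intervals


def find_silent_excursions(readings: List[Reading], events: List[AlarmEvent],
                           setpoint: float = HIGH_SETPOINT_PSI,
                           grace: int = ALARM_GRACE_SECONDS) -> List[Reading]:
    """Return readings above `setpoint` with no HI alarm covering them.
    A reading at time t is covered if a HI alarm for its tag was raised no
    later than t + grace and had not cleared before t."""
    intervals = alarm_intervals(events)
    silent: List[Reading] = []
    for r in sorted(readings, key=lambda x: x.ts):
        if r.psi <= setpoint:
            continue
        covered = any(
            raised <= r.ts + grace and (cleared is None or cleared >= r.ts)
            for raised, cleared in intervals.get(r.tag, [])
        )
        if not covered:
            silent.append(r)
    return silent


# Constructed sample window: PT-101 alarms correctly on its first excursion,
# PT-102 is never alarmed at all, and PT-101's second excursion is alarmed
# 60 seconds late, well outside the grace period.
SAMPLE_READINGS = [
    Reading(0,   "PT-101", 1200.0),
    Reading(100, "PT-101", 1450.0),   # HI alarm follows at t=105: covered
    Reading(130, "PT-101", 1480.0),   # alarm still latched: covered
    Reading(160, "PT-101", 1300.0),   # back below setpoint
    Reading(300, "PT-102", 1500.0),   # no alarm ever raised: silent
    Reading(330, "PT-102", 1520.0),   # silent
    Reading(360, "PT-102", 1390.0),   # below setpoint
    Reading(400, "PT-101", 1450.0),   # alarm only at t=460: silent
]
SAMPLE_EVENTS = [
    AlarmEvent(105, "PT-101", "HI"),
    AlarmEvent(200, "PT-101", "CLR"),
    AlarmEvent(460, "PT-101", "HI"),
]


def silent_tags(readings: List[Reading] = SAMPLE_READINGS,
                events: List[AlarmEvent] = SAMPLE_EVENTS) -> List[Tuple[str, int]]:
    """(tag, timestamp) pairs for every silent excursion, in time order."""
    return [(r.tag, r.ts) for r in find_silent_excursions(readings, events)]


if __name__ == "__main__":
    for tag, ts in silent_tags():
        print(f"t={ts:4d}s {tag}: above setpoint with no HI alarm raised")
```

The check is only as good as the independence of its inputs: if the readings also flow through the compromised alarm server, an attacker who suppresses alarms can suppress the readings too, so feed it from the historian or from a separate poll of the field devices.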
Solutions for Protecting Pipelines
As the exploitation of previously unknown vulnerabilities, known as zero-day threats, continues to spread rapidly and raise the inherent risk to critical infrastructure operations worldwide, the burden of ensuring the safety of people and the integrity of mission-critical systems has never been greater.
Unfortunately, many of the most effective safeguards against advanced persistent threats (APTs) targeting supervisory control and data acquisition (SCADA) systems depend on the convergence of IT with OT. Until legacy systems and the people who operate them, and networked systems and the people who operate them, can communicate and function in unison, critical infrastructure will remain highly vulnerable to attack.
In the meantime, the priority for those responsible for the integrity of critical infrastructure is to create and continuously refine a threat analysis and corresponding business impact assessment (BIA) that identify the most effective ways to anticipate, detect and minimize threats without sacrificing the productivity, safety and security of normal operations and communications.
While this may sound complicated in theory, the principles that define industrial control system (ICS) cybersecurity are fairly simple in today's hyper-connected landscape, and they are vital to the successful and proactive monitoring of all internal and external assets.
1) Establish Controls – Every organization that operates critical infrastructure should establish controls that raise the cost, risk and effort required for a threat actor to succeed. An example of a positive control is defining exactly which network communications are allowed (which hosts may talk to which devices, on which ports, and with which commands) and then using firewalls or buffer zones to block everything that falls outside those parameters.
2) Introduce Uncertainty – Another universal principle of ICS cybersecurity is introducing enough uncertainty to disrupt attack planning and complicate execution. This defensive strategy reduces the freedom of movement and action that threat actors need to achieve all of their goals and objectives.
To accomplish this, facility owners and operators must keep their technical cybersecurity knowledge current through training and comply with cybersecurity standards and regulation. Going proactively beyond what is mandatory and securing every area of the facility places yet another barrier in front of an attacker attempting to reach the network.
3) Analyze Risk vs. Function – The third and most important principle of ICS cybersecurity is the capacity to recognize the trade-offs between risk and function; specifically, to understand that security is a fundamental part of reliability and safety. How an organization protects its employees, operations and equipment, customers, community, business and brand matters, but how each of these contributes to reliability and safety will differ from one organization to another. A successful attack could disrupt operations and endanger public safety, so cybersecurity policies and procedures must be enforced to maintain a safe and reliable environment.
4) Utilize Real-Time Monitoring – In addition to internal best practices, real-time monitoring tools are being developed to provide continuous visibility into control system environments. Although relatively new to market, these tools are already proving valuable in maintaining a secure, and therefore reliable, ICS by equipping engineers and security staff with the knowledge and methods to manage the integrity of their operational technology.
Understanding the value of these real-time monitoring tools, David Greenfield, editor of Automation Magazine, recently projected in an article that “by identifying and addressing information in protocols, as well as understanding the commands being sent and received on real-time monitoring the network, asset and network identification cybersecurity adds new depth to industrial control system security.”
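Principles 1 and 4 come together in code. The following Python is an added example, not from the original article and not NexDefense's product code; it expresses a positive-control policy for a hypothetical pipeline control zone (which hosts may talk to which devices, on which port, with which Modbus function codes) and then audits observed conversations against it, the way a passive monitor fed from a SPAN port would. The zone addresses, rules and flows are constructed; in a real deployment the zone firewall enforces the policy and the monitor exists to catch what the firewall cannot judge, such as a permitted host sending a command it should never send.

```python
"""Positive control (allowlisted conversations) plus a protocol-aware audit of
observed flows against it.  Addresses, zones and flows are constructed for
illustration and are not any real pipeline's network."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Modbus function codes that change device state.  FC 8 (diagnostics) is
# included because its sub-functions can restart a device or force it into
# listen-only mode, which silences its telemetry.
MODBUS_WRITE_OR_CONTROL = frozenset({5, 6, 8, 15, 16, 22, 23})


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    functions: Optional[FrozenSet[int]]   # None = any application command


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Hypothetical zones
CONTROL_ROOM = net("10.10.1.0/24")
HISTORIAN = net("10.10.2.5/32")
VIDEO_SERVER = net("10.10.3.10/32")
PLC_NET = net("10.20.0.0/24")
CAMERA_NET = net("10.30.0.0/24")

# Everything not listed here is denied (positive control).
POLICY: List[Rule] = [
    Rule(CONTROL_ROOM, PLC_NET, 502, frozenset({3, 4, 5, 6, 16})),  # HMI reads and writes
    Rule(HISTORIAN, PLC_NET, 502, frozenset({3, 4})),               # historian reads only
    Rule(CAMERA_NET, VIDEO_SERVER, 554, None),                      # cameras stream RTSP only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    function: Optional[int] = None   # Modbus function code when dport == 502


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed conversation."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in policy:
        if src in rule.src and dst in rule.dst and flow.dport == rule.dport:
            if rule.functions is None or flow.function in rule.functions:
                return "allow", f"permitted by rule {rule.src} -> {rule.dst}:{rule.dport}"
            return "deny", f"function code {flow.function} not permitted for {rule.src} -> {rule.dst}"
    return "deny", "no rule permits this conversation"


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[Flow, str, str]]:
    """Passive check: every denied flow is a finding; a denied flow that
    carries a state-changing Modbus command is rated critical."""
    findings: List[Tuple[Flow, str, str]] = []
    for f in flows:
        verdict, reason = evaluate(f, policy)
        if verdict == "allow":
            continue
        severity = "critical" if f.function in MODBUS_WRITE_OR_CONTROL else "high"
        findings.append((f, severity, reason))
    return findings


# Constructed observations, including the article's scenario of a foothold
# on the camera network reaching into the control network.
OBSERVED = [
    Flow("10.10.1.15", "10.20.0.7", 502, 3),    # HMI read: allowed
    Flow("10.10.2.5",  "10.20.0.7", 502, 16),   # historian writing registers: critical
    Flow("10.30.0.21", "10.10.3.10", 554),      # camera streaming video: allowed
    Flow("10.30.0.21", "10.20.0.7", 502, 6),    # camera subnet writing a PLC register: critical
    Flow("10.30.0.22", "10.10.2.5", 445),       # camera subnet probing the historian over SMB: high
    Flow("10.10.1.15", "10.20.0.7", 502, 8),    # HMI sending diagnostics (listen-only risk): critical
]


def audit_summary(flows: List[Flow] = OBSERVED) -> List[Tuple[str, str, Optional[int], str]]:
    """(src, dst, function, severity) for each finding, in observation order."""
    return [(f.src, f.dst, f.function, sev) for f, sev, _ in audit(flows)]


if __name__ == "__main__":
    for f, severity, reason in audit(OBSERVED):
        print(f"[{severity:8}] {f.src} -> {f.dst}:{f.dport} fc={f.function}: {reason}")
```

Note that the HMI's diagnostics request is denied even though the HMI is a trusted source: the rule names the function codes an operator console legitimately uses, so a compromised console issuing anything else is visible, which is the depth that a port-level firewall rule alone does not give.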
Critical infrastructure, such as the pipelines that transport valuable oil and gas across the globe, will remain a target of cyber crime no matter how effective any predictive or reactive security protocol turns out to be. That does not mean a successful attack on critical infrastructure is imminent, especially if organizations take basic steps to train their staff, migrate systems toward uniformity and create processes and procedures that make it hard for threat actors to succeed. Knowledge and visibility remain central to ICS security, and so does the ability to share and adopt best practices across the critical infrastructure spectrum.
Author: Graham Speake is the vice president and chief product officer of NexDefense, a cybersecurity company for automation and control systems. He is also a SANS trainer and a subject-matter expert to the Global Industrial Cyber Security Professional (GICSP) certification.