Revitalizing Critical Infrastructures for Modern Resiliency
Oct 31, 2016
According to a 2014 report from the ICS-CERT, industrial control systems in the United States were threatened by cyber-attacks at least 245 times over a 12-month period by nation-state hackers, cybercriminals, cyber terrorists and hacktivists. The potential risk to critical infrastructure is real and it’s important that the public and private sector work collectively to protect these critical systems.
Failing to rise to the challenge of addressing these threats can have devastating consequences, as in the case of Ukraine, where on Dec. 23, 2015 the power grid was taken down by hackers linked to Russia, leaving 700,000 without electricity for several hours. Closer to home, in March of this year, seven hackers allegedly tied to the Iranian regime were indicted by the U.S. Justice Department for staging a coordinated attack targeting 46 major financial institutions, as well as a dam outside of New York City.
Protecting vital systems is easier said than done. It requires a concerted effort that encompasses modernizing systems, ensuring that they are regularly patched, and ensuring that those charged with protecting these systems have the guidance and resources needed to meet this challenge.
One of the challenges we face when further hardening critical infrastructure across sectors is that many of the systems were developed before the concept of the modern internet. When our nation’s power grid was designed decades ago, the internet did not exist. “Security” has by definition been a bolt-on rather than secure by design. I recently talked about this in the 2017 TAG Cyber Security Annual:
Retrofitting security into a design is rarely a good idea. The preferable approach should involve the use of native integration of cyber security in the network design from the beginning. One of the components of such an approach involves native security protections being integrated into the network elements on which enterprise infrastructure is built.
Another challenge is that the authority over much of this infrastructure is dispersed across state, local and federal government, as well as the private sector. To varying degrees, these groups have adopted an “if it’s not broken, it doesn’t need to be fixed” mentality when it comes to modernizing systems.
That said, we continue to make progress and if we can focus on the following areas, we will make it much more difficult for our adversaries to meet their objectives.
Adopt Security Development Lifecycle for SCADA
Of the potential systems that could be a weak link in critical infrastructure, Supervisory Control and Data Acquisition (SCADA) networks are the most likely to be targeted. These networks are made up of computers and software that perform critical tasks and provide essential services within critical infrastructure. Unlike the systems we use on a day-to-day basis, these systems have a lifecycle that runs for decades. Many of them were designed with the sole intent of monitoring processes, without considering security requirements or the need to protect them from external threats. They were originally conceived and deployed in a world much different from the one we live in now. The reality is there are many unpatched, poorly maintained, and end-of-life/end-of-service devices t.... Many legacy networking products therefore do not provide a cohesive mechanism to apply and manage a contextual policy across disparate network components. Instead, they have to be managed to a great extent individually, and one bad firewall rule, misconfiguration or exploited vulnerability can lead to a broad and cascading compromise.
Adopting secure development and system architecture practices for SCADA systems should be a top priority for the organizations that operate them. A good first step is ensuring that systems receive security updates as soon as they are made available, and that any default passwords are changed. Another critical step is ensuring that these systems are protected by strong access control policies and by essential network security controls, including firewalls and advanced malware detection.
Air Gap Critical Systems
Another step to consider is “air gapping” critical systems to make it more difficult and time consuming for attackers to infiltrate systems. Air gapping ensures control systems are not directly connected to the internet, internal business networks or any other computers within an organization.
While this can often be a costly step, the level of protection it offers critical infrastructure systems cannot be ignored and should be considered. That said, even air-gapped systems can be compromised, so air gapping should not be seen as a silver bullet.
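To make the controls in the two sections above concrete (patching and default-credential hygiene from the SCADA section, and the "no path from the internet or business network into the control network" property that air gapping is meant to guarantee), here is an added example, not code from the original post or from any vendor. It audits a constructed device inventory and a constructed perimeter rule set; every device name, firmware version, date and network range is made up for illustration.

```python
"""Added example (not from the original post): audit a constructed SCADA
inventory and firewall rule set against three of the controls discussed:
vendor patches applied, default credentials changed and no allow-rule that
lets traffic reach the control network from outside it."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

# Hypothetical device record; every field value below is constructed.
@dataclass
class Device:
    name: str
    role: str
    firmware: str
    latest_firmware: str            # latest version published by the vendor
    default_creds_changed: bool
    end_of_support: Optional[date]  # None means the vendor still supports it

# Hypothetical firewall rule in the form most perimeter devices export.
@dataclass
class Rule:
    src: str        # source CIDR
    dst: str        # destination CIDR
    port: int       # destination TCP port; 0 means any port
    action: str     # "allow" or "deny"

CONTROL_NET = ip_network("10.50.0.0/16")    # constructed control-system segment
BUSINESS_NET = ip_network("10.10.0.0/16")   # constructed corporate/business LAN

INVENTORY = [
    Device("plc-pump-01", "PLC", "2.1.0", "2.3.1", False, None),
    Device("hmi-station-02", "HMI", "5.0", "5.0", True, date(2015, 6, 30)),
    Device("rtu-substation-07", "RTU", "1.4", "1.4", True, None),
]

RULES = [
    Rule("0.0.0.0/0", "10.50.0.0/16", 502, "allow"),      # control net reachable from anywhere
    Rule("10.10.0.0/16", "10.50.0.0/16", 3389, "allow"),  # business LAN into control net
    Rule("10.50.0.0/16", "10.50.0.0/16", 0, "allow"),     # traffic staying inside the control net
]

def audit_devices(inventory, today):
    """Return (device, finding) pairs for unpatched, default-credential and
    end-of-support devices as of `today`."""
    findings = []
    for d in inventory:
        if d.firmware != d.latest_firmware:
            findings.append((d.name, "unpatched"))
        if not d.default_creds_changed:
            findings.append((d.name, "default-credentials"))
        if d.end_of_support is not None and d.end_of_support < today:
            findings.append((d.name, "end-of-support"))
    return findings

def audit_rules(rules, control_net, business_net):
    """Return (rule, finding) pairs for every allow-rule whose destination
    touches the control network and whose source lies outside it. Such a rule
    contradicts the air-gap property the text describes."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if not dst.overlaps(control_net):
            continue                       # rule does not reach the control net
        if src.subnet_of(control_net):
            continue                       # intra-control traffic is out of scope here
        label = f"{r.src}->{r.dst}:{r.port}"
        if src.prefixlen == 0:
            findings.append((label, "internet-to-control"))
        elif src.overlaps(business_net):
            findings.append((label, "business-to-control"))
        else:
            findings.append((label, "external-to-control"))
    return findings

def run_audit(inventory=INVENTORY, rules=RULES, today=date(2016, 10, 31)):
    """Combine both checks; an empty list for each key means the sample passes."""
    return {
        "devices": audit_devices(inventory, today),
        "rules": audit_rules(rules, CONTROL_NET, BUSINESS_NET),
    }

if __name__ == "__main__":
    for category, items in run_audit().items():
        for subject, finding in items:
            print(f"{category}: {subject} -> {finding}")
```

On the constructed sample the device check flags the PLC twice (behind on firmware and still on factory credentials) and the HMI as past vendor support, and the rule check flags the two rules that let traffic into the control segment from the internet and from the business LAN while leaving the intra-control rule alone. Against a real estate, the inventory would come from the asset register and the rule list from the firewall export, and the `today` date from the clock; the checks themselves do not change.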
Increase Cooperation Between the Public and Private Sector
Most importantly, we need to increase cooperation and information sharing on threats. As my colleague Bob Dix pointed out in a recent article:
It is imperative that the United States mature an operational capability in cybersecurity to deliver effective information sharing, analysis and collaboration through a joint, integrated public – private partnership that leverages and respects the various capabilities developed across those communities and engages the cyber stakeholder community, including state and local government.
The good news is that efforts by the Department of Homeland Security (DHS) to engage the private sector are starting to get us all moving in the right direction. Within DHS, there are several centers that work to support security and share information, as well as best practices:
The National Cybersecurity and Communications Integration Center (NCCIC) houses two teams whose function is to respond to and reduce risks.
The National Infrastructure Coordinating Center (NICC) is the information-sharing operations center that maintains overall situational awareness of the nation’s critical infrastructure for the federal government. It serves as an information-sharing hub for coordination between DHS and the owners and operators.
It’s essential that we continue to support and engage these efforts and expand them to be more inclusive. Building resilience is vital to maintaining critical infrastructure and deserves the attention and visibility it’s getting with National Cyber Security Awareness Month. To create the foundation for a more agile and resilient critical infrastructure, our digital infrastructure requires modernized networks and monitoring tools, as well as modernization efforts around control systems that integrate seamlessly and holistically – rather than acting as an after-the-fact “bolt-on.”