Situational Awareness is the Key to Protecting OT systems from Cyberattacks

  • October 12, 2018
  • Feature

By Nina Hesby Tvedt, Sales & Marketing Director, Secure-NOK

Imagine that you have almost finished your shift at a control center distributing power to a couple hundred thousand homes and businesses. Then you notice something odd on your screen. The mouse cursor is moving by itself and not just randomly. Before you can react, the runaway cursor has opened a circuit breaker at a substation and you realize that someone else is remotely controlling the SCADA system. Before long, the machine has logged you out and as you desperately try to get back in, you notice your password has been changed leaving you helplessly watching substation after substation going offline.  

This was the scenario at the operations center serving the Ivano-Frankivsk region in Ukraine two days before Christmas 2015, as described in chilling detail by Wired Magazine in the article “Inside the Cunning Unprecedented Hack of Ukraine’s Power Grid”. The power grid had been hacked, the intruders were in full control and staged a large-scale breakdown, leaving 220 000 subscribers without electricity for several hours. Thanks to manual backup functionality, the power was restored later the same day. The control center was, however, not fully operational until months later. This was a wake-up call for the many infrastructure owners around the world that do not have manual options available.


Threats to Industrial Infrastructure

Before and after this event, several similar attacks have targeted control systems, including critical infrastructure, industrial manufacturing automation systems and safety systems. As owners and operators find themselves faced with security challenges that were unthinkable to most less than a decade ago, society’s concern is rising for good reason. Critical infrastructure, manufacturing and processing facilities around the world are completely dependent on Operational Technology (OT). Examples include power production and distribution, railway signaling, flight control, traffic light control, water management, oil & gas installations, plants, factories and many more. Some of these systems may be vital to a nation’s security. For all of them, safe and reliable operation is essential.

Today there are various threats to worry about. Infrastructure owners risk becoming a selected target of foreign state intelligence services or criminal groups. Targeted attacks can also come from hacktivists and disgruntled employees. In many cases, however, the infrastructure owner becomes a victim of malware that accidentally makes its way into its OT system. As the intensity and sophistication of recent large-scale attacks such as WannaCry and NotPetya have risen, the probability and consequence of becoming a collateral-damage victim of a non-targeted attack are significant.

Hacking, malware and viruses have now been around for several decades. Why is it that these just recently pose a real threat to industrial infrastructure?

Traditionally, security risks to such systems have been mitigated through maintaining an "air-gap" from other computer systems. Increased digitalization and modernization of the control systems has benefits such as safer, more reliable and efficient operations. Smart grids and automation allowing robots to take over harmful tasks are good examples. The price to pay however is increased vulnerability:

  • Proprietary, often serial, communication protocols are rapidly being replaced by Ethernet/IP-based communication. Ethernet is cheaper, vendor neutral and compatible with modern technology. The flip side is that controllers become more accessible to a perpetrator or malware that has made its way into the infrastructure.
  • Remote control and maintenance capabilities are being more widely utilized. Remote access solutions can be set up in very secure ways, but also in less secure ways. Regardless, remote access will always represent a possible entry point for attacks.
  • Technology used by various industrial services is becoming more similar, allowing the same attack to be repeated against many different infrastructure sectors. IT platforms such as Windows and Linux are common in industrial systems and may allow IT-type attacks to affect and propagate through these systems. At the same time, implementing IT security best practices, such as keeping systems patched and endpoint protection up to date, can be hard, impractical and even impossible in industrial settings.

Going back to the situation in the Ukrainian power grid in 2015, all of these elements played a role in making it possible for an attacker to remotely control physical equipment like circuit breakers.


How to Protect Critical Infrastructure from Cyberattacks

All protection strategies and attack responses have to be based on sufficient situational awareness. This means being aware of possible security holes and knowing the vulnerabilities in your specific infrastructure. Next, you need to obtain continual visibility into your infrastructure to know if someone has started a silent reconnaissance campaign in your network. Attackers will often look around for the IP addresses of OT machines, credentials, firewall settings etc. Unfortunately, many infrastructure owners have no mechanisms, or only ineffective ones, allowing them to pay attention to such activities, which may last for months or longer. The next step of an attack may be to plant malware on your OT machines, for example via infected engineering laptops or USB drives. If you are not specifically looking for it, this malware may lie dormant, collecting system behavior information or waiting for a signal to execute.
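The continual visibility described above can be approximated with a small baseline-and-deviation check over network flow records: learn which hosts normally talk to which controllers, then flag unknown conversations and any single source that sweeps many controller addresses in a short window (the kind of "looking around for IP addresses of OT machines" the paragraph describes). This is an added example, not Secure-NOK's product or code; the log format, addresses, controller subnet and thresholds are constructed assumptions.

```python
# Added example: baseline normal host-to-controller traffic, then flag sources that
# start new conversations with OT hosts or sweep many OT addresses in a short window.
# Log format, addresses, subnet and thresholds are assumptions, not from the article.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records, "timestamp src_ip dst_ip dst_port" (assumed format).
BASELINE_FLOWS = """\
2018-10-01T08:00:01 10.10.1.20 10.10.5.11 502
2018-10-01T08:00:05 10.10.1.20 10.10.5.12 502
2018-10-01T08:01:10 10.10.1.21 10.10.5.13 20000
"""
LIVE_FLOWS = """\
2018-10-02T02:14:01 10.10.1.20 10.10.5.11 502
2018-10-02T02:14:02 10.10.1.99 10.10.5.11 502
2018-10-02T02:14:03 10.10.1.99 10.10.5.12 502
2018-10-02T02:14:04 10.10.1.99 10.10.5.13 502
2018-10-02T02:14:05 10.10.1.99 10.10.5.14 502
2018-10-02T02:14:06 10.10.1.99 10.10.5.15 502
2018-10-02T02:14:07 10.10.1.99 10.10.5.16 502
"""
OT_SUBNET = ip_network("10.10.5.0/24")   # assumed controller subnet
SWEEP_THRESHOLD = 5                      # distinct OT hosts contacted within SWEEP_WINDOW
SWEEP_WINDOW = timedelta(minutes=1)

def parse(log):
    """Yield (timestamp, src, dst, port) per flow record."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def learn_baseline(log):
    """Set of (src, dst, port) conversations seen during the learning period."""
    return {(s, d, p) for _, s, d, p in parse(log)}

def detect(log, baseline):
    """Return alert strings for unknown OT conversations and subnet sweeps."""
    alerts, seen = [], defaultdict(list)   # seen: src -> [(ts, dst)]
    for ts, src, dst, port in parse(log):
        if ip_address(dst) not in OT_SUBNET:
            continue                       # only controller-bound traffic matters here
        if (src, dst, port) not in baseline:
            alerts.append(f"new-conversation {src}->{dst}:{port}")
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= SWEEP_WINDOW}
        if len(recent) == SWEEP_THRESHOLD:  # fires once when the threshold is crossed
            alerts.append(f"sweep {src} touched {len(recent)} OT hosts within {SWEEP_WINDOW}")
    return alerts
```

Calling `detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))` yields one new-conversation alert per unknown pairing from 10.10.1.99 and a single sweep alert once it has touched five controllers inside the window, while the engineering host 10.10.1.20 stays silent because its traffic matches the baseline.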

Responding to an ongoing cyberattack may in many cases be complicated in an industrial setting. Isolating an affected network segment may not be possible. Often several vendors have provided different parts of the control system. The infrastructure operator may lack the required system competence and may depend on consulting expertise at the vendor in order to take effective, yet safe, responsive actions.

As with most complex problems, there are no simple solutions that allow a secure state to be obtained by investing in a single piece of cybersecurity technology. The infrastructure operator has to establish and implement a cybersecurity strategy involving processes, procedures, competence, training as well as technology to protect its industrial assets against cyberattacks. This strategy has to include key vendors as well.

There are several standards designed specifically to help industrial infrastructure owners manage cyber risk. When selecting the best method for securing critical infrastructure from cyberattacks, it is important to find a solution that is specific to industrial purposes and solves logistical and practical challenges as well as meeting security needs. Protection strategies for a large plant will differ from those of a distributed infrastructure, for example one with numerous remote unmanned sites. Technology and work processes to protect Windows servers may differ completely between servers in the enterprise network and those in the production network.

  • The ISA/IEC 62443 series defines procedures for implementing Industrial Automation and Control Systems (IACS) in a secure way. This guidance applies to end users (i.e. asset owners), system integrators, security practitioners, and control system manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
  • The NIST Cybersecurity Framework (NIST CSF) was originally aimed at operators of critical infrastructure. Today it is also used by various organizations, for example in the private sector. NIST, being the US National Institute of Standards and Technology, has its main user base in the USA. The NIST CSF is, however, gaining wider traction and is increasingly being used and referenced by other standards and organizations globally.

These are just two examples of tools to help an organization get started in the right direction. There are also industry-specific initiatives such as the International Association of Drilling Contractors’ (IADC) “Guidelines for Baseline Cybersecurity for Drilling Assets”. Regardless of which standard you choose to guide your efforts, it is key to achieve and continually maintain sufficient situational awareness. This has to play together with an ability to protect your systems and respond to threats accordingly. The control center in Ukraine had several months of opportunity to discover that something fishy was going on. Unfortunately, there has in the past been little tradition of paying attention to the security status of OT systems. Numerous infrastructure owners still operate completely in the blind.

At Secure-NOK we specialize in securing Operational Technology (OT). We believe it is key to design security solutions targeted specifically at industrial purposes. These must work in the industrial environment and within the culture and resources of industrial organizations, on their terms. Only then can situational awareness and the required protection be obtained where it may matter the most: in the core of the physical operation.

Read more in our joint whitepaper with partner Siemens, “How to Safeguard Sophisticated Operational Technology from Targeted Highly Sophisticated Cyber Threats.”
