As the drumbeat of cybersecurity breaches seems ever-present in the media, we’re starting to see some real attention being paid to the security function in a number of verticals, and a willingness among them to go beyond their regulatory compliance obligations.
For example, large retailers have reorganized their security teams and made significant investments in personnel and technology. Healthcare organizations, long subject to the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), have finally started to recognize the real costs of not improving security. This arguably has resulted in heightened enforcement within that vertical.
However, within the critical infrastructure sector, particularly with electric utilities, the focus still remains on compliance. While the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and the cybersecurity regulations promulgated by the Nuclear Regulatory Commission do call for some much-needed improvements, many utilities still fail to recognize the risks. By one estimate, at least 50% of all cybersecurity spending is allocated for regulatory compliance. Most of the remaining budget focuses on cybersecurity risks on the enterprise side, seeking to address vulnerabilities within back-office systems that exist in all industries. Those systems are not used to generate or deliver electricity, but not surprisingly, they are the systems getting breached. In fact, for end-user systems used to surf the web and read e-mail, malware infections are simply a fact of life.
However, to date there has not been a single power outage in the United States directly attributed to a cyber-attack on an electric utility. While there has been evidence that advanced threat actors have infiltrated electricity control systems, they have not used that access to cause any palpable harm.
And while the threat does exist, evidence thus far shows that just being able to break into a critical system is not enough. The authors of Stuxnet spent millions of dollars with access to some of the world’s best intelligence data about the exact configuration of the centrifuges in order to devise a program that would lead to their destruction. By contrast, the recent attack on a German steel mill that resulted in damage to a blast furnace was probably a case of a hacker getting lucky, as there is little evidence that the malware was designed to produce that outcome.
As famed control system security expert Rob Lee noted in a presentation at the American Petroleum Institute’s annual cybersecurity conference, campaigns targeting control systems, including Black Energy and Havex, have come up short in their ability to cause damage or even take control of targeted systems. This is because figuring out how to make a control system behave in a particular way without inside knowledge is hard. While the software used is usually common and readily available to hackers, the actual configuration settings, set points, and application logic in the end controllers often differ dramatically. Moreover, just shutting off power that can be turned back on quickly is probably not something terrorists and other malcontents are willing to spend a lot of time and money on. Instead, they want to cause real damage and sustained power outages. Here is where the hype and the actual motivation and capability of the threat actor have yet to match up.
However, one should not be complacent. As many control engineers have rightly pointed out, we have experienced damage, extended power outages, and even deaths that can be attributed at least partly to computer malfunctions, albeit not as a result of a malicious actor directly causing that harm. One could argue that if human errors, lack of maintenance, and the lack of proper monitoring can cause such catastrophic results, the threat of a malicious hacker should be taken very seriously.
For some, the answer is going back to basics and following well-defined processes in change and configuration management, patching, and strict adherence to rigorous policies and procedures. That is certainly important, but it’s not enough. Through constant surveillance and infiltration of insiders, the bad guys will eventually learn enough to circumvent the superior quality control practices in place. That’s where meeting the threat will be key. Whether that means the use of anomaly detection technologies, looking for supply-chain-injected malware, or simply employing 24x7 monitoring of the control environment, critical infrastructure operators will need to up their game. And that means taking the threat into account. No one can protect everything completely. Once solid quality assurance is applied consistently, the next step is to prioritize the protection of the assets that are most valuable, most vulnerable, and most likely to be targeted by those capable of succeeding. In some ways, that’s just security 101, but in a checkbox culture often driven by compliance, that’s a message worth repeating.