Spotlight on Cybersecurity: Protecting the Systems that Control Our Critical Infrastructure
A Worrisome Trend
It seems that almost every week another major news story breaks concerning a cybersecurity breach at a high-profile company or government agency. Historically, the ultimate aim of many of these attacks has been financial gain for the perpetrators, whether through the acquisition of personally identifiable information (PII), the deployment of ransomware, or other means. Over the last few years, a worrisome trend has emerged as attacks directed at the systems that control our critical infrastructure, such as power, gas, and water utilities, have become more common, more sophisticated, and more successful. Consider some of the most startling recent examples:
- Iranian hacking of Bowman Avenue Dam (May 2013) – The control system of a dam outside New York City was compromised by seven Iranian hackers.
- Ukrainian power outage cyber attack (December 2015) – A cyber attack caused approximately 225,000 customers to lose power.
- Lansing Board of Water and Light cyber attack (April 2016) – A ransomware virus caused a Michigan municipal utility to pay a $25,000 ransom, spend more than $2 million in recovery costs, and suffer extended outages for email, accounting and phone systems.
- Russian Palmetto Fusion government hacking (June 2017) – Russian government hackers penetrated business systems of U.S. nuclear power and other energy companies.
- DragonFly 2.0 hacker attacks on critical infrastructure (August 2017) – Forensic evidence suggests hackers successfully gained access to a handful of U.S. power company control systems.
In the early part of the decade, energy firms, and utilities in particular, cautiously and conservatively invested in cybersecurity initiatives. Compounding the problem was the prevalence of vulnerable legacy hardware and software commonly found in both information technology (IT) and operations technology (OT) environments, often as a consequence of competing priorities and tight technology operating budgets.
The good news is that the combination of high-visibility breaches like those listed above, bestselling books such as Ted Koppel’s Lights Out, and Tech Insider’s video of RedTeam Security breaking into a power company has sparked a sense of urgency among board and executive levels within large energy companies. For smaller-to-midsized energy firms that may not yet have embarked on a more expansive cybersecurity program or are in the early stages of their journey, there are certain lessons, leading practices and recommendations that can be gleaned from those that had a head start.
Formulating a Balanced Response
Energy firms that deploy a risk-informed cybersecurity strategy – one that includes multiple, overlapping and mutually reinforcing protective layers to guard against single points of failure in people, process or technology systems – are a hard target to threat actors. IT organizations within these energy companies can better position themselves across each of the NIST Cybersecurity Framework Core functions: identify, protect, detect, respond and recover.
Be Risk-Informed – Quantify cybersecurity risks using your existing enterprise risk framework, just as you would for flood, fire, injury, regulatory, commodity price or any other business risk event. Using a consistent framework will help your board and management team better understand and optimally allocate resources to risk mitigation.
Know the Threat Actors – Understand what you have that is of value and who might want it. Threat actors are commonly broken into four basic types: (1) criminals, (2) hacktivists, (3) state-sponsored, and (4) insiders. Understand their motivations and level of sophistication. A criminal may simply want to steal PII, and a hacktivist may seek to embarrass the company or industry. A state-sponsored entity may employ highly sophisticated tools and techniques combined with the patience and persistence necessary to exploit multiple systems over long time periods, working its way ever closer to critical control systems and culminating in sabotage or espionage. Not all threat actors are the same, and this insight will help prioritize the strategic and tactical elements of your cybersecurity roadmap.
Build Defense in Depth – Developed by the National Security Agency (NSA) and sometimes called the Castle Approach, this concept involves establishing multiple layers of security control throughout a system to create redundancy so that no single control failure or exploit can compromise an entire system. IT organizations can implement a slate of tools, including: intrusion detection and prevention, firewalls, antivirus and malware removal, endpoint protection, email and web content filtering, network segmentation, etc. Companies may place increased emphasis on securing smartphones, tablets, printers/copiers, and Internet of Things (IoT) devices, just as they might a laptop or server. As technology advances, the number and complexity of the tools available to augment cybersecurity capabilities will continue to multiply. Analytics, cognitive platforms and blockchain are all of increasing relevance in the realm of cybersecurity.
Manage Hardware and Software Assets – Develop and maintain a complete, current inventory of all of your hardware and software assets. Keep them patched. Running up-to-date firmware, virtualization, operating systems, drivers and applications will reduce the number of vulnerabilities that a threat actor can exploit. Monitor these assets, as unexpected, unexplained performance issues or outages may serve as an early indication of a breach. Retire legacy systems running old, vulnerable operating systems and applications, or ring-fence them to protect the rest of your network in the event they are exploited.
Encrypt Sensitive Data – Identify, govern and protect sensitive or proprietary information by encrypting it both in transit and at rest. Data that is encrypted in transit across the network or internet using current standards will be much harder for hackers to peer into. Encrypting sensitive data at rest in server-side databases, on laptops and on mobile devices will minimize the potential for impact if a device is stolen or a database table is exfiltrated.
Secure Applications – Utilize sound application security and secure coding principles. Build them into your project management practices, enterprise architecture guidelines and software development lifecycles. Train your developers. Conduct static and dynamic code scans so vulnerabilities can be identified, prioritized and remediated.
Control Access – Tighten identity management processes and technology. Utilize strong passwords and employ multi-factor authentication where feasible. For example, multi-factor authentication can thwart the efforts of hackers since it requires that a user provide some combination of “something they have” (possession), “something they know” (knowledge), and “something they are” (inherence) in order to be granted access to a system. Minimize accounts with privileged access. Regularly expire user passwords and rotate them even for service accounts. Retire unused accounts. Remove default accounts that are often created as part of system installation and configuration.
Establish a Cybersecurity Awareness Program – Educate employees and customers on an ongoing basis about the risks of phishing, social engineering, etc., including how they are to respond to a cyber incident. Spear-phish and social engineer your own workforce to test that response, and adjust cyber training and awareness programs accordingly. Communicate regularly about active threats and educate stakeholders on incidents.
Identify, Assess & Monitor External Threats – Organizations have a tendency to focus extensively on the tools they deploy and processes they employ to protect against cybersecurity threats. In many cases, very little time is spent developing a kind of organizational self-awareness regarding cyber hygiene and the company’s cyber profile from an external perspective. For example, an IT staff member’s LinkedIn profile may list the specific version, patch level and point release of Unix the company runs. This information could be used by a threat actor to prepare a targeted exploit for those kinds of systems. A job description posted on a recruiting site may specify that a candidate should have knowledge of a particular SCADA system. Again, a malicious agent may use this information in targeting the company’s systems. This kind of information exists on social media sites and job boards, in public records, embedded in office suite document metadata, etc.
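Document metadata is the one channel in the list above that a company controls completely, so it is a natural place to start. The following added example (not code from the article) inspects and scrubs the metadata parts of an Office Open XML package (.docx/.xlsx/.pptx) using only the Python standard library: `docProps/core.xml` carries author and last-modified-by names, and `docProps/app.xml` carries the company name and the exact application version that produced the file, which is precisely the kind of version detail the paragraph warns about. The sample document is constructed in memory, and the people, company and version values in it are made up; the field names are the standard OOXML ones.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces of the two OOXML metadata parts.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCT = "http://purl.org/dc/terms/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
CORE_PATH, APP_PATH = "docProps/core.xml", "docProps/app.xml"

# Keep Word-compatible prefixes when the scrubbed parts are re-serialized.
ET.register_namespace("cp", CP)
ET.register_namespace("dc", DC)
ET.register_namespace("dcterms", DCT)
ET.register_namespace("", EP)

# Fields reviewed before a document leaves the company: people, organisation,
# and the software/version that produced it (tags in ElementTree's {ns}local form).
SENSITIVE = {
    CORE_PATH: {f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy", f"{{{CP}}}keywords"},
    APP_PATH: {f"{{{EP}}}Company", f"{{{EP}}}Manager", f"{{{EP}}}Application",
               f"{{{EP}}}AppVersion", f"{{{EP}}}Template"},
}


def find_leaks(package: bytes) -> dict:
    """Return {'core.xml:creator': 'jdoe', ...} for every populated sensitive field."""
    leaks = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part, tags in SENSITIVE.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root:
                if el.tag in tags and (el.text or "").strip():
                    local = el.tag.rsplit("}", 1)[1]
                    leaks[f"{part.rsplit('/', 1)[1]}:{local}"] = el.text.strip()
    return leaks


def scrub(package: bytes) -> bytes:
    """Return a copy of the package with the sensitive fields removed.
    Every other part (document body, content types, relationships) is copied byte-for-byte."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in SENSITIVE:
                root = ET.fromstring(data)
                for el in [e for e in root if e.tag in SENSITIVE[info.filename]]:
                    root.remove(el)
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(info, data)
    return out.getvalue()


def list_parts(package: bytes) -> list:
    """Names of the zip entries, used to confirm scrubbing did not drop any part."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.namelist()


def build_sample_docx() -> bytes:
    """Constructed minimal .docx for the demo; all metadata values are made up."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCT}">
<dc:title>Historian server patch plan</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>OTDOMAIN\\jdoe</cp:lastModifiedBy>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{EP}">
<Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion>
<Company>Example Energy Co (constructed)</Company>
<Pages>3</Pages>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr(CORE_PATH, core)
        zf.writestr(APP_PATH, app)
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", find_leaks(doc))
    print("after: ", find_leaks(scrub(doc)))
```

Run against a real export (`find_leaks(open("report.docx", "rb").read())`) the same functions report what a recipient would see in the file's Properties dialog; wiring `scrub` into the step that publishes documents to a website or job board removes the version and staff details before they leave.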
Practice Incident Response – Energy companies routinely conduct fire drills and man-down exercises. Firms routinely rehearse how to safely respond to all manner of natural disasters, workplace violence, and the like, but don’t as often practice how they would respond to a cybersecurity incident. Oil and gas and utilities companies should engage regularly in cybersecurity tabletop exercises and simulations involving IT/OT teams, cross-functional business stakeholders, peers, law enforcement, government agencies, as well as vendors critical to a real-world incident response. Engaging multiple stakeholders is key to developing and executing against a well-reasoned plan. For example, IT may plan to employ a take-down service in response to a phishing campaign targeting the company’s customers, but chief counsel may not be comfortable that the Active Cyber Defense Certainty (ACDC) Act adequately provides for this kind of hack-back activity. These kinds of conflicts are often most readily surfaced in the context of interdisciplinary drills.
Develop Resiliency – Many of the same skills, processes and technologies that IT departments employ for business continuity, to maintain high system availability, provide for redundancy, and achieve Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets can be called upon to speed recovery in the event of a significant cyber incident. If a file server is found to be infected with ransomware that cannot be cleanly removed, the ability to rapidly restore that server to its pre-infection condition may be instrumental in minimizing business interruption, costs or lost revenues.
Prepare for the Worst – No energy company can protect against all cyber attacks with complete success. All it takes is one vulnerability or control failure to be identified and exploited by a threat actor to undermine all the best breach protection efforts and investments. Certain steps should be taken to ensure that an organization can recover from an unmitigated, catastrophic cybersecurity event. Cybersecurity insurance may help companies mitigate losses from data breaches, business interruption and network damage. When coupled with incident response services on retainer, such a policy may help pave the path to recovery and contain associated costs.
Managing cybersecurity is a daunting task considering the current threats energy companies face on a daily basis. A risk-informed strategy and roadmap will aid in articulating the need to the board and management so that they can best prioritize where money is spent. It is important to keep in mind that it is impossible to protect systems from cybersecurity compromises 100 percent of the time. Given scarce resources and the asymmetrical nature of the threat, success in this endeavor is often characterized by efficacy in the detection, response and/or recovery around a significant cybersecurity event. Therefore, it is necessary to balance investment of manpower and materiel across these functional domains in order to create a balanced posture in the face of these risks.
As governments, industry associations, trade groups, etc. gain a deeper understanding of the real threat cyber attacks pose, an ever-increasing number of high-quality, low- and no-cost cybersecurity-related resources are becoming available to companies in industries responsible for critical infrastructure. Some are provided through the Department of Homeland Security and others via industry special interest groups focused on these emerging risks. Below are a few good places to start.