Power Plants: Cybersecurity Threats and Risks (Part 2)
(This is the final installment of a two-part series on how operators of critical infrastructure such as power plants are implementing protective measures against future cyber attacks, and on the challenges that remain. Part 1 of the series can be viewed HERE.)
“Defense in depth” refers to employing multiple layers of security so that no single failure gives an attacker access to sensitive plant control networks. These layers can include complex passwords, password expiration policies, two-factor authentication, firewalls configured with least-privilege rules (deny by default, permit only the flows each system needs) and intrusion prevention systems (IPS). One caveat on expiration: current NIST guidance (SP 800-63B) favors long passphrases and screening against breached-password lists over forced periodic rotation, which tends to push users toward predictable increments of the same password.
These protective measures are important for keeping attackers out of plant systems. Complex passwords should always be required, because weak passwords are one of the most common reasons accounts get compromised. Attackers load password-guessing and password-cracking programs with dictionary files and apply mangling rules that add dates, prefixes and suffixes to each word, generating exactly the predictable variants people tend to choose. If passwords are not complex enough, such attacks can recover them within minutes.
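The following is an added example, not code from the original article, showing the kind of dictionary-plus-mangling attack just described from the defender's side: a policy check that rejects any password reachable from a common word by case changes, leetspeak substitutions, and appended years or punctuation. The word list, rule set and sample passwords are constructed for the illustration; real tools use far larger dictionaries and rule sets.

```python
"""Added example (not from the original article): a policy check that rejects
passwords a dictionary attack would generate by mangling a common word.

The word list, mangling rules and sample passwords are constructed for this
illustration; real attack tools use dictionaries of millions of words and
hundreds of rules, so a production check should also screen against a
breached-password list.
"""
import re
from itertools import product

# Constructed mini dictionary. A real list would be far larger.
WORDS = ["plant", "turbine", "password", "summer", "admin"]

# Mangling rules of the kind the article describes: case changes, leetspeak,
# and prefixes/suffixes built from years, digits and punctuation.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
YEARS = [str(y) for y in range(1990, 2031)]
PREFIXES = ["", "!", "#"]
SUFFIXES = [""] + YEARS + [y + "!" for y in YEARS] + ["!", "1", "123", "!1"]


def variants(word):
    """Yield every guess these rules derive from one dictionary word."""
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    for base, prefix, suffix in product(bases, PREFIXES, SUFFIXES):
        yield prefix + base + suffix


def is_dictionary_variant(password, words=WORDS):
    """True if the password is reachable from a dictionary word by the rules above."""
    return any(password == guess for word in words for guess in variants(word))


def meets_policy(password, min_len=12):
    """Policy: long enough, all four character classes, and not a mangled word."""
    has_classes = all(
        re.search(pattern, password)
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(password) >= min_len and has_classes and not is_dictionary_variant(password)


if __name__ == "__main__":
    for candidate in ["Turbine2019!", "P@$$w0rd2024!", "xk7Tq!9mLp2#Rv"]:
        print(f"{candidate:16} dictionary variant: {is_dictionary_variant(candidate)!s:5} "
              f"passes policy: {meets_policy(candidate)}")
```

Note that "P@$$w0rd2024!" satisfies the length and character-class rules yet fails the check, because it is one rule application away from "password"; class-based complexity alone does not defeat a mangling attack.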
Two-factor authentication for remote access is one of the most effective controls for plant control environments: in addition to a password, the user must present something unique, such as a physical token, before being allowed onto the control network. One-time passwords generated by hardware or software tokens also make password-guessing attacks much harder for the attacker, because each code is derived from a shared secret and a counter or the current time, is valid only once, and expires within seconds.
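To make the token mechanism concrete, here is an added example (not from the original article) of the two standard one-time-password algorithms behind such generators, HOTP (RFC 4226) and TOTP (RFC 6238), plus a verifier that tolerates a small clock skew. The secret is the RFC test-vector secret so the output can be checked against the published vectors; a real token secret is random and never shared.

```python
"""Added example (not from the original article): the one-time-password
algorithms used by hardware and software tokens, HOTP (RFC 4226) and
TOTP (RFC 6238), with a verifier that tolerates small clock drift.

SECRET is the RFC test-vector secret, used here so the output can be checked
against the published vectors; a real token secret is random and never shared.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side (clock drift).
    hmac.compare_digest keeps a wrong guess from leaking anything by timing."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(SECRET, counter)}")
    print("TOTP at t=59 (8 digits):", totp(SECRET, at=59, digits=8))
    print("current TOTP:", totp(SECRET))
```

A six-digit code leaves one million possibilities per 30-second step, so combined with a login lockout an online guess is impractical; the strength rests entirely on the secret staying inside the token, which means seed files and enrollment QR codes need the same protection as the control network credentials themselves.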
Intrusion Prevention Systems
Cisco Firepower (IPS) and similar tools can be an effective way to mitigate attacks originating in China, Russia or any other location outside the country regions a plant needs to serve, by blocking the IP address ranges known to belong to those countries. Firewalls configured with these country blocks do not eliminate cybersecurity risk; they reduce the set of addresses that can reach the firewall and stop attempts from the excluded locations. Keep in mind that an attacker can route through a compromised host or a VPN endpoint inside an allowed country, so geo-blocking reduces noise rather than establishing a boundary.
Additional Firepower configurations can also block specific traffic types, which makes attacks considerably more difficult. In particular, they should not allow an attacker unlimited login and password guesses: after a set number of failures from one source within a short window, the firewall should block that IP address.
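The lockout rule just described, as an added example that is not code from the original article or from any vendor product: a small guard that blocks a source address after a burst of failed logins and keeps it blocked for a cooling-off period, replayed over constructed log lines. The log format and the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for the illustration.

```python
"""Added example (not from the original article): the login-failure lockout
logic a firewall or IPS applies so that an attacker cannot guess passwords
indefinitely from one source address, replayed over constructed log lines.

The log format '<epoch> <RESULT> user=<name> src=<ip>' and all addresses
(documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed
for this illustration, not taken from any real device.
"""
from collections import defaultdict, deque

# Constructed sample: a guessing burst from 203.0.113.7, a user who mistypes
# twice from 198.51.100.9, then the attacker returning after the block expires.
SAMPLE_LOG = """\
1700000000 FAIL user=operator src=203.0.113.7
1700000001 FAIL user=admin src=203.0.113.7
1700000002 FAIL user=root src=203.0.113.7
1700000003 FAIL user=operator src=203.0.113.7
1700000004 FAIL user=operator src=203.0.113.7
1700000005 FAIL user=operator src=203.0.113.7
1700000006 OK user=operator src=203.0.113.7
1700000010 FAIL user=jsmith src=198.51.100.9
1700000012 FAIL user=jsmith src=198.51.100.9
1700000015 OK user=jsmith src=198.51.100.9
1700000900 FAIL user=operator src=203.0.113.7
1700000910 FAIL user=operator src=203.0.113.7
"""


def parse(line):
    """Return (timestamp, result, user, source ip) from one sample log line."""
    ts, result, user, src = line.split()
    return int(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


class LoginGuard:
    """Block a source after `max_failures` failures within `window` seconds,
    and keep it blocked for `block_for` seconds."""

    def __init__(self, max_failures=5, window=60, block_for=900):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.blocked_until = {}             # src -> epoch at which the block lifts

    def handle(self, ts, result, src):
        """Return 'blocked', 'block-triggered' or 'allowed' for one attempt."""
        if self.blocked_until.get(src, 0) > ts:
            return "blocked"          # dropped before it reaches the login service
        recent = self.failures[src]
        while recent and ts - recent[0] > self.window:
            recent.popleft()          # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= self.max_failures:
                self.blocked_until[src] = ts + self.block_for
                recent.clear()
                return "block-triggered"
        else:
            recent.clear()            # a genuine success resets the counter
        return "allowed"


def replay(log_text, **guard_args):
    """Run the guard over a log; return per-event (src, verdict) and blocked sources."""
    guard = LoginGuard(**guard_args)
    verdicts = []
    for line in log_text.splitlines():
        ts, result, _user, src = parse(line)
        verdicts.append((src, guard.handle(ts, result, src)))
    return verdicts, sorted(guard.blocked_until)


if __name__ == "__main__":
    events, blocked = replay(SAMPLE_LOG)
    for src, verdict in events:
        print(f"{src:15} {verdict}")
    print("blocked sources:", blocked)
```

Two points the replay makes visible: the attacker's eventual correct guess at 1700000006 is still dropped because the block is keyed on the source, not on the outcome; and the block is keyed on the source rather than the username so that an attacker cannot lock legitimate operators out by hammering their accounts. A patient attacker who spreads guesses across many sources and stays under the threshold (password spraying) evades this control, which is why two-factor authentication remains necessary alongside it.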
One easy way to gain access to a network is to walk in and physically plant a small computer on the network that the attacker can then reach remotely to attack internal systems. Many companies spend large sums on firewalls, IPS and other mechanisms to stop attackers at the perimeter, but do not focus on the internal network. An internal attack is harder to detect and easier to carry out, because its traffic never crosses the Internet and so bypasses the detection systems that watch for external attacks.
Many clients we have worked with did not have good physical security in place that challenged people they did not know, which made it easy for intruders to reach the internal network. Once a computer is on the network, freely available tools can be run to find data that leads to administrative accounts, which provide full access to a company’s computing environment. Users typically store passwords in unencrypted spreadsheets, and a single such file can be the gateway to the entire environment.
Avoiding Common Pitfalls: “If It’s Easy for Users, It’s Easy for Hackers”
User education is key to an effective security strategy. Users are the easiest way around the best security processes installed at plant locations if they log into plant systems with simple passwords. User IDs and passwords should follow best practice: passwords should be complex, not reused across systems, and expire on a set interval.
Physical security measures should require badge access to sensitive areas, deny “guests” entry to those areas, and educate users not to hold doors open for people they do not know (tailgating). Users need to be comfortable questioning and challenging someone they do not recognize who is unescorted.
An effective patch-testing strategy should be implemented to address security vulnerabilities: fix critical issues quickly, and set a schedule that deals with other vulnerabilities within a fixed time interval. The longer a security issue goes unpatched, the easier it is for attackers to gain access to the environment.
Networks and computing environments require constant updating to mitigate the risk of attackers targeting them. Keeping up to date on published exposures helps mitigate cyber attacks. Numerous cybersecurity organizations and sites can assist in addressing published vulnerabilities. They include:
- InfraGard is a partnership between the FBI and members of the private sector. InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.
- National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems: collaborates with international and private-sector Computer Emergency Response Teams (CERTs) to share control-systems-related security incidents and mitigation measures.
- Brian Krebs: security journalist whose blog is a good source of security information.
About the Author:
Glenn Hartfiel is a Director in Opportune’s Process and Technology practice. Glenn has over 20 years of experience providing clients with strategy, architecture, project management and assessment across all areas of IT. His primary focus areas include mergers and acquisitions, IT operations, interim CIO services, enterprise infrastructure design, security architecture and operations management. Prior to joining Opportune, Glenn worked at Sirius Solutions where he managed complex projects, including e-discovery litigation, mergers and acquisitions and IT integration projects for various clients.