Source: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
With connected devices becoming more integrated into our daily lives--the Internet of Things (IoT) will add an estimated (cue the Dr. Evil close-up from the film Austin Powers) two trillion dollars to the economy by the end of the decade--companies are investing in hardware, software and management services aimed at binding together our physical and digital worlds. But along the way IoT also creates vulnerabilities that pose public safety risks. It is bad enough for hackers to expose 56 million credit card numbers at Home Depot as happened last year, and quite another when critical infrastructure organizations such as water purification plants, petroleum processing facilities, and gas and electric utilities suffer security breaches.
And yet, a Unisys research study, “Critical Infrastructure: Security Preparedness and Maturity,” found alarming security gaps in the world’s critical infrastructure organizations that could impact their ability to prevent devastating attacks to disrupt power generation and other critical functions. Conducted in partnership with the Ponemon Institute, the study surveyed 599 global IT and IT security executives at utility, oil and gas, alternate energy and manufacturing organizations in 13 countries. The study was conducted during April and May of 2014. The results highlighted the concerns of many of these executives regarding the security of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that monitor and control the processes and operations for power generation and other critical infrastructure functions.
Many SCADA systems were designed to work independently on closed networks, so they were not put in place with secure defenses against cyberattack. But utilities and other companies have been hooking them up to the web in order to improve efficiency and as a result data generally flows freely between SCADA systems at a utility and the remote substations it controls.
The Unisys study found that nearly 70 percent of critical infrastructure managers surveyed reported at least one security breach that led to the loss of confidential information or disruption of operations during the prior 12 months. In addition, 78 percent said a successful attack on their organization’s ICS or SCADA systems is at least somewhat likely within the next 24 months. Only one in six respondents described their organization’s IT security program or activities as “mature.”
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study. He added: "While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”
Interestingly, respondents who reported suffering a data breach within the past year most often attributed these breaches to an internal accident or mistake, and 24% of respondents said these compromises were due to an insider attack or negligent IT employees.
That assessment is in lock step with a 2011 Department of Homeland Security (DHS) Office of Intelligence and Analysis Report, which concluded that while there are several roadblocks to improved security in the critical infrastructure sector, including outdated systems and our physical reliance on these systems, the main vulnerability to critical US infrastructure is from insiders working at these facilities.
DHS pointed out that those targeting the infrastructure may be intent on damaging equipment and facilities, disrupting services, stealing proprietary information, or other malicious activities. The greater the individual’s knowledge and authorized systems access, the greater risk the individual poses, they said.
Any individual with access to a plant’s systems might be swayed by social media recruiting to purposely, unwittingly or inadvertently introduce malware into a system through portable media or web access. Keep in mind that the clever folks behind Stuxnet, the malicious code that was used to attack the system that controlled centrifuges for enriching uranium at Iran’s nuclear facility in Natanz, had to find a way to physically smuggle the code into the facility, probably via an insider using a USB stick.
Insiders, DHS noted, often possess detailed operational and system-security knowledge, as well as authorized physical and systems access to utilities. They can be employees, contractors, service providers, or anyone with legitimate access to utility systems. They often are self-motivated, know system security measures, and raise no alarms due to their authorized systems access.
When violent extremists are able to gain access to an insider or acquire an insider position, this increases the likelihood of success and impact of an attack. With knowledge of and access to a utility’s network, these “malicious actors” could seize control of utility systems or corrupt information sent to plant operators, causing damage to plant systems and equipment.
Violent extremists have, in fact, obtained insider positions, and a report from the DHS Office of Intelligence and Analysis entitled “Insider Threat to Utilities” points out that al-Qa‘ida in the Arabian Peninsula (AQAP) has highlighted insider access as useful in attack planning. A US citizen who was arrested in Yemen in a March 2010 roundup of suspected al-Qa‘ida members worked for several contractors performing non-sensitive maintenance at five different US nuclear power plants from 2002 to 2008. This individual was able to pass federal background checks as late as 2008 before becoming a contracted employee.
The DHS report concluded:
“We judge that terrorist groups and other adversaries will continue to seek employment opportunities and attempt to obtain information from insiders regarding utility infrastructure to improve attack planning and maximize damage. We judge that disgruntled and unstable employees in the utilities sectors will continue to pose a potential threat to the utilities sectors based on their access and intent. We judge that cyberattacks against utility-sector systems have the potential to cause significant damage and will continue to be a primary threat.”
Fair enough. But if IoT based cyberattacks can potentially create public safety risks, what is the public sector’s role and how do the public and private sectors work together?
Last Wednesday the House of Representatives passed the Protecting Cyber Networks Act which now goes to the Senate for consideration. Proponents say the legislation is designed to help companies and the federal government defend against the growing threat of cyberattacks. Approved by a 307-116 vote, the bill encourages US companies to share information about security breaches with the federal government through a "cyber portal" administered by the DHS. In turn those companies would be provided with expanded legal liability protections.
Despite amendments that required two cleansings of personal information from any threat data shared with the government, privacy advocates continue to worry it will give the intelligence apparatus too much access to Americans’ personal information. Privacy advocates and the American Civil Liberties Union said that the legislation could reinforce government powers to conduct surveillance on US citizens or lead to "overbroad law enforcement uses." In a statement, a representative of the Obama administration cautioned that a private company should not be granted immunity “for failing to act on information it receives about the security of its networks."
Perhaps cognizant of failed previous legislative attempts-- the Cybersecurity Information Sharing Act of 2014 and the Cyber Intelligence Sharing and Protection Acts proposed in 2012 and 2013 passed the U.S. House, but did not pass the Senate—a day later, on Thursday of last week, the House passed a second bill, the National Cybersecurity Protection Advancement Act, which will allow companies to share information about cyber breaches with the Department of Homeland Security. It is expected to be less controversial than the Protecting Cyber Networks Act, in part because prior to the vote an amendment was added to the bill that would require the Government Accountability Office (GAO) to review the law’s impact on American privacy five years after it is enacted. The second bill also will now move to the Senate for consideration.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security, operates cybersecurity operations centers in Arlington, Virginia and Idaho Falls, Idaho. Among its activities ICS-CERT responds to and analyzes industrial control systems-related incidents, provides onsite support for incident response and forensics, conducts malware analysis and provides situational awareness in the form of actionable intelligence. ICS-CERT has an Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial control systems.
The National Cybersecurity and Communications Integrations Center, Arlington, VA
The 2015 Spring ICSJWG Meeting in Washington, DC will bring together asset owners and operators, government professionals, vendors, systems integrators and academic professionals to discuss the latest initiatives impacting the security of the nation’s critical infrastructure. The meeting will be held June 23 - 24, 2015 at the Wilbur J. Cohen Building, 330 Independence Ave., SW, Washington, D.C. This meeting provides an opportunity for government professionals, control systems vendors and systems integrators, research and development and academic professionals, asset-owners and operators, to interface with cyber security peers and stay abreast of the latest initiatives impacting security for industrial control systems and the nation ‘s critical infrastructure.
The two day meeting will include keynote speakers, practical demonstrations, plenary presentations, panel presentations, and non-classified briefings. ICSJWG also is planning a classified briefing (active clearance at Secret level or above) on June 25 at 9AM for about two hours at a different location (for US Citizens only). The registration site for the ICSJWG meeting is: https://secure.inl.gov/icsjwg2015.