Non-technical manager’s guide to protecting energy ICS/SCADA
APT attacks against Industrial Control Systems (ICS) and to Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. These vulnerabilities begin with the human interface (13% of vulnerabilities required local access) and end with the actual Internet-facing ICS/SCADA hardware (87% of vulnerabilities are web-accessible).
There is a firm business argument that support the protection of ICS/ SCADA. Without proper safeguards in place, continued APT attacks will cause disruption, degradation, disability, and possible destruction of costly and/or irreplacible Energy Sector equipment and facilities. The economic impact to energy companies would be minor in comparison to the impact of a loss of electricity, natural gas, and petroleum throughout the United States. It is in the best interest of both Energy Sector companies and the Nation to immediately plan, fund, and effectively secure ICS/SCADA from front-to-back.
Only operating dependencies are considered; does not consider the purchase of machinery and equipment
[ ALSO:The processes and tools behind a true APT campaign: Overview ]
Human Machine Interfaces (HMI) are popular attack surfaces. The use of phishing, spearphishing, and other social engineering techniques continues to provide adversaries with access to administrative and ICS/SCADA systems. In spite of the best internal training programs and monitoring, an infected vendor or associated network connection can often open the gates to attackers, even within an otherwise well-protected system. An intentional insider threat is even more difficult to anticipate, identify, and often, act upon. Employees are unlikely to identify issues with colleagues for fear of litigation, embarrassment, or loss of prestige within the company.
Training is an effective tool for reducing or eliminating human-borne attacks. A dynamic program that informs, instructs, verifies, and requires written agreement of compliance should be mandatory within all Energy Sector organizations. Instructional System Design pre-tests employees and tailors the amount/level of instruction to their needs. Engaging training should not be entirely online or computer based; effective training should include live presenters, webinars, and case studies or practicum.
At the conclusion of training, a post-test should be administered. Passing the test with a high average indicates the lessons were internalized and, more importantly, demonstrates that the employee did indeed receive and understand the information. An employee who successfully passes the testing cannot at a later time claim “I didn’t know,” or claim ignorance if aware of a colleagues security failures.
ICS/SCADA systems originally were designed to operate alone, without network connection. Once networked, information is remotely requested. This human-machine communication is viewable by attackers unless precautions are taken. Secure connections, similar to the systems used in online banking, must always be established during the HMI to deny attackers visibility into network command, control and communications. VPNs are a necessity for mobile, remote communication with ICS/SCADA equipment.
Other best practices to control the HMI technical threat include the use of least-privilege accounts, two-person control for critical activities, careful control of portable media, and assigning personal passwords and accounts to superusers as opposed to a general “admin” logon in order to maintain attribution for system access and changes.
It is important not to overlook interconnected networks such as vendor organizations. Lack of access controls within a third-party company may result in unauthorized persons being granted administrative privileges. These privileges, if misused or hijacked, can be used to access the primary company and achieve control via the interconnected system (as happened to Target in 2014 via an HVAC vendor). Third-party vendors may not have the resources or motivation of the primary company.
External partners may be encouraged to enforce cyber-security by offering preferential contracts for those who comply or even by levying business restrictions against those who fail to meet energy sector standards for safe network operation.
Redundant, secure communication links between RTUs and the central ICS/SCADA application form the basis of a reliable, secure, and safe enterprise. The processes of power routing automation, warning systems, and production/transmission all require communication mediums that may include low-speed dial-up phone lines, medium speed radio frequency, and high-speed, broadband wired/wireless IP.
Most RTU systems do not meet Data Encryption Standard (DES) and Advanced Encryption Standard (AES) requirements. There is an expense associated with upgrading and incorporating new RTU systems using industry standard encryption routines. There is an even greater expense when an entire company suddenly goes black, perhaps because their ICS/SCADA security-by-obscurity policy -- the vain attempt to remain safe because nobody would ever look for them – was ineffective.
Data must be encrypted, both in transmission and at rest. Data exfiltrated in encrypted form generally is useless to an attacker. Watermarks may be used to identify company data and, if data is stolen, identifies the rightful owner; simplifying the identification and prosecution of the thieves. Intrusion Detection Systems and Intrusion Prevention Systems must be configured to verify all packets as valid to deter man-in-the-middle attacks as well as preventing unauthorized access by rogue programs.
The RTU interface may be enhanced by allowing for multiple passwords at multiple access levels. Multiple passwords support the compartmentalization of application software and ICS/SCADA hardware access control to least-privileged users. All hardware should cloak IP addresses through the use of hardware firewalls.
Organizations should maintain a non-repudiation based system – assigning a digital log in for each and every action. An RTU must autonomously keep track of all access related activities as well as fulfill its basic function. Always remove, disable, and rename default accounts and require the use of strong passwords. Consider the use of asymetrically encrypted password protection and maintenance programs like LastPass.
ICS/SCADA systems have long operational lives (10+ years). With some systems up to 30 years old it is difficult not only to find replacement parts but even technicians familiar with the components and operating systems. Legacy systems often are associated with legacy communication equipment with similar issues. Companies blindly continue to depend upon “security-by-obscurity.”
Were this ever an effective technique, it has been defeated with tools such as the SHODAN search engine. SHODAN, instead of indexing web page content, indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. So what An attacker could instantly discover specific devices and manufacturers by using a simple Google-like search. Obscurity is dead.
Many manufacturers have long-since abandoned the support or production of legacy ICS/SCADA hardware, hardware that continues to faithfully serve. With no need for a functional replacement, the need for a secure replacement often is ignored. Developers are not willing to incur the cost for research and development on a replacement for a perhaps unique, decades-old electromechanical device, while business managers are reluctant to spend money to replace a system that still functions. This is false economy. Legacy systems cannot withstand modern attacks and APTs.
Mandiant, a U.S.-based security firm, released a report in February 2013 that disclosed a recent Chinese military-related cyber-attack on a single company with remote access to more than 60 percent of oil and gas pipelines in North America. If the attack had been intended to disable, it could have had far-reaching consequences on energy supply and the environment across the US and Canada
Legacy systems are not designed to function within the Internet, or to communicate securely, or to defend themselves from the above-described attacks. The energy sector must come to terms with this and accept the operating cost of upgrading or replacing legacy and unsecured systems with those that support cloaking, firewalls, encryption, and other self-defense measures.
It is not unusual for energy sector partners to experience multiple millions of probes or attacks in a single day. One electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity; the attacker only has to be lucky once. You, as the defender, must be perfect every time.
The loss of even short-term energy sector capability could be devastating for the lives of all U.S. citizens. Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control.
No longer is the question, “Can we afford the equipment” The question has become, “When my industry becomes incapacitated in a cyber-attack, who will the public blame Who will find their names in the newspaper Who stands to lose everything” The answer is, you and your company.
Colonel Bryk retired from the USAF after a 30-year career, last serving as an Air Attache (military diplomat) in Central Europe. He holds an MBA from the University of North Dakota and hopes to combine that knowledge with his upcoming MS in Cybersecurity in order to protect our Critical Infrastructure.