Securing critical infrastructure from virtual and physical threats
Tim Compston, Features Editor at Security News Desk, finds out that the security challenges faced by critical infrastructure operators are many and varied, with attack vectors emerging not only from the physical world but, increasingly, the virtual – cyber – one as well.
Threats can, of course, come in many forms: hackers breaking into specific control systems to disrupt day-to-day operations; terrorists intent on directly targeting critical infrastructure; or criminals engaged in metal theft, a particular challenge for the electricity grid.
When it comes to protecting the water we drink and the electricity that powers our lives, things may look calm on the surface, but the reality underneath is far more turbulent. Today, individuals, terrorist groups and even state actors are all thought to be plotting to hack into and take control of such systems with malicious intent. The cybersecurity deficit so often flagged up at power and water plants is not helped by the fact that vital control systems may need to stay up around the clock, for months or even years in some cases, so that any unplanned downtime, including the window needed to apply a patch, could affect millions of people.
A recent incident, revealed by Verizon Security Solutions, illustrates the challenges that are out there. In this case hackers breached a server at an unnamed water company that was running an outdated operating system. Not only was the wider IT network accessed, through a payments system, but because that network was connected to the Operational Technology (OT) systems controlling a water treatment facility, further investigation found, worryingly, that chemical levels for tap water had been changed four times during the attack.
Commenting on the incident, Monzy Merza, Director of Cyber Research at Splunk – the operational intelligence platform – believes that opportunistic attackers are all too willing to exploit what he refers to as the ‘low-hanging fruit’ present in outdated or unpatched systems: “We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the Internet.” He goes on to say that the incident underscores the importance of ‘actionable intelligence’: “Reports like Verizon’s are important sources of insight. Organisations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks,” concludes Merza.
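The water company case above is exactly the kind of event Merza wants operators to be able to detect. As an added illustration (example code written for this page, not code from the article, Verizon or Splunk), the script below runs two simple checks over a PLC write-audit log: whether a setpoint write came from a host outside the engineering subnet, and whether a chemical dosing setpoint was pushed outside its approved band. The log format, the tag names, the 10.20.1.0/24 "engineering" subnet, the dosing bands and the sample log lines are all constructed assumptions.

```python
"""Spot dangerous setpoint writes in a PLC write-audit log.

Added example, not code from the article or any vendor it quotes. The log
format, tag names, the 10.20.1.0/24 engineering subnet and the safe dosing
bands are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed sample log (hypothetical format):
#   <ISO timestamp> write src=<ip> tag=<tag> old=<value> new=<value>
SAMPLE_LOG = """\
2016-03-01T08:00:12Z write src=10.20.1.15 tag=CHLORINE_DOSE_SP old=1.20 new=1.25
2016-03-01T09:14:03Z write src=10.10.5.40 tag=CHLORINE_DOSE_SP old=1.25 new=3.90
2016-03-01T09:14:05Z write src=10.10.5.40 tag=LIME_DOSE_SP old=12.0 new=0.50
2016-03-01T10:02:44Z write src=10.20.1.15 tag=PUMP_SPEED_SP old=55 new=60
2016-03-01T11:30:00Z write src=10.10.5.40 tag=CHLORINE_DOSE_SP old=3.90 new=1.20
"""

# Assumed policy: only engineering workstations may write setpoints, and
# chemical dosing setpoints must stay inside an operator-approved band.
ENGINEERING_NET = ip_network("10.20.1.0/24")
SAFE_BANDS = {
    "CHLORINE_DOSE_SP": (0.5, 2.0),   # constructed figures, not real limits
    "LIME_DOSE_SP": (5.0, 20.0),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) write src=(?P<src>\S+) tag=(?P<tag>\S+) "
    r"old=(?P<old>\S+) new=(?P<new>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    tag: str
    new: float
    reasons: tuple


def parse_line(line):
    """Return (ts, src, tag, old, new) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["src"], m["tag"], float(m["old"]), float(m["new"]))


def check_write(ts, src, tag, new):
    """Apply both rules to one write; return an Alert or None if it is clean."""
    reasons = []
    if ip_address(src) not in ENGINEERING_NET:
        reasons.append("outside_engineering_net")
    band = SAFE_BANDS.get(tag)
    if band is not None and not (band[0] <= new <= band[1]):
        reasons.append("outside_safe_band")
    if not reasons:
        return None
    return Alert(ts, src, tag, new, tuple(reasons))


def analyse(log_text):
    """Run every parseable line through check_write; keep alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the monitor
        ts, src, tag, _old, new = rec
        alert = check_write(ts, src, tag, new)
        if alert:
            alerts.append(alert)
    return alerts


def writes_by_source(log_text):
    """Count setpoint writes per source host: a quick 'who is touching the PLC' view."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec[1]] = counts.get(rec[1], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.tag}={a.new} {','.join(a.reasons)}")
    print(writes_by_source(SAMPLE_LOG))
```

Note that the last sample write from the foreign host puts the chlorine setpoint back inside its band, so a band check on its own would miss it; it is the source-address rule that catches it. That is why the two checks are run together: the band rule tells you something is physically wrong, the network rule tells you the IT/OT boundary has been crossed.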
Control system vulnerabilities
For his part, Mike O’Neill, Managing Director at Optimal Risk Management Limited, agrees that the standout security challenge for critical infrastructure today is cyber-related, especially where industrial control or SCADA (Supervisory Control and Data Acquisition) systems are concerned: “That is the big threat for highly industrialised infrastructure such as the water industry, the power generation industry, and the railways.” The reality on the ground is that many SCADA systems are relatively old, which makes them harder to patch and harder to wrap in layered security.
Cliff Wilson, Associate Partner in the IBM Security Business Unit, UK and Ireland, who is responsible for all IBM security business in the Industrial, Energy and Utilities sectors, reiterates the concern that many industrial control systems still running today were designed, manufactured and implemented well before the Internet came along: “In addition to being old, many of these systems can be considered to be highly fragile. Thus, penetration testing or other security analytical testing has to be carried out in a highly sensitive way – it is not hard to crash a legacy programmable logic controller (PLC).”
Asked whether part of the problem is that utilities and other users are keen, for business reasons, to connect their systems more broadly, Wilson agrees that this is indeed an ‘observable phenomenon’: “A lot of old industrial control stuff is, increasingly, being connected to the Internet because there is a need to be able to patch software, to pull out log data, to update software versions – whatever it might be – and also to be able to extract process data to send to corporate management systems. Instead of having to drive a van half way across the country, for example, to look at a piece of industrial control equipment, it is much easier to connect that device to the Internet and be able to query it remotely. However when you do that, and when you connect that piece of old equipment to the Internet, it is often done in a quick and simple manner without taking security into account,” he warns.
In terms of how IBM works with its customers to tackle this ongoing cybersecurity dilemma, Wilson reports that it is approached from a variety of standpoints: “We do penetration testing and systems assurance testing, specifically in the industrial controls area. The idea there is to look for stuff that shouldn’t be there and to see where data is perhaps leaving the environment. So we often get involved in advising our customers how to close those gaps, or to close those back doors in their industrial control systems and how to put better security in place.”
Although Wilson did not want to dwell on the details of specific IBM products, he did tell me that one approach making inroads here is a technology capability designed to provide a protective envelope for these old and ‘creaking’ industrial control systems: “What we have done in the UK in IBM is that we have a security solution that wraps around legacy systems, legacy control systems, of whatever type and allows you to put in place a modern robust security control system around them.”
Kaspersky Lab calls for cooperation with new Industrial Control Systems Emergency Response Team
Kaspersky Lab has founded the Industrial Systems Computer Emergency Response Team (known as Kaspersky Lab ICS-CERT), a global CERT entity that, the cybersecurity specialist says, will collaborate with critical infrastructure operators, vendors and government institutions. Through the ICS-CERT, Kaspersky Lab plans to share its own experience of securing industrial systems and to coordinate the exchange of expertise on threats, and protection methods, between all interested parties.
Andrey Doukhvalov, Kaspersky Lab’s Head of Future Technologies and Chief Security Architect, comments: “Today’s approach to cybersecurity highlights the importance of accumulating intelligence on the latest threats, in order to develop protection technologies. This is especially true for industrial infrastructure, which has specific threats, highly customised hardware and software, and strict requirements for reliability.
“As a security vendor, we have years of experience analysing threats and helping industrial operators with threat prevention and detection, incident response, staff training, and the prediction of future attack vectors. We are confident that sharing intelligence, or, in a broader way, exchanging knowledge between vendors and operators, is an important step towards more secure critical infrastructure. By establishing ICS-CERT we are expanding the availability of the industry’s expertise in a way that no other private security vendor has done before.”
Research reveals that a third of industrial control system components are insecure
New research by Positive Technologies, a global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection, has found that a third of Internet-connected industrial control system (ICS) components are insecure. Nearly half of the vulnerabilities identified are high-risk, according to Positive Technologies, with the majority found in popular vendors’ products. Widespread poor security practice, such as default and dictionary-guessable passwords, makes it easy for outsiders to access these systems and gain control, the company says. With ICSs used across industries such as electricity, water, oil, gas, transport and manufacturing, the implications, says Positive Technologies, range from irritating at best to potentially devastating.
Looking in more detail at the investigation, Positive Technologies’ researchers were able to ‘find’ automated control systems responsible for manufacturing processes, transportation and even the water supply, and determined that in many cases an intruder would not need any special knowledge to gain access. Having gained control, an intruder could mount denial of service (DoS) attacks, execute code remotely to deploy malware, install compromised firmware, disable safety mechanisms or trigger buffer overflows that cause equipment failure or unsanctioned operation, all equally undesirable given the reliability requirements and sensitivity of ICS components. Positive Technologies points out that where a component is deployed determines the severity of such access: a compromised pump in a nuclear power plant, for example, could be critical.
Of the ICS components found online, only two thirds can reasonably be described as ‘secure’, says Positive Technologies. Its data shows that only 14 per cent of vulnerabilities were resolved within three months, 34 per cent took longer than three months, and the remaining 52 per cent were either never repaired or the vendor gave no repair date.
Paolo Emiliani, Technical Manager EMEA of Positive Technologies explains: “Industrial control systems are part and parcel of everyday life, from smart homes to nuclear power stations. They bridge the gap between the digital world and the physical world by interpreting the commands that control turbines, switches, valves and more. These systems are complex, critical to infrastructure, and often Internet-connected, making them a very tempting target for hackers. A further consideration is that many computerised smart home systems are based on technologies similar to those used in industrial plants. With modern energy supply control systems (smart grids) extending industrial networks to houses and apartments, these vulnerabilities need to be brought under control. The largest number of vulnerabilities was identified in SCADA components and programmable logic controllers (PLCs), industrial network devices and engineering software, human–machine interfaces (HMIs) and remote access and management terminals.”
Perhaps the highest-profile example of a cyberattack on industrial control systems in recent times, with hints of state involvement, is the Stuxnet malware. Designed to target industrial control systems, allegedly with the intention of disrupting Iran’s nuclear facilities, Stuxnet first came to the world’s attention in 2010.
This was followed, over the next two years, by attacks deploying a range of malware aimed at, among other things, the Bandar Abbas electricity supply company and the Kharg Island oil terminal, both essential to the country’s oil exports.
Scale of the challenge
Putting the repercussions of a utility provider’s cyber defences being breached into a national or regional perspective, Mike O’Neill from Optimal Risk Management Limited stresses that the very nature of CNI (Critical National Infrastructure) means that the impact of any incident is greatly magnified: “The way that CPNI [Centre for the Protection of National Infrastructure] categorises this, you have got the criticality of an asset and the impact of its loss. If you wipe out the generation capability in a region, for example, the National Grid is going to be hugely challenged to get power back into that area.”
For those seeking to quantify the economic ramifications of a cyberattack a new ‘Integrated Infrastructure: Cyber Resiliency in Society’ study, undertaken by the University of Cambridge’s Centre for Risk Studies and Lockheed Martin, makes for interesting reading. The rationale behind the study was to estimate the short and long-term economic impact of a coordinated, and sustained, cyberattack on the UK’s critical infrastructure. To achieve this researchers modelled an attack on a regional power distribution network. The ‘fictional’ scenario envisaged a cyberattack being executed by a disgruntled employee, with the backing of a nation-state, leading to the installation of rogue hardware in a minimum of 65 vulnerable substations across South East England, ultimately triggering rolling blackouts. In the most conservative scenario, the immediate impact to the UK’s economic output was estimated by the report’s authors as being a massive £12 billion.
Simon Ruffle, Director of Technology and Innovation at the University of Cambridge’s Centre for Risk Studies, believes there are valuable lessons to be learned from this type of cyber resiliency study: “By better understanding and quantifying the consequences, both economic and societal, of a severe cyber hazard on our country’s critical infrastructure, we underline the level of responsibility amongst each of the key stakeholders in this value chain.” Ruffle goes on to say that through ‘hyper-connectivity’ we have created fantastic opportunities for smarter infrastructure use that, crucially, also bring with them a complex set of cyber risks.
Moving away from the cybersecurity arena, there are also physical security measures that can help to protect critical infrastructure, and here the landscape for security managers and operators is changing at an ever faster pace as new technologies and methods come into view.
One aspect that has gained more traction over the last 12 months is systems to deal with the soaring number of drones in our skies which, accidentally or deliberately, venture close to, or even over, critical infrastructure where they simply should not be. Examples of drone activity that has given cause for concern range from multiple reports of unidentified drones flying near French nuclear power stations to near misses with civilian aircraft.
In terms of potential answers to the drone or UAV (Unmanned Aerial Vehicle) dilemma, a number of solutions have been taking off. One example is the aptly named DroneTracker from Dedrone, a multi-sensor drone warning system which, Dedrone reckons, reflects the reality that the size, speed and shape of drones make identification extremely difficult for any single monitoring method. Using a set of interacting sensors, the DroneTracker is designed to detect all types of drones based on multiple parameters such as noise, shape and movement patterns, with processing done in the device itself or in the cloud. Its built-in HD (High Definition) camera saves images and video so there is evidence of the intrusion.
Rapidly deployable CCTV systems are also finding favour for securing critical infrastructure, offering the potential to ramp up security in response to emerging threats. A good example of the type of fast-track solution being brought to market is the WCCTV Site Tower from UK-based Wireless CCTV Ltd, which has already been widely specified for railway and power distribution networks, among other locations. The WCCTV Site Tower supports remote monitoring and multiple camera and sensor options, and can be powered by mains, wind, solar or even fuel cell technology. Marketing Manager Daniel del Soldato is an enthusiastic advocate of such towers and reports that demand for the company’s site security solutions has grown by 27 per cent year-on-year.
Nick Cowley, Country Manager of MCL Utility, is keen to spotlight the main challenges involved in protecting the fresh water supply and why having the right kiosk in place is a critical part of this: “Certain sites, such as the locations of bore-holes, need to remain inconspicuous. What a kiosk is protecting [e.g. bore-hole pumps] is unknown to the public so we cannot draw attention to these sites with large fences and CCTV monitoring.”
As well as being inconspicuous, Cowley stresses that these protective measures have to withstand sustained efforts to access vulnerable points in our critical infrastructure: “Here, the kiosk is the first line of defence in any possible attack and so it needs to be secure. Bank safes are designed to withstand attack long enough for emergency services to respond or for thieves to get discouraged and give up. Kiosks need to be designed and manufactured to replicate exactly that. That’s why LPCB accreditation is so important, as it’s this ability to withstand tampering that the organisation is testing for.”
Cowley goes on to explain that the most capable of today’s kiosks feature a hybrid structure of proprietary glass reinforced plastic (GRP) composite and exotic alloy plates for additional reinforcement. This approach, he stresses, means the kiosks are best placed to perform under pressure both from the elements and from attack or vandalism with a wide assortment of tools and weapons: “As part of AMP6, utilities companies are specifying kiosks certified to LPCB LPS1175 level 4. Our kiosks have been extensively tested so we know that it takes a lot of time and force to breach a level 4 graded model.”
Broadening things out beyond individual security systems, greater attention is now being paid in critical infrastructure to solutions that operate in an integrated way rather than being confined to disparate, unconnected silos. Underlining this trend, Synectics, which is exhibiting at the forthcoming UK Security Expo, has produced a critical infrastructure whitepaper stressing the value of unlocking wide-area situational awareness through a more intelligent approach to integration.
David Aindow, Product and Technology Director at Synectics, offers his thoughts on the emerging critical infrastructure security landscape: “There is a big emphasis on integration and bringing not just alerts of events but situational data into a command and control platform. It is about how people assess the levels of threats that might be coming from different sources and then driving operators through procedures, and work flows, to make sure that they are handling all of the events in the most efficient way possible.”
Canary Wharf invests in new security platform
Canary Wharf certainly stands out as one of the busiest business and financial districts in London, offering over 14 million square feet of office and retail space on 97 acres and welcoming over 140,000 people daily. What is effectively a mini city had been running an old analogue DVR-based video system which was unreliable, difficult to scale and lacked flexibility.
Mike Walker, Security Technology Manager at Canary Wharf Management Ltd – a fully integrated property development and management company – takes up the story of how a new solution was put in place: “With the support from security operations and management, we were ready to move to IP. We wanted a system that could be used with many different technologies, and accommodate standard IT practices.” The IT team trialled different IP video solutions before adopting the Omnicast video surveillance system from Genetec.
Apart from being impressed with the long list of hardware integrations, the flexibility of the open platform, and its robust software development kit, Mike Walker and his team valued another key factor: “Genetec was the first company that understood us. They were able to answer all of our questions, and proved that they understood the network and IT functions. It was a lightbulb moment; Genetec spoke our IT language,” explains Walker.
A wider vision
Since the initial migration from analogue to Omnicast IP video surveillance, Canary Wharf has upgraded its security system to encompass the entire suite of security solutions within Security Center, the unified security platform from Genetec. The Synergis access control system has been provided to tenants for visitor management tasks, and a C-Cure plugin within Security Center has allowed for a full integration with other doors. Walker explains that the team tracks vehicles within Canary Wharf’s peninsula by using the AutoVu automatic number plate recognition (ANPR) system which automatically notifies police of hotlist hits. Canary Wharf has also added a car barrier system. At the touch of a button, operators can block vehicle roadways when a situation requires immediate district lockdown.
Other custom integrations have been added within Security Center, including a tenant communication system called Shop Alert. In the event of an emergency, operators can discreetly send text messages to store clerks and suggest procedures such as an immediate evacuation. Clerks can also alert security staff to disturbances by pressing a distress button, which automatically triggers an alarm within Security Center with video from nearby cameras.
According to Bernadette Bashford-Payne, Estate Control Centre Manager at Canary Wharf: “All of the information we need is available from one central platform. We originally procured the system for one purpose, but we are recognising so much more opportunity and value in our system as we continue adding automation and integrations.”
In the end, there is little doubt that effective critical infrastructure security calls for a wide range of protective measures to deal with current and evolving security issues from cyberattacks to terrorism. Given the ramifications if such infrastructure is disrupted, or put out of action completely, the pressure on governments, owners and operators to make the right security choices is extremely high.