By Nate Kube
While the typical chief executive, IT director or plant manager feels quite confident they have a security system that can keep the fox away from their IT chicken coop, many have no idea there is a viper coiled in the corner ready to strike at their unprotected plant, grid, refinery or other critical infrastructure where they deploy Operational Technology (OT).
The first question is why? And the quick answer is many aren’t aware how their control system innovations can end up exploited.
Last month, I discussed how organizations that suffer attacks will not discuss intrusions, believing that disclosing breaches could tarnish the company’s reputation. As a result, the people in organizations that could also suffer such fates don’t learn about these threats in the national or trade press, industry conferences or even in peer-to-peer meetings.
For instance, as reported on ISSSource, on December 23, around 1.4 million homes in western Ukraine lost their electricity for several hours. This was a very sophisticated attack. Apparently, once the hackers had access, they manually opened the breakers. Industry news stories reported they then employed the BlackEnergy virus to hinder efforts to locate and restore the opened breakers. There was also a simultaneous Distributed Denial of Service (DDoS) on the utilities’ call centers to slow down customer reports of outages.
We know about this incident because the power company self reported, then industry media outlets picked it up and, then the national press relayed the news. But, interestingly enough, even many that do know of this situation are not aware the attack also hit additional Ukrainian energy companies at the same time to cause disruption in three blasts. Most people are also unaware just this January, Ukrainian cyber security experts revealed a new cyber attack against an airport’s networks.
Sometimes, what we hear misses the point. Only recently, we learned breaches at a dam outside of New York ended up attributed to Iranian-based actors, which shortly followed with a claim of responsibility by Iranian hackers. This was in all the national press, including on the major television networks.
New Law Brings Transparency
Until recently, companies that shared cyber threat indicators with each other or the government, could end up sued by those customers whose private information inadvertently released. Although individuals are more likely to have private information released is more likely to happen in an IT attack, procedures are in place. As a result, attacked companies said nothing to each other.
According to ISACA, new cyber regulations passed in 2015 removed this litigation threat. These new laws encourage participation by providing companies with immunity to any civil suit connected to such disclosures. Companies who share cyber threat indicators with each other or with the government have protection from suits brought by those whose private information ended up inadvertently shared.
Not Ready for OT Security
Based on a 2015 report written by the Ponemon Institute and commissioned by Raytheon, 66 percent of organizations are not ready to address OT security issues.
Organizations are putting their most critical assets at risk in an environment that lacks necessary IT and OT governance capabilities that end up defined in a wide variety of IT and industrial specific standards such as ISO-27000 series, NIST guidance and best practices and IEC 62443.
Educating Our Publics
Our publics need to understand their internal 30- to 40-year-old infrastructures were never designed for this massive connectivity, have not been patched very often and were not devised to withstand modern attacks. Often times, their operators are unaware of what’s actually transpiring on their OT networks and, even if hacked, have no knowledge of the assault.
Adding to the problems, they don’t understand OT utilizes communication protocols and network architectures not often shared with IT systems and require different types of security tools that are capable of operating on those protocols and architectures.
That’s why many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems.
There are Solutions
There are products specifically for OT environments to provide defense-in-depth for embedded systems and industrial assets connected to SCADA, distributed control systems (DCS) and safety systems that communicate in multi-vendor, complex environments. These solutions can:
• Specifically protect industrial assets, applications and communications across process control networks
• Provide a protocol inspection engine that adapts to OT command and protocols
• Identify and alert or block at the application command level, helping reduce the threat surface
• Offer a modular solution that scales to accommodate complex and harsh ICS and SCADA environments
• Deliver easy-to-install appliances that can end up implemented in tap or in-line mode, minimizing disruption to production
The more our publics understand the issues they face, the more capable they will be to rectify the problems inherent with their systems. For now, and until companies whose critical infrastructures suffer an attack and then share their news with all of us who can end up affected, we must go the extra mile to help inform our prospects of such threats.
Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technology Officer is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.