The nation’s critical infrastructure and industrial-control systems have become such potential high-value targets for terrorists that their vulnerability threatens the fabric of society. And, as they increase in both importance and vulnerability, these systems cannot be protected using conventional information security measures.
The targets are electrical grids, transportation networks, water systems, oil/gas pipeline operations and other vital resources that serve in the interests of the U.S. economy and the public good—not to mention public safety—every day. Concerns are rising about reported increases in compromise incidents within these systems, coupled with advancements in the “sophistication and effectiveness of attack technology,” according to the Government Accountability Office (GAO). The number of incidents reported by federal agencies to the U.S. Computer Emergency Response Team has surged 782 percent from 2006 to 2012, the GAO reports.
Such attacks can “cause major economic losses, contaminate ecological environment and, even more dangerously, claim human lives,” according to a research report from the University of California, Berkeley. And, industrial control systems (ICS) lie at the heart of this vulnerability.
Global events have triggered the cautionary warnings. Among the most notorious was Stuxnet in 2010, which damaged uranium-enrichment centrifuges in Iran by infecting the country’s nuclear ICS network. In 2012, the Shamoon virus attacked Saudi Arabia’s state oil company, Saudi Aramco, replacing crucial system files with an image of a burning U.S. flag and overwriting essential data with what then-U.S. Defense Secretary Leon Panetta described as “garbage data.” Panetta added that the incident was the most destructive attack the business sector has seen to date, as more than 30,000 computers were rendered useless.
At the core of the concerns are what are commonly called supervisory control and data acquisition (SCADA) systems. SCADA serves as the cerebral cortex of a nuclear-power facility, electrical utility, transportation network or any other critical infrastructure. These systems oversee all of the vital data and information that monitors and controls these resources, which means they are firmly positioned within the cross hairs of adversaries. SCADA/ICS vulnerability disclosures have increased in excess of 600 percent since 2010, and they increased from 72 in 2011 to 124 in 2012, according to NSS Labs Incorporated, an information security research and advisory company.
Yet these systems cannot operate as sealed-off islands, and this has contributed in great part to the increase in vulnerabilities. As in any organization, SCADA operators must communicate regularly with business colleagues and external parties. If a major ice storm takes place in the Midwest, for example, SCADA personnel will have to connect to technicians in the field who have to repair the power lines. They also will have to share information with their counterparts at other utilities in the region to further enhance recovery efforts.
“Twenty years ago, we’d run SCADA systems alongside a big map on the wall with pushpins,” says Michael Assante, project lead for the ICS and SCADA Security Initiative at the SANS Institute. Assante, who was the first-ever chief security officer (CSO) for the North American Electric Reliability Corporation (NERC) from 2008 through May 2010, earlier served as CSO for American Electric Power and was peer-selected as a winner of Information Security magazine’s security leadership award. “We wrote down systems information and updates in logs. When something needed to happen, we picked up the phone. Today, much of this takes place through IT [information technology] network-enabled communications,” he points out.
An elevated network presence, however, brings on the risk of elevated exposure. Dr. Charles Pak, adjunct professor of cybersecurity at Villanova University, says, “Once that connection is established, there’s no way to completely protect it.” Pak, who has taught a graduate course in security risk assessment and management at Villanova and also has taught courses on critical infrastructure protection (CIP) cybersecurity issues, notes, “Most of the systems are linked to Internet protocol [IP] addresses, which mean an adversary can compromise it. Could a system run without the connections? It’s possible. But you’d lose a great deal of efficiency, and that would cost critical-infrastructure organizations money and—in case of a weather disaster causing an outage—result in a backlash of public criticism when the power stays out.”
This sets the table for a perplexing puzzle which CIP leaders are struggling to resolve: how to strike the right balance between the safeguarding of cyber assets and the demand for information sharing/exchange. The ongoing debate underscores what Pak describes as a modern-day “unfortunate truth” that subjects critical infrastructures to vulnerabilities.
“The more you increase efficiencies to serve the public and other stakeholders, the more cybersecurity you give up,” he says.
The conflict within the balance equation led to a February 2013 executive order from President Obama that directed the National Institute of Standards and Technology to develop standards, methodologies, procedures and processes to align policy, business and technological practices with ICS cybersecurity. It called for industry-tested strategies to be incorporated “to the fullest extent possible” to deliver a “prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk.”
At the time of the order, Assante’s former organization, NERC, already had taken the most closely watched, major first steps toward addressing the issues. In January 2013, NERC submitted a comprehensive proposal to mandate 12 new requirements to improve electronic security perimeters, systems security management, configuration change, vulnerability assessments and incident reporting/response plans. Under the plan, key cyber assets must be identified, with controls put in place to protect them; those accessing systems have to undergo multifactor authentication screenings; and all security patches on each device throughout its history must be documented.
NERC also is calling for utilities to demonstrate a method for detecting known or suspected malicious communications for both inbound and outbound connections. Critical infrastructures are capable of functioning on one-way information transmissions, but two-way communications remains a much-preferred model for efficiency and reliability. In both day-to-day operations and crisis management, restricting communications to one-way feeds has proved to be too limiting, ensuring that real-time SCADA information will not be as timely and/or effective as it needs to be.
“Business demands opened up SCADA to allow information to flow,” says Assante. “An overly constrained communications structure doesn’t allow for free-flowing back-and-forth.”
Addressing the protection of two-way communications represents an acknowledgement of the immense interconnectivity of critical-infrastructure organizations. When the concept of cybersecurity took hold in the 1990s, a general impression among lawmakers and policy influencers was that SCADA systems were virtually immune. They were believed to be operations unto themselves, cut off from the rest of the world.
“This wasn’t true,” Assante relates. “You’d have the system connected to suppliers and vendors, and the ensuing information you gathered was very valuable. It helped greatly, for example, in pursuing e-procurement. Or, sometimes, you’d have the marketing department accessing data from the SCADA to make better business decisions. There were many circumstances that resulted in a SCADA network presence.”
The use of readily available IP-based technologies has brought the liberation of integrated, enterprisewide collaboration. But there is a potential price to pay, especially as SCADA systems often run on older equipment with outdated versions of Microsoft Windows and Linux, which frequently are unpatched and subject to compromises.
“They are extremely old and very difficult to upgrade,” says Jamil Farshchi, who is the senior business leader for strategic planning and initiatives for Visa and was the chief information security officer (CISO) at Los Alamos National Laboratory through 2011. “New systems aren’t really tailored to the requirements of critical-infrastructure management. So the legacy systems are still essential. Without them, you’d shut down the whole operation,” he offers.
Even plugging in routine patches is logistically complex because the systems operate in real time. “They seldom ever come offline,” Assante says, adding, “because if they did, it would cause a disruption. This builds many constraints on what you can do with them in real time. You might be able to take some servers offline on a Tuesday at 2 a.m. and put in some patches, but that will create outages. So you can’t go there too often,” he points out.
In addition, rigid compliance mandates have brought on constraints. At Los Alamos, Farshchi and his teams found themselves investing what were already limited budgetary funds on relatively generic control installations that failed to support the unique ICS environment. Auditors associated with regulations such as the Federal Information Security Management Act (FISMA) are overly prescriptive, Farshchi says, so it is that much more difficult to apply a risk-based approach toward acquiring solutions to resolve CIP-specific issues.
FISMA and other compliance measures fall short in confronting the increasingly complex tactics that attackers are using, for which tailored capabilities such as reverse-engineering countermeasures are proving more effective than a one-size-fits-all, patch-styled defensive approach. Reverse engineering involves the locating and isolating of malware away from any network activity to examine its DNA, providing useful intelligence to prevent the malware from slipping inside the network.
“Los Alamos isn’t the same as the Social Security Administration, and the Social Security Administration isn’t the same as the State Department,” Farshchi declares. “But FISMA treats everyone the same way. So, static organizations are rewarded. If you have a homogeneous environment, you’ll be rewarded. If you have a heterogeneous one, you’ll be at a disadvantage,” he states.
Private industry has worked on information technology innovations to help resolve the cyberprotection versus information sharing/exchange dilemma. President Obama’s executive order specified that the Defense Department would have to expand its Enhanced Cybersecurity Services program to critical infrastructure sectors and “maximize the utility of cyber threat information sharing with the private sector” to reduce and mitigate risks to the CIP.
This has elevated what is described as “guard” technologies into the spotlight as a promising next-level solution. For years, guard products have demonstrated a good track record of fully secured, two-way communications for military and intelligence community (IC) operations. Warfighters, intelligence analysts and other Defense Department/IC personnel have depended on the solutions because users must be able to exchange mission-critical information securely in real time—especially in the heat of conflict or a terrorism-focused field investigation.
Guard technologies can ensure secure bidirectional transfer of data from one isolated network to another. ICS/SCADA systems already are closely tied to the Defense Department and other government departments. The Department of Homeland Security is highly involved with the protection of ICS/SCADA physical structures. The U.S. Army Corps of Engineers monitors the nation’s dams and levees. And, the Defense Department is the largest consumer of energy in the United States.
Ultimately, everything involving a SCADA system and its critical-infrastructure organization and outside parties is so interconnected, it is extremely difficult to pinpoint where every access path is, which is a foundation of cybersecurity assurance.
“It’s hard to get your arms around the entire cyber inventory,” Assante says. “And, even if you do, few security products are created for the critical-infrastructure environment. You can’t just plug in some generic product. Given the stakes, we should be ahead of the curve on cybersecurity. But we’re really five to eight years behind.
“Critical-infrastructure users are demanding solutions to secure two-way communications, and that’s motivating information technology suppliers to look closely at which architectures are in the works,” he continues. “It’s still in the planning part of the evolution here, but it’s getting larger and larger on the radar. I’m an optimist when it comes to security and innovation, and I believe this is going to come to us faster than you’d think.”
George Kamis is the chief technology officer at Raytheon Cyber Products Company.