Search:  

 Blog     e-Newsletter       Resource Library      Directories      Webinars     Apps
AFCEA logo
 

Defending the Systems Supplying Everyday Life

March 2012
By Rita Boland, SIGNAL Magazine
E-mail About the Author

 

The Control Systems Security Program in the Department of Homeland Security works to protect the computer control systems vital to the delivery of services and materials such as electricity, water and oil. The networks enable everyday life in the United States, making them attractive to cybercriminals. Protecting them is a challenge because many of the systems are interconnected, and information about them is readily available online.

All computer systems are prone to attacks from various cyberthreats, but disruptions on few of those networks have the potential to cause calamitous damage to national infrastructures. Control systems are such networks—they manage the critical services that much of the world relies on each day, making them attractive targets for cybercriminals. To help prevent catastrophe, the U.S. Department of Homeland Security has an effort dedicated to countering these dangers through various partnerships and training opportunities.

The Control Systems Security Program (CSSP) established under the department coordinates government and private-sector actions to secure the multiple, disparate, interconnected industrial control systems (ICS) across the nation. A Department of Homeland Security (DHS) official within the CSSP program explains that, “Control systems are typically used in many of the industries that sustain our way of life, including electrical, water, oil and gas, chemical, transportation, pharmaceutical, medical, pulp and paper, food and beverage,” as well as banking and finance, communications and discrete manufacturing. The last item includes the automotive, aerospace and durable goods industries. The CSSP provides the resources and information to assist the owners and operators of control systems with protecting such assets by addressing vulnerabilities and developing measures to strengthen security and mitigate risk.

Protecting all the systems against attack is a concern for the government and private sector because, as the official explains, “Cybersecurity breaches of control systems can potentially affect everything from power grids and local water systems to financial markets and lifesaving medical devices and can potentially lead to longer-term disruptions of basic services. While each of these industries is different, all are dependent on the ICS that monitor, control and safeguard their processes.”

Control systems and critical infrastructure hold a special allure for hackers and cybercriminals for several reasons. Many of the assets are interdependent, creating the potential for a chain of problems. Another factor is the ready availability of information on the Internet regarding how these systems work. In addition, attacks via the Internet protect anonymity, so discovering the source of an attack is difficult for those who would bring perpetrators to justice. “Combating these threats requires a coordinated approach to cybersecurity, and DHS works to increase the sharing of information and resources among the government and stakeholders,” the official says.

On its website, the CSSP identifies several main threats to control systems, including national governments, terrorists, industrial spies, organized crime groups, hacktivists and hackers. These diverse groups represent a range of motives, interests and techniques that must be understood and countered. In June 2011, the National Institute of Standards and Technology (NIST) released the “Guide to Industrial Control Systems (ICS) Security,” which outlines methods for securely establishing such systems.

The guide identifies more threats to ICS such as disgruntled employees, malicious intruders and unintended sources such as system complexities, human errors and accidents, equipment failures and national disasters. The authors write that: “To protect against adversarial threats (as well as known natural threats), it is necessary to create a defense in depth strategy for the ICS.” Under the umbrella of the ICS falls supervisory control and data acquisition (SCADA) systems, distributed control systems and smaller control system configuration, such as skid-mounted programmable logic controllers, frequently found in the industrial sectors and critical infrastructures.

Many of the threats officially identified by various government publications cut across multiple areas and as such cannot be delineated clearly into one category. However, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) directs the majority of its incident response activities at threats posed by hackers looking to break into networks, phishing schemes intended to access proprietary information or gain access to systems, and malware intended for various purposes. The CSSP manages and operates the ICS-CERT, which is the analysis arm of the program offering support for industrial systems stakeholders.

According to the official, the most difficult threats to address are those related to legacy systems that are still functional but are equipped with antiquated code. Often, the older technologies lack built-in security. “Also, these systems typically cannot be stopped without interrupting critical processes,” the official says. “Testing and certification system requirements make patch management a slow, lengthy process, leaving legacy systems vulnerable for long periods of time.” Security experts also must address vulnerability and security issues that stem from the intersection of products not designed for open connectivity with the current highly interconnected ICS environment.

The potential for problems increases as more groups rely on services provided through ICS. “As businesses become increasingly dependent on cybernetworks and control systems, and data becomes more accessible in real time, the increased conveniences and efficiencies can also lead to increased vulnerabilities,” the CSSP official states. “Cybersecurity must therefore be a part of any overall risk management or security program.”

 

Analysts working for the Industrial Control Systems Cyber Emergency Response Team strive to protect control systems from cyberthreats to prevent major disruptions to everyday life.

Whatever the root cause of a security weakness, if it has the potential to impact control systems, then personnel must assess, understand and address it to minimize the overall risk to the owners and operators of critical infrastructure and key resources. The CSSP and the ICS-CERT strive to ensure processes and procedures are dynamic and flexible enough to meet the current and future needs of critical infrastructure personnel. “Unfortunately, no ‘one-size-fits-all’ approach exists to address the full spectrum of ICS vulnerabilities,” the CSSP official says. “Response and mitigation efforts will vary and depend on the nature of the issue reported and the control systems affected.”

To ensure systems remain functional, the CSSP stresses that network administrators should practice defense-in-depth strategies such as password protection, firewall protection and patch management, working with vendors and information technology professionals to manage network security and monitoring of the network traffic for anomalies. The program has several resources available to administrators to help them evaluate the security of their systems. The Cyber Security Evaluation Tool (CSET) provides users with a systematic and repeatable method for assessing the cybersecurity of ICS networks. It derives recommendations from a database of cybersecurity standards, guidelines and practices from across the government and industry. Each suggestion correlates to a set of actions that personnel can apply to enhance cybersecurity controls.

The CSSP works with various organizations in the government including providing ICS subject-matter expertise to standards development organizations such as NIST. It also offers content, participates in topic discussions and reviews text that the standard body is considering. In addition to its other interagency work, the program has established the Industrial Control Systems Joint Working Group, under the framework of the Critical Infrastructure Partnership Advisory Council. The group serves as a vehicle for collaboration between government and the private sector.

Moving forward, control systems will become more interconnected, and increasing numbers of people will rely on them to provide critical services. Because of these factors, they will continue to draw interest from those looking to exploit vulnerabilities in the systems’ security. Homeland security experts plan to work with private and public partners to ensure coordination and information sharing that will allow defenders to adapt as threats evolve. The department offers several resources to help create some continuity among the various organizations involved in the protection of these assets. The CSSP provides in-person and Web-based training from beginner to advanced levels of cybersecurity for control systems. In addition, the DHS posts its “Daily Open Source Infrastructure Report” each business day, which includes a summary of published, open-source information concerning significant critical infrastructure issues.

Industry plays a major role in critical infrastructure, so a dialogue between the public and private sectors is key to keeping control networks functional. Keith Rhodes, chief technology officer, QinetiQ North America, Services and Solutions Sector, has sat on both sides of the table. Before joining his current company, Rhodes served as the U.S. Government Accountability Office’s chief technologist. He explains, “Usually people think about the cyber environment as being segregated or segmented from everyday life, but when you look at SCADA, by definition you’re looking at critical infrastructure. ... The infrastructure is around us, and it’s very personal and it belongs to all of us. The designations between government and industry and public and private and at work and at home all go away when you talk about SCADA and support of critical infrastructure.”

As these networks and services become more complex and interwoven, they will demand different security to keep daily life on track. “It’s very much a fabric that’s everywhere yet invisible,” Rhodes says. “And it’s completely taken for granted until it’s not there.” To meet current challenges, he states, leaders cannot be scared or panicked, but they need to understand that the physical and logical worlds are now inextricably linked.

Though no one he knows wants to ignore the problem, Rhodes states that finding a solution is challenging. The necessary technical knowledge is available in both government and industry, but policy and laws often prevent information sharing. The government has to be careful not to reveal information to one company that could give it a competitive bidding advantage over others, and industry has to protect its own business interests. Both also have to worry about other laws, such as those ensuring privacy. Rhodes insists that security is not a matter of what can be done, but what may be done inside the law.

With all the possible threats to SCADA systems, the one that most concerns Rhodes is a denial-of-service attack. “If the infrastructure we take for granted is no longer trusted or trustworthy—that’s the thing that worries me,” he says. During the 2007 attack on Estonia by Russian activists, financial services were interrupted. Rhodes explains that although products were available, people without ready currency were unable to buy them. Even a slowdown in connectivity could cause stress and panic if many people are trying to buy basic goods, and credit card readers are sluggish to respond.

Another problem that such an attack could cause is a disruption to stoplights, causing chaos in areas with heavy traffic. In those situations, people stop thinking clearly and become reactive and upset, Rhodes says. If the threats affected heating or fuel supplies, the tension could become even more severe.

On the upside, a complete catastrophic meltdown of society is more exciting fiction than fact. “I don’t think anyone is going to bring down the entire SCADA fabric of the entire United States or any country for that matter,” Rhodes says. With the many touch points and escape points in the network, a digital, localized event is more likely. He adds that in the future, neither lives nor infrastructure will become less complex, but continued information sharing among the groups involved in securing the systems will help to mitigate dangers and improve responses.

WEB RESOURCES
CSSP Training: www.us-cert.gov/control_systems/cstraining.html
CSSP Cyberthreat Source Descriptions: www.us-cert.gov/control_systems/csthreats.html
Daily Open Source Infrastructure Report: http://www.dhs.gov/files/programs/editorial_0542.shtm
“Guide to Industrial Control Systems (ICS) Security”:  http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf