How can critical infrastructure be protected from cyber-attacks?
Imagine that you have almost finished your shift at a control center distributing power to a couple of hundred thousand homes and businesses. Then you notice something odd on your screen. The mouse cursor is moving by itself, and not randomly. Before you can react, the runaway cursor has opened a circuit breaker at a substation, and the realization sets in that someone else is remotely controlling the SCADA system.
Before long, the machine has logged you out and as you desperately try to get back in, you notice your password has been changed leaving you helplessly watching as substation after substation goes offline…
This was the scenario at the operations center serving the Ivano-Frankivsk region in Ukraine two days before Christmas 2015. The power grid had been hacked; the intruders were in full control and caused a large-scale outage, leaving 220 000 subscribers without electricity for several hours. Thanks to manual backup functionality, power was restored later the same day. The control center was, however, not fully operational until months later, a wake-up call for the many infrastructure owners around the world that do not have manual fallback options available.
With increasing geopolitical tensions after the escalation of the Russo-Ukrainian conflict in 2022, this wake-up call rings even more alarmingly today.
Threats to critical infrastructure
Before and after this event in 2015, several similar attacks have targeted control systems, including those running critical infrastructure, industrial manufacturing automation and safety systems. As owners and operators face security challenges that were unthinkable to most less than a decade ago, society's concern is rising for good reason. Critical infrastructure around the world is completely dependent on automated control systems, often referred to as Operational Technology (OT) systems. Examples include power production and distribution, railway signaling, air traffic control, traffic light control, water management and many more. Some of these systems may be vital to a nation's security. For all of them, safe and reliable operation is essential.
Today there are various threats to worry about. Infrastructure owners risk becoming a selected target of foreign intelligence services or criminal groups. Targeted attacks can also come from hacktivists and disgruntled employees. In many cases, however, the infrastructure owner becomes the victim of malware that was never aimed at them but accidentally makes its way into OT systems.
Critical infrastructure vulnerabilities
Hacking, malware and viruses have now been around for several decades. Why is it that they have only recently come to pose a real threat to industrial infrastructure?
OT systems are undergoing a comprehensive digitalization process, posing considerable challenges to OT security. Traditionally, security risks to such systems have been mitigated through maintaining an “air-gap” from other computer systems. Increased digitalization and modernization of the OT systems has benefits such as safer, more reliable and efficient operations. Smart grids and automation allowing robots to take over harmful tasks are good examples.
The price to pay however is increased vulnerability:
- Proprietary, often serial, communication protocols are rapidly being replaced by Ethernet- and IP-based communication. Ethernet is cheaper, vendor neutral and compatible with modern technology. It does, however, leave controllers far more reachable for a perpetrator or malware that has made its way into the network: anything that can route packets to the controller can speak to it.
- Remote control and maintenance capabilities are being more widely utilized. Remote access to critical infrastructure can be set up to be very secure, but also in less secure ways. Remote access, however, always represents a possible entry point for attacks.
- Technology used by various industrial services is becoming more similar, allowing the same attack to be repeated against many different infrastructure sectors. IT platforms such as Windows and Linux are today common in industrial systems and allow IT-type attacks to affect and propagate through them. At the same time, implementing IT security best practices, such as keeping systems patched and endpoint protection up to date, is often hard, and sometimes impossible, in industrial settings where downtime windows are rare and vendors certify only specific software versions.
Going back to the situation in the Ukrainian power grid in 2015, all of these elements played a role in making it possible for an attacker to remotely control physical equipment such as circuit breakers. They will likely play a role in new cyberattacks as well.
Critical infrastructure protection and resilience
All protection strategies and attack responses have to be based on sufficient situational awareness. This means knowing the vulnerabilities in your specific infrastructure and where the security holes are. Next, you have to know when someone has started a silent reconnaissance campaign in your network. They might look around for IP addresses of OT machines, credentials, firewall settings, etc. You would also need to know if malware has been transferred to your OT machines via a USB stick plugged into an engineering laptop, and is now lying dormant waiting for a signal to execute.
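The reconnaissance described above, an intruder enumerating OT hosts from a foothold on the enterprise side, leaves a trace in ordinary firewall or flow logs long before a breaker is opened. The following is an added example, not code from the original article or from any vendor: it runs two simple detections over constructed firewall connection records. The first flags a source that contacts many distinct OT hosts on industrial protocol ports within a short window (a horizontal scan), the second flags any connection from the enterprise subnet into the control subnet, which the segmentation policy assumed here should not permit. The port list, the two subnets, the log format and the log lines themselves are all assumptions made for the example.

```python
"""Detect OT reconnaissance in constructed firewall connection logs (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# TCP ports of common IP-based OT protocols (assumed list for this example).
OT_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    44818: "EtherNet/IP",
}

# Assumed network layout: enterprise (IT) and control (OT) subnets.
IT_NET = ipaddress.ip_network("10.1.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 10.20.5.10 is a legitimate HMI polling its RTUs; 10.1.7.42 is a compromised
# engineering workstation on the IT side sweeping the OT subnet.
SAMPLE_LOG = """\
2015-12-23T15:01:02 10.20.5.10 10.20.1.11 502 ALLOW
2015-12-23T15:01:07 10.20.5.10 10.20.1.11 502 ALLOW
2015-12-23T15:01:12 10.20.5.10 10.20.1.12 502 ALLOW
2015-12-23T15:02:00 10.1.3.7 10.1.9.20 445 ALLOW
2015-12-23T15:03:10 10.1.7.42 10.20.1.11 502 ALLOW
2015-12-23T15:03:11 10.1.7.42 10.20.1.12 502 ALLOW
2015-12-23T15:03:11 10.1.7.42 10.20.1.13 502 ALLOW
2015-12-23T15:03:12 10.1.7.42 10.20.1.14 502 DENY
2015-12-23T15:03:12 10.1.7.42 10.20.1.15 502 ALLOW
2015-12-23T15:03:13 10.1.7.42 10.20.1.16 102 ALLOW
2015-12-23T15:03:14 10.1.7.42 10.20.1.17 502 ALLOW
"""


def parse_line(line):
    """Parse one log line into a record, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "port": int(parts[3]),
            "action": parts[4],
        }
    except ValueError:
        return None


def detect_horizontal_scan(records, window=timedelta(minutes=5), min_targets=5):
    """Return {src: max distinct OT hosts contacted within one window}.

    Denied attempts are counted as well: a scan that is mostly blocked is
    still a scan. A sliding window per source keeps this linear in the
    number of events.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["port"] in OT_PORTS:
            by_src[r["src"]].append((r["ts"], r["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # distinct destinations currently in the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(in_window))
    return alerts


def detect_it_to_ot(records):
    """Return sorted (src, dst, port) triples crossing from IT_NET into OT_NET."""
    hits = {
        (str(r["src"]), str(r["dst"]), r["port"])
        for r in records
        if r["src"] in IT_NET and r["dst"] in OT_NET
    }
    return sorted(hits)


def analyze(log_text):
    """Run both detections over raw log text and return their findings."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return {"scans": detect_horizontal_scan(records), "it_to_ot": detect_it_to_ot(records)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, n in findings["scans"].items():
        print(f"ALERT horizontal scan: {src} touched {n} OT hosts within 5 minutes")
    for src, dst, port in findings["it_to_ot"]:
        print(f"ALERT IT->OT crossing: {src} -> {dst}:{port} ({OT_PORTS.get(port, 'other')})")
```

On the constructed log the HMI, which polls only two RTUs, stays below the threshold, while the workstation on 10.1.7.42 is flagged by both rules. In a real deployment the thresholds would be tuned per site, and the point of the second rule is that it needs no threshold at all: if the segmentation design says IT hosts never talk to OT hosts, a single crossing is already worth a look.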
Another important element of protection strategies is risk management. There are several standards designed specifically to help industrial infrastructure owners manage cyber risk:
- The ISA/IEC 62443 series defines requirements and procedures for implementing OT systems in a secure way and is becoming a staple for risk management of OT systems. Its guidance applies to end users (i.e. asset owners), system integrators, security practitioners and control system manufacturers responsible for designing, manufacturing, implementing or managing industrial automation and control systems.
- The NIST Cybersecurity Framework (NIST CSF) was originally aimed at operators of critical infrastructure. Today it is also used by many other organizations, for example in the private sector. NIST, the US National Institute of Standards and Technology, has its main user base in the USA, but the NIST CSF is gaining wider traction and is increasingly used and referenced by other standards and organizations globally.
- Many organizations use ISO 27001 to build an Information Security Management System and want to use the same system to manage cyber risk to their infrastructure.
Industry-specific solutions
When selecting a method for securing critical infrastructure resilience, it is important to find a solution that is specific to industrial purposes and solves the logistical and practical challenges as well as the security needs. Protection strategies for a large plant will differ from those for a distributed infrastructure with numerous remote, unmanned sites. Likewise, the technology and work processes used to protect Windows servers in the enterprise network may be completely different from those needed for servers in the production network.