It’s hard to imagine an issue more front-and-center on most people’s minds today than cybersecurity—in particular, what will happen if the world’s infrastructure systems are attacked. Dr. Curtis Levinson of the Center for Strategic Cyberspace + Security Science opened his remarks at a recent symposium by pointing out, “the water supply, dams, tunnels, the power grid and highways are all vulnerable to cyberattacks. This is not a national issue, it is international. The grids are interconnected. Imagine trying to survive and recoup from a concerted cyberattack on infrastructure.”
Add to this possibility how fast things happen and the problem becomes even more ominous. James Comey, director of the Federal Bureau of Investigation (FBI), has said there are two types of big companies in the U.S.: “Those that have been hacked and those who don’t know they’re hacked.” He has pointed out that it takes an average of 225 days from the time a cyberattack happens until a company becomes aware of it. For many companies, that means the public relations nightmares of stolen personal and financial information. The ramifications of an attack on critical infrastructure and utilities, however, could be much more devastating—an abundance of power could be stolen or water could be tainted in 225 days.
Yet these attacks are occurring. A recent survey by the Ponemon Institute found that nearly 70% of critical infrastructure companies suffered a security breach in the last year. What’s more, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team said cyberattacks on industrial targets such as water and wastewater treatment plants increased more than 25% from 2011 to 2014.
Meanwhile, utilities today face the economic choice of upgrading equipment to better serve the public or installing cyber security. When pipes are breaking and valves are leaking in aging and outdated systems, it’s hard to justify spending money on cyber defense.
Nevertheless, protecting critical infrastructure from cyberattacks weighs heavily on the minds of governments and utilities as more and more digital technology replaces analog equipment, which makes attack more likely.
APPLICATION PROGRAMMING INTERFACES
In any discussion of cyberattacks, one area that bears close inspection is the use of application programming interfaces (APIs), which came into popular use in 2010. An API is a new way of integrating applications from a single system and moving them across networks and borders. This means many devices, applications and people can now be integrated into ever-bigger, broader systems. While this is beneficial for leveraging information, skills and equipment, it also means more vulnerability. Not all of the people on that API may be ready, able or qualified to be what is essentially a system administrator.
An example given at the same cyber security symposium where Levinson spoke was the way today’s phones operate for users: Smart phones are integrated into every aspect of users’ lives, from personal banking, security controls and thermostats at home to managing sensitive material on the job. Meanwhile, many employers allow and some encourage employees to use their own devices on the job (BYOD—bring your own device) for everything from monitoring devices in the field to transmitting operations data.
The concern is that, beyond the privacy risks for individuals, there are myriad ways APIs can be used to hack workplace computers or systems, and smart phones become part of the vulnerability.
The same problem exists for monitors and calibration tools in industrial control systems. During a recent event for valve, actuator and control manufacturers and end users that broached the subject of cyber security, participants noted that manufacturers of control systems have built security into their equipment through firewalls and network switches. However, as Peter Zornio, chief technology officer at Emerson Process Management, cautioned, “We come up with a new technology, the thieves come up with new hacks. Cyber security is a journey, not a destination.”
As a result of the issues, manufacturers are working with security companies such as Intel to strengthen the protection built into control systems. However, these added layers of security come at additional cost, and it is not unusual for utilities or even processing plants to opt not to purchase them when installing new systems simply because of the price tag.
“It’s like paying for insurance,” Zornio explained. “Unless something happens, they might not want to spend extra on cyber security because safety budgets also cover personal and plant safety, and those are more tangible expenditures.”
Water and Wastewater
Operators of many of the industries where valves are used must be able to monitor the flow and analyze the data coming from all the points in a smart technology system. However, this is also where cyberattacks can happen, which is concerning in light of the new world of terrorism.
For example, in the field of water and wastewater, it’s not likely that a garden-variety hacker would want to disrupt a water system. But there is a fear that terrorist groups or unfriendly nation-states with an agenda would seek to disrupt or destroy a city by tapping into smart devices for purposes of anything from changing the amount of chlorine going into the system to shutting off or opening up valves that control flow, causing loss of water, floods and more chaos.
One safeguard, according to Mark Fabro of the Canadian Water and Wastewater Association, is information sharing—in this case between utilities and from manufacturers to utility owners.
“We used to have threat intelligence reports from law enforcement, but they were not specific, and it was difficult to take action on them. Now, threat intelligence services send out notices, but we have to sort through the noise.”
Fabro urged industrial control manufacturers to share information from operators who have experienced problems and to send it through their channels to other operators. “If a hack happens through the control system, it’s important for owners to communicate that to the manufacturer,” he said. “That manufacturer needs to get the info out to other owners. Everybody has different architecture, so it’s a matter of taking the info and putting it into each system’s context. Fast.”
In the power generation field, one cybersecurity concern today springs from the reality that homes and businesses are increasingly capable of producing some of their own electricity, whether by solar, wind or in some areas, geothermal. Most of these structures are hooked up to the grid so that excess electricity produced at the site is fed back into the grid. In turn, when renewable resources are unavailable, electricity from the grid supplies the needs of the home or business.
While there are safety systems built into the meters and power conditioners in these remote power-producing homes or businesses, they are vulnerable to cyberattack. The possibility of an attack on one home or business sending power back into the grid is relatively low, but the lower level of security leaves this an avenue that could be breached. The concern is compounded by the fact that basically all power plants feed into a central grid today, so the potential for disruption grows exponentially, reaching from regional to international.
An example was presented at the cyber security conference noted above. In 2003, trees and hot weather in Ohio set the stage for a string of events that left 50 million people throughout all of Ontario and eight U.S. states in the Northeast without power for days. While this particular event occurred from natural causes and an aging electrical grid, the grid is now even more vulnerable to failure, according to former Ontario energy minister Bob Chiarelli.
“The blackout really tested the system,” Chiarelli said, and “while there have been improvements on both sides of the border, we are in fact more vulnerable now than ever before.” In light of the kind of breaches that occur when foreign countries invade the cyber security system of other countries’ embassies, energy companies get worried about the energy systems, he pointed out.
The issue of cyber security is considered so important to the power industry that the North American Electric Reliability Corporation (NERC) now holds an annual grid security conference that focuses on key cyber and physical security issues and training for enhancing the security and resiliency of the North American bulk power system. NERC is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America, which serves more than 334 million people.
The conference includes cyber and physical security perspectives from NERC, the U.S. Department of Energy, the Department of Homeland Security, the FBI and industry experts. Even with this kind of intense scrutiny, many analysts worry that power generation and distribution are the most likely targets for cyberattacks.
THE HUMAN FACTOR
There are many ways attackers could get through protective systems, but one of the easiest for them is the human interface.
According to a joint survey by Intel and the Aspen Institute [1], cybersecurity companies consider BYOD and device diversity to be a significant potential point of attack. An important concern is lack of awareness by users as well as their use of unofficial online and social media services. A hacker’s way into a local water treatment or power generation plant can be as simple as an employee opening an attachment in an email.
This threat can be mitigated with quality training and the development and implementation of a cyber security protocol for employees as well as contractors or subcontractors who have a virtual or physical connection to the systems of the utility or plant. Random penetration tests at various facilities have revealed that many employees, even when told not to open attachments, have done so on work computers when they believe the email is from a colleague or trusted person. Many also are not aware that something as simple as using a USB stick can infect an entire system with malware.
At the aforementioned infrastructure cybersecurity conference, Robert Wong, chief information and risk officer for Toronto Hydro, encouraged utilities to use ongoing training and penetration tests, which consist of a fake “hacker” posing as a colleague or outside contractor or a customer. This hacker entices test subjects to open or download a file or to use a USB stick so that the effectiveness of security barriers can be tested along with awareness of and compliance with security protocols.
While training to prevent intrusions is critical, so is preparing for what happens should portions of the infrastructure, including small utilities, get hacked. Just as disaster training is conducted for physical emergencies, so, too, should it be used for preparing for cyber infection. When a denial of service, ransom or any other kind of attack happens, everyone in the organization should know what to do.
The basic protocols, according to Levinson, include:
- Having a written incident response strategy. With today’s rapid development, if the strategy hasn’t been updated in the last one to three months, it may be useless. The plan should focus on dealing with breaches that would include consumer and employee data theft, theft of intellectual property and denial of service or ransom hacks. For example, what exactly is the plan if the website disappears? How should a company reach out to customers whose personal information has been compromised?
- Practicing the plan. The responders must practice responding, which means actually running through the steps. Because hacks happen in minutes, response has to be immediate to be effective and to keep everyone calm.
- Communicating with employees and identifying the types of communication shared with them as well as the public, shareholders, customers and other stakeholders. A direct line of communication should be established with “first responders,” and this communication should not be shared outside that chain.
- Making all first responders come together physically when possible. This ensures they understand this is “crisis mode” with no diversions.
- Planning how to get things back up and running as soon as possible. While this may endanger forensics later in the process, finding out exactly what happened and how is not as important as getting back to business after ensuring cessation of the spread of the malware.
- Knowing who is responsible for what. Every responder must know where and with whom the buck stops.
- Developing a recovery plan, which is especially important for utilities because the public depends on them for water, power, wastewater treatment and delivery of gas and oil.
Many agree that it’s a matter of when, not if, an organization is the object of a cyberattack. For that reason, it’s critical that those connected to infrastructure be proactive with defense by ensuring employees understand the importance of vigilance and have training in defense. For utilities and other critical infrastructure entities, the key to recuperating after the attack is a solid plan before that attack and practicing the response in preparation.
1. Critical Infrastructure Readiness Report: Holding the Line Against Cyberthreats (www.mcafee.com/us/resources/reports/rp-aspen-holding-line-cyberthreats.pdf)
2. Surveys referred to are the 2015 Scalar Security Study (https://www.scalar.ca/en/resources/executive-summary-of-the-2015-scalar-security-study/) and the 2015 Aspen Institute survey noted above in reference