Real world assets under cyber-attack - how do we defend CNI - SCADA, IOT, utilities?

Critical Infrastructure is now at risk. Transport, finance and utilities are all targets. Graham Mann looks at some key issues and how they can be tackled.

Graham Mann, managing director, Encode Group UK

Critical National Infrastructure (CNI) has been at risk for some years; the issue is deploying tools that can identify advanced attacks early, within hours.

It's not just these critical industries either, but their supply networks, many of which will, comparatively speaking, have woefully inadequate security. What about the architects and builders who hold the plans for various CNI plants or operations centres: do they have sufficient security to protect such sensitive data from terrorists? Or the chemical companies supplying the water industry: are they sufficiently protected from advanced cyber-attacks? Infrastructure providers such as HVAC companies, as seen in the Target attack, are also susceptible to advanced cyber-attacks.

We only have to look back at the latter half of the last decade, when US defence contractors, including our own Qinetiq, had hackers operating in their networks for years without detection. Not only could similar attacks have been undertaken on CNI organisations, they probably have been; like Qinetiq, they just don't know it. Sensitive data may have been stolen, such as plans of plants, CCTV access, operational knowledge, etc., that would leave the sector open to physical as well as future cyber-attacks.

The UK Government has already spent millions on cyber-security and there are plans to spend even more in the coming years. Instead of it going into the CESG pit, it would be better spent in testing specific commercial products that claim to identify and/or defend against advanced cyber-threats. A range of potential solutions would all be subjected to advanced cyber-attacks carried out on a sample of CNI company networks. Those demonstrating their ability to perform would then be available for deployment across the CNI sector and supply chains. 

What do we do about SCADA vulnerabilities?

First, let's understand the problem. Over many years now, organisations have sought to connect their SCADA systems to the network to improve control and/or reporting. SCADA systems are often in remote, unmanned facilities, so connection to the corporate network brings huge cost savings. These facilities will also often have CCTV and other IP-based physical security devices, and this IP-enablement has significantly compromised their security. The drive to reduce costs and increase efficiency has reduced security. SCADA has been a specialist area in the past, but as developers strive for standards the technology will become, and indeed has become, more mainstream.

Industry needs to wake up to the huge potential risk insecure SCADA systems represent given that IP-based control connectivity with SCADA systems is here to stay.

Management needs to be educated about the risks. For example, driverless mining trucks are fantastic in remote mines, but what happens when the technology is used close to conurbations?

Security costs should be incorporated into the business case for SCADA systems.

Regular real-world 'Red Teaming' or advanced cyber-attacks have to be undertaken to battle-test networks, particularly those with links into SCADA systems. The resulting report should be filed (securely) with a Government agency, and the issues arising from such tests investigated and resolved within a defined timescale.

SCADA and IoT developers need to have security built into their solutions from the ground up. Security can't be an afterthought, it has to be integral. CNI companies investing in such technology have a duty to push vendors to develop secure solutions.

Networks should always be monitored 24/7 for the early identification of security incidents, but I suggest this is critical where there are connections to SCADA-based systems.
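As an added example (not from the article or from Encode Group), a small Python check of the kind a 24/7 monitoring function could run over firewall flow logs to pick out traffic crossing from the corporate network into a SCADA segment. The log format, the subnets, the allowlisted engineering workstation and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed flow-log sample (assumed format: timestamp src dst dport proto action).
SAMPLE_FLOWS = """\
2016-03-01T02:14:07Z 10.20.5.31 192.168.100.10 502 tcp allow
2016-03-01T02:14:09Z 10.20.5.31 192.168.100.11 502 tcp allow
2016-03-01T02:15:40Z 10.20.9.77 192.168.100.10 502 tcp allow
2016-03-01T02:16:02Z 203.0.113.45 192.168.100.20 554 tcp allow
2016-03-01T02:16:30Z 192.168.100.10 192.168.100.11 20000 tcp allow
2016-03-01T02:17:11Z 10.20.9.77 192.168.100.12 22 tcp deny
"""

# Assumed network layout for the example.
OT_SEGMENT = ipaddress.ip_network("192.168.100.0/24")       # PLCs, RTUs, IP cameras
CORPORATE_SEGMENT = ipaddress.ip_network("10.20.0.0/16")    # office/IT network
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.5.31")}     # allowlisted engineering workstation
OT_SERVICES = {502: "modbus", 20000: "dnp3", 554: "rtsp-cctv"}

Alert = namedtuple("Alert", "ts src dst service reason")

def parse_flow(line):
    ts, src, dst, dport, proto, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, action

def audit_ot_boundary(log_text):
    """Return one Alert per flow entering the OT segment from a host that has no
    business there; allowed traffic from the engineering allowlist is ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, action = parse_flow(line)
        if dst not in OT_SEGMENT or src in OT_SEGMENT:
            continue                      # only inbound crossings of the IT/OT boundary
        if src in ENGINEERING_HOSTS and action == "allow":
            continue
        service = OT_SERVICES.get(dport, f"tcp/{dport}")
        if action != "allow":
            reason = "blocked attempt into OT segment"
        elif src in CORPORATE_SEGMENT:
            reason = "corporate host reaching OT segment"
        else:
            reason = "external address reaching OT segment"
        alerts.append(Alert(ts, str(src), str(dst), service, reason))
    return alerts

if __name__ == "__main__":
    for alert in audit_ot_boundary(SAMPLE_FLOWS):
        print(alert)
```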

So, what happens during a cyber-attack on physical controls?

With the increasing convergence of cyber and physical security, physical controls are now significantly at risk from cyber-attacks. Increasingly I believe we will see cyber-attacks as a precursor to physical attacks, no matter which group instigates the attack. Cyber-attacks can deliver significant information and render physical controls either depleted or simply ineffectual.

Conversely, as the physical world increasingly becomes IP enabled it can provide a backdoor for cyber-attacks; take the attack on US store Target as an example; this was mounted via Target's HVAC provider.

Through our own work on advanced cyber battle-testing we know just how easy it is to access CCTV during an attack. This is extremely useful to terrorists planning physical attacks, as it provides internal views of plants, etc., guarding patterns, or the ability to substitute pre-recorded footage. IP-based physical access systems can be overridden. Details of physical controls, plans and drawings are likely to be held on IP-based networks, all accessible to cyber-attackers, putting physical controls at risk.

The march towards IoT will simply exacerbate these issues, as more and more everyday items are IP-enabled.

What are the particular issues faced by utilities?

A significant installed base of, in many cases, insecure SCADA systems makes utilities first-in-line targets for attack by cyber weapons. The fact that they are a central part of a nation's critical national infrastructure makes them a key target. Their distributed, diverse and connected networks are complex and thus very difficult to monitor. Their threat landscape is large and varied: they are vulnerable to malware, insider attacks (whether from a disgruntled employee or a plant), external hackers (guns for hire or someone with a grudge), terrorists wanting to cause disruption or, worse still, actual harm to the populace, and finally nefarious nation states or wartime enemies.

CNI organisations are interrelated. For example, without transport, employees would not be able to get to hospitals. Without electricity, water, health, finance, etc. would not function for long. Without telephones, other CNI organisations would find it difficult to operate. So an attack on one can have a domino effect throughout the entire CNI; yet there is little information sharing when it comes to cyber-security. The interlinkage doesn't stop with the CNI organisations themselves: almost all have long supply chains with varying degrees of access to the CNI's network. How well are these protected from becoming the soft underbelly?

High-profile developments, for example a nuclear power station, a dam or a sewage works, can provoke unhappy neighbours into cyber-sabotage. Detailed plans for such projects have to be filed, and these are often a matter of public record.

As we have seen in recent months, ransomware has become endemic throughout the financial sector and this is likely to become a greater issue amongst other CNI organisations.

Finally, can we really leave the security of the nation solely to the internal machinations of hundreds of organisations that make up the CNI? Surely, such a critical requirement as cyber-security within the CNI should be in some way managed and/or controlled by government?

How are the risk factors sector-specific?

Take the finance sector, for example: it is more likely to be at risk of criminal attacks looking to steal money, although equally, the sector is part of our CNI and so could be subject to terrorist attacks looking to destabilise the country's financial institutions. On the other hand, an attack on a water utility is more likely to be aimed at causing damage, or perhaps to come from a criminal gang looking to hold the organisation to ransom.

There are also stark differences between food companies with a network of suppliers from around the world and a network of manufacturing plants to the NHS or an electricity generator. Although most are prone to the same attackers, their threat landscape, how they are attacked and how they need to defend themselves may differ considerably.

Take, for example, the potential security threat posed by smart meters, which really only affects the utility companies. Similarly, the NHS has huge databases of detailed information on patients that other CNI organisations simply don't have to deal with. The NHS also has a vast number of consultants, etc., who are not actual employees.

Discover unforeseen problems that don't appear in theoretical approaches

It is essential for organisations to undertake 'Red Teaming' or advanced cyber-attacks, to obtain actual data on their ability to detect and defend against such attacks. Our experience over some 10 years has been that very few, if any, organisations are able to detect advanced attacks, let alone defend themselves (if you can't see such an attack, you can't defend yourself). This is a critical issue and one that demands attention. Although boards are far more security savvy, they either don't realise the criticality of the issue or choose to accept the risk. Either way, this poses a huge risk to UK Plc and one that could be avoided.

Have AntiVirus, Anti-Malware, Endpoint security reached their end?

I certainly believe that signature-based solutions have reached their end of life, for a number of reasons:

1. The sheer number of viruses and other associated malware.

2. The multitude of versions of each.

3. The sheer size of the historical database of viruses and malware.

4. The infrastructure required to disassemble the viruses and write signatures to detect and clean up each one.

5. The number of new viruses detected per year has been growing exponentially. In 2015, Kaspersky states that it “detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.” It's commonly believed that around a million new viruses are created every single day.

6. Increasingly, viruses are created for specific or single attacks and are never seen again. These are unlikely to be detected by signature-based products. Furthermore, there is little point in building signatures for them once detected.

7. There are some very interesting non-signature-based solutions that will eventually render existing signature-based solutions redundant.
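To make points 2 and 6 concrete, here is an added Python illustration (not from the article or from any vendor) of why a hash signature database cannot keep up with repacked variants, next to a simple behaviour-based check that does not care about the hash. The sample "executables" are constructed byte strings that merely spell out the behaviours a sample exhibits, and the behaviour traits are assumptions chosen for the example.

```python
import hashlib
import random

# Constructed stand-ins for file contents (not real malware): each field names
# a behaviour the sample performs, so the example runs offline.
BASE_SAMPLE = b"MZ|beacon c2.example.invalid:443|drop %TEMP%\\svc.exe|persist HKCU Run key"
BENIGN_SAMPLE = b"MZ|write readme.txt|show licence|exit"
BEHAVIOUR_TRAITS = [b"beacon ", b"drop %TEMP%", b"persist HKCU"]   # assumed heuristics

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_variants(base, count, seed):
    """Repack the same payload with different junk padding each time: identical
    behaviour, a different hash for every copy (the article's points 2 and 6)."""
    rng = random.Random(seed)
    return [base + b"|pad:" + bytes(rng.randrange(256) for _ in range(8))
            for _ in range(count)]

def signature_detect(data, signature_db):
    # One exact hash per known sample, the signature-only model.
    return sha256(data) in signature_db

def behaviour_detect(data, threshold=2):
    # Flag a sample that shows at least `threshold` of the assumed traits.
    return sum(trait in data for trait in BEHAVIOUR_TRAITS) >= threshold

def coverage(samples, detector):
    return sum(1 for s in samples if detector(s)) / len(samples)

def compare(n_variants=1000):
    """Signatures exist only for samples already analysed (seed 1); the next
    wave of repacked variants (seed 2) has never been seen."""
    seen = make_variants(BASE_SAMPLE, n_variants, seed=1)
    unseen = make_variants(BASE_SAMPLE, n_variants, seed=2)
    signature_db = {sha256(s) for s in seen}
    return {
        "signature_db_entries": len(signature_db),
        "signature_hit_rate_seen": coverage(seen, lambda s: signature_detect(s, signature_db)),
        "signature_hit_rate_unseen": coverage(unseen, lambda s: signature_detect(s, signature_db)),
        "behaviour_hit_rate_unseen": coverage(unseen, behaviour_detect),
        "behaviour_flags_benign": behaviour_detect(BENIGN_SAMPLE),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The database grows by one entry per variant while detecting none of the next wave; the behaviour check catches every variant without a new entry and leaves the benign sample alone.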

To know your susceptibility to attack – organise your own attack and see how prepared your defence actually is, then implement the lessons learned.

Contributed by Graham Mann, managing director, Encode Group UK