Making risk assessment less risky for critical infrastructure


It is the calm before the cyber storm. Over the past several years, critical infrastructure cybersecurity has become a top-of-mind concern for utility managers and for governments alike. Ever since the Stuxnet malware damaged Iranian uranium enrichment facilities, security experts around the world have been waiting with bated breath for “the big one” - a cyberattack so damaging it cripples the power grid or causes serious environmental damage or public safety risks.

Such an attack is not a matter of if, but when. While utilities are more focused than ever on cybersecurity, assessing attack risks has led to wildly different outcomes, which do not necessarily result in stronger protections. Where does this discrepancy come from?

When it comes to cyber risk assessment, there are essentially two basic camps: those who make decisions based on the likelihood of attack and those who make decisions based on the strength of our adversaries. Let us start with the former, which is called an actuarial approach to risk assessment. Some utilities apply to cyber risks the same logic they apply to other risks, such as earthquakes or equipment failures, a logic that urges them to consider the probability of an attack and the financial damage it will cause.

Utilities often ask, “How many times has a cyberattack crippled a European power grid?” The answer is zero, so far, which suggests that the likelihood of a crippling future attack is very low.

The actuarial approach to cybersecurity is not entirely mistaken - conventional IT-style cyber protections, such as firewalls, anti-virus systems and security update programs, do a fair job of keeping common malware and botnets at bay. In spite of these protections, common malware infections still constitute a large fraction of control system cybersecurity events.

To high-level observers, such events have the appearance of a random process, which can be modelled actuarially. Utilities using a primarily actuarial approach to risk assessment invest minimally in industrial cybersecurity mitigations and purchase insurance to cover any expenses as a result of attack.

The problem with an actuarial approach to risk assessment is that targeted cyberattacks are not random, like earthquakes and equipment failures. They are human-caused, carefully planned and carried out with near surgical precision. The fact that a major attack has yet to occur is moot; attack capabilities are becoming more sophisticated every day.

Standard targeted attack techniques are taught in all intermediate security training programs. Anyone with an intermediate level of security training knows how to reliably defeat firewalls, anti-virus systems, security updates and other IT-focused protections. For example, one utility we spoke with in the field hired a penetration tester who ended up breaking through their standards-compliant operations firewall and other protections in mere minutes.

Thus far, targeted attacks “in the wild” have been used primarily to steal information, but could be used just as easily to sabotage utility operations, protection systems and safety systems. For targeted attacks, insurance is the wrong answer. When a successful attack takes place, the public will not care if the utility saved money.

They will want to know why the attack was allowed to happen in the first place. Even more daunting is the expected round-the-clock media coverage and likelihood that the government will have questions of its own.

This brings us back to the second risk assessment camp, which is called a capabilities-based approach. These utilities take a more holistic view of cybersecurity, measuring our defensive capabilities against our adversaries’ offensive capabilities instead of looking only at incident rates.

If our defenses are not at least as sophisticated as our attackers’ capabilities, our defenses will eventually be compromised. The key here is not IT-style protections for confidential data, but rather ensuring the safety and reliability of critical control systems.

Utilities we have encountered that take a capabilities-based approach to strong cybersecurity have most, if not all, of the following traits:

  • An involved executive team that is committed to developing and funding strong cybersecurity initiatives, and motivates teams
  • Hardened physical security perimeters that incorporate strong physical access controls
  • Hardened cybersecurity perimeters using hardware-enforced unidirectional security gateway technology that lets critical data flow out of protected networks without any risk of a network attack getting back in
  • A resilience program that has been developed, tested and practiced to enable utilities to recover quickly from attacks and outages, and goes beyond basic standby systems and backups. What happens if the backup is contaminated? What if device firmware has been erased? How do we prevent an attack on the main network from impacting safety systems and protection systems?
  • A culture of security developed in all employees that teaches them to be deeply suspicious of everyone and everything coming past the physical and cybersecurity perimeters. While we may trust a colleague or vendor, should we trust what is on his or her USB stick? Or their laptop which is being connected to the control system network?

A majority of critical infrastructures worldwide have a cybersecurity problem. There is still time to change course and invest in stronger physical security and cybersecurity measures, but that window is closing. It is only a matter of time before we see the first major attack, but no one can definitively say when or how.

What we do know is that our enemies’ attacks are steadily becoming more sophisticated, and we cannot continue relying on outdated technologies like firewalls to secure safety-critical and reliability-critical systems. What it boils down to is asking the right questions to get the right answers. Asking how many times we have been attacked in the past is really asking how our enemies have been motivated to attack us - to sabotage operations, or only to steal data?

Should we be defending against our enemies’ motives, or their capabilities? We need to accurately assess both our defensive capabilities and what are now widely available attack capabilities, and invest in defenses capable of standing up to modern attacks.

Posted by Andrew Ginter, vice president of Industrial Security at Waterfall Security

Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cyber-security products.
