17 February 2016

Protecting Critical Infrastructure

RHEA SIERS
FEBRUARY 14, 2016 

Industrial control systems are a profoundly important part of the critical infrastructure of the United States, but they are also increasingly vulnerable to cyber-attacks. The Cipher Brief spoke to former National Security Agency official Rhea Siers about the growing threat to these systems. Siers says the U.S. is getting better at protecting these systems, but there are still a number of vulnerabilities that need to be addressed.

The Cipher Brief: Some of our readers may not be familiar with industrial control systems (ICS), could you briefly explain what they are and why they are important?

Rhea Siers: ICS is the technology that monitors and maintains industrial processes from the power grid to manufacturing to nuclear power. It includes computers and cyber technologies that keep things running, including parts of our critical infrastructure. The cyber threat to ICS could cause tremendous harm; consider the consequences if dam controls or utility operations are disabled or disrupted by a hostile actor. In this context, you may also hear the term SCADA (supervisory control and data acquisition), which is an industrial control system that figures prominently in everything from manufacturing to water treatment plants to electrical power.

TCB: A malware program called BlackEnergy that targets industrial control systems has been in the news recently for being used to disable a power grid in Ukraine. How vulnerable are industrial control systems to cyber-attacks? Could bad actors disable critical infrastructure in the U.S. using malware, as happened in Ukraine?

RS: We already know that ICS intrusions have been increasing; just last month, the US government noted its concern about the increase in penetrations, warning that connectivity to the Internet is exposing these systems. The fear is that critical infrastructure, especially SCADA systems, could be targeted in the U.S. and elsewhere. 

The Ukraine attack resulting from BlackEnergy underlines the problem experts have noted repeatedly: utility and other systems were not built to deal with external connectivity, and protections are missing from some systems. According to several news sources, however, the Ukrainian facilities were NOT following their own protocols about connectivity to the Internet, thus exposing their systems to attack.

In 2014, DHS warned about the presence of BlackEnergy malware on several US commercial entities, but there was no evidence that disruption or damage occurred. So there is always the threat—the question is whether capable actors are interested in actually carrying out a disruption or attack.

TCB: Are states the only actors capable of launching a cyber-attack against industrial control systems, or could cyber-criminals or hacktivists do so as well? What factors would determine whether a bad actor was capable of launching such an attack?

RS: This is not just an issue of capability but also of intent. Under the right circumstances and with the right technical acumen and resources, non-state actors could be capable of launching an attack. But the necessary intent and objectives need to be there. And we need to remember that some non-state cyber actors are surrogates for state actors, thus confusing clear attribution. In the Ukraine attack, which some have called the first takedown of a utility by "hacktivists," the "Sandworm Gang" has been tagged as responsible. Many believe Sandworm has close connections to Russia, and certainly their array of targets—NATO, Ukraine, and Poland—lends support to that theory. In terms of cyber criminals, for them to devote the resources to a disruption, their objective would be monetary, so ransom or extortion would have to be the catalyst.

A great example of how attacks can be confused and inflated is the recent so-called attack on "the Israeli electrical company" at the end of January 2016. The attack was announced by Israel's Minister for Energy at the recent Cybertech Conference in Tel Aviv, generating headlines and considerable concern. It turns out that the "attack" was a successful phishing attempt against the Israeli Electronic Authority (a regulatory body) and was actually an installation of ransomware on their system. Israeli utilities were not affected, but the Israeli government has been very concerned about the possibility of attack by other states or non-state actors and has already adopted a stringent regulatory framework for critical infrastructure.

TCB: What can be done to better protect industrial control systems? How can the government and industry work together to keep these control systems safe?

RS: Not all companies are equal in terms of their ICS and ability to afford and deploy cyber prevention and defense. The issue is the enforcement and support of standards for these vulnerable industries by the U.S. government. The information-sharing piece is progressing, but what happens to the small utility with limited resources? This is especially worrisome since these small utilities are often interconnected with larger utilities, which may leave significant parts of the U.S. electric grid vulnerable. Some argue that we need a unique U.S. ICS security system because the traditional "air gap solution," which isolates the secure ICS from the Internet, was defeated by Stuxnet. Meanwhile, the National Institute of Standards and Technology (NIST) continues its work on new standards for "smart grids." For the cyber world, both public and private, all of this is still a work in progress.

Rhea Siers is the Scholar In Residence at the George Washington University Center for Cyber and Homeland Security and is co-author of Cyberwarfare: Understanding the Law, Policy and Technology (Thomson Reuters). She worked in the Intelligence Community for 30 years, and served as the Deputy Associate Director for Policy at the National Security Agency.