More than eight years since Stuxnet, fears persist that a cyber attack on the U.S. energy sector could be devastating.
Friday, November 9, 2018
By Jim Romeo
In 2010, computer malware known as Stuxnet was discovered in Iran's nuclear program. It used a nuclear facility's supervisory controls and data acquisition (SCADA) as its gateway of entry. The “zero day” attack (so called because of when the vulnerability is discovered), disabled some 20% of Iran's nuclear centrifuges and an estimated 200,000 computers and 1,000 machines associated with the operation.
Stuxnet lingers as a concern to many who believe that U.S. infrastructure is highly vulnerable to a zero day attack that could paralyze industrial operations, health care networks and financial institutions as well as energy facilities.
Stuxnet is generally believed to have been “a targeted attack by the American and Israeli governments on an Iranian nuclear facility,” says Rob Cheng, CEO of computer security company PC Pitstop, creator of the PC Matic antivirus software. “The question is whether the tables can be turned and a similar attack perpetrated against U.S. infrastructure. A successful targeted attack would be more difficult now than 10 years ago.”
The U.S. is heavily dependent on critical infrastructure. What happened in Iran could occur anywhere in the world, and a hit on the U.S. energy grid could be devastating.
As a target, the energy industry is wide and deep and spans from drilling and extraction to processing and refinery sites and beyond through an extended supply chain. Terminals, pipelines, refineries as well as transportation hubs are at risk of potentially dire consequences.
Joseph Campbell of Navigant Consulting's Global Investigations and Compliance practice notes that the U.S. government issued a warning last year about hackers targeting the energy sector.
“The risk of cyber penetration of energy facilities, or any facility that is involved in manufacture or manipulation of hazardous or sensitive materials, and then the ability to interfere in the safe processes of those facilities, could have catastrophic consequences,” says Campbell. who worked more than 25 years for the FBI and was assistant director of its Criminal Investigative Division. “We have already seen the devastation that can occur from accidents at energy plants and energy processing and oil exploration facilities such as the Deepwater Horizon.
“Industry wants to ensure that its ICS [industrial control systems] cannot be exploited through cyber penetration in a manner that could intentionally cause such an event. Protection of the facility's ICS through monitoring of the IT system on the front end, and being prepared to promptly identify and mitigate after a cyber penetration, could save a small event from becoming something of much more significance, with possible loss of life and environmental-endangering consequences.”
There is concern about energy-industry preparedness relative to other sectors. Karl Steinkamp, product director of Colorado-based cybersecurity advisory company Coalfire, points out that in SecurityScorecard's 2017 Government Cybersecurity Report Card, the energy sector lagged in most security categories.
“Part of this is a result of the ICS technologies, while part is a result of weaknesses in people and/or cybersecurity processes,” Steinkamp explains. “For business reasons, most manufacturers do not invest heavily in security access controls. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply-chain processes.”
IIOT and IT/OT
Production lines in the energy industry are rife with Internet-of-Things (IoT) devices that proliferated faster than security measures began to be built in.
Chris Morales, head of security analytics at Vectra, a San Jose, California-based provider of automated threat management solutions, says that network visibility and real-time monitoring of interconnected devices is essential to early detection of attacks in industrial infrastructure. But he is quick to point out that such visibility can be a double-edged sword.
“Manually monitoring network devices and system administrators creates a challenge for resource-constrained organizations that cannot hire large security teams,” he says. “Numerous security analysts are needed to perform the manual analysis required in identifying attacks or unapproved behaviors in large, automated networks that have IIoT [industrial Internet of Things] and IT/OT [information technology/operational technology] devices.”
John Pearce, cyber risk principal with Grant Thornton in Washington, D.C., also sees the risk of a cyber attack growing in parallel to the IT/OT convergence. Such convergence has continued to expand the attack surface for critical infrastructure.
The industrial Internet of Things “introduces unique and unseen vulnerabilities that are exploited by advanced attackers for intellectual property theft and physical destruction,” Pearce says. “This is problematic for anyone who wants to make full use of IoT, but also requires a high level of security.
“Because threat actors are increasingly sophisticated and well organized,” he continues, “our critical-infrastructure ecosystem needs to be able to defend against attacks while actively identifying that an attack is occurring. Many systems may provide passive security; however, the new threat landscape demands that our security must be able to respond to active threats, as well as see across the entire critical infrastructure environment for trends.”
According to Vectra's Morales, cybersecurity is an ongoing exercise in operational efficiency, particularly for the energy industry and given organizations' limited resources to counter attackers who are not similarly constrained.
“Network security must always be evaluated in terms of efficiency as well as its impact on the operational fitness of the organization,” Morales notes. “At the same time, there is a global shortage of highly skilled cybersecurity professionals to handle detection and response at any reasonable speed.”
In light of the cyber risk to critical infrastructure, what are the prudent decisions available to risk managers and their security colleagues?
Al Martinez, a senior advisor for Fusion Risk Management in Chicago, says everyone has to assume they will be hit by a data breach. He recommends scenario planning, taking into account human impact, so that at the time of crisis, data is available to assist in critical decision-making.
“The first step is to establish a baseline program and understand the areas of highest risk,” says Martinez. “A risk, threat, and priority view should be used to apply the mitigation and treatments as appropriate.
“From a technical perspective, the need to secure the entry points to your systems remains, with the assumption a breach is possible. Technology should be deployed to mine for the existence of a perpetrator. In most cases, the hacker is in the systems weeks or months before being detected. Focusing only on access control is insufficient.”
Duncan Greatwood, CEO of IIoT security company Xage Security in Palo Alto, California, advises that “distributed, autonomous, any-to-any, edge-heavy networks” be secured and employ a system of central policy definition with decentralized security enforcement.
“Decentralization enables system operators to cover large areas, including hundreds of thousands of controllers, sensors, and meters, while facilitating secure addition, removal, and control of resources,” Greatwood says. “In multi-vendor and multi-application IoT networks, decentralization allows smart devices within utility, energy, manufacturing, or other systems employing a wide variety of devices, sensors and assets, to communicate securely.”
Greatwood adds that by utilizing a distributed security system, businesses can underpin continuous edge-computing operations, even in the face of irregular connectivity. By providing a communication fabric that integrates security within the devices and applications themselves, industrial control systems can be efficiently deployed in a way that enhances security with every device added to the network.
Greatwood maintains that a decentralized blockchain, or distributed ledger technology, system “can ensure data integrity and fully tamper-proof IIoT devices. Building on an immutable ledger based on consensus, blockchain's structure creates a more secure operation as more smart devices are added - a perfect fit for large industrial operations.”
Technology and the Human Dimension
Blockchain and associated technologies will grow in importance as more funding becomes available for advanced approaches to cybersecurity. The U.S. Department of Energy recently announced awards of up to $28 million to support research, development, and demonstration (RD&D) of next-generation tools and technologies to improve the cybersecurity and resilience of the critical energy infrastructure.
Still, risk mitigation begins with people.
“Security technology is getting better, but people are not,” says Jason McNew, founder and CEO of Stronghold Cyber Security in Gettysburg, Pennsylvania. “Attackers know this and take advantage via social engineering.” In a test at a financial institution using social engineering, “we tricked 20% of the staff (including the CFO) into giving us their passwords. We were not able to penetrate their firewalls, however.”
The energy sector could learn from the financial industry's experience facing advanced persistent threats, with both technology and information-sharing mechanisms.
“Private financial institutions are light years ahead of the industrial sector in terms of cybersecurity,” says Matt Kozloski, vice president of professional services at Kelser Corp., a cybersecurity-as-a-service provider in Glastonbury, Connecticut.
He points to National Institute of Standards and Technology (NIST) Special Publication 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations - as designed to bring the industrial supply chain up to the level of the financial sector. “Financial firms tend to have dedicated cybersecurity staff and highly up-to-date systems in place, which isn't always the case across the industrial space,” Kozloski says. “We are much more likely to see a major cyber attack on an industrial facility than a financial institution in the next few years.”
Critical Infrastructure in a Fragile Environment
“Even though Stuxnet was more than eight years ago, we see the risk of industrial cyber attacks continuing to grow,” says Pearce of Grant Thornton. “The main driver for this growth is nation-states, as well as other threat actors, continuing to focus on how to leverage the cyber domain for geopolitical and criminal purposes.”
Pearce notes that the U.S. Computer Emergency Readiness Team (US-CERT) a few months ago issued an alert on cyber activity targeting the energy sector. “Even with enhanced recommended standards, public-private partnerships, as well as attention on protecting critical infrastructure against cyber attacks, threat actors will continue to take advantage of the cyber domain to effect asymmetric impact to critical infrastructure,” he says.
Attacks on critical infrastructure could affect the lives of everyday citizens. Department of Homeland Security Secretary Kirstjen Nielsen made that point in her National Cybersecurity Summit keynote speech in July:
“We are facing an urgent, evolving crisis in cyberspace . . . Indeed, most Americans go about their daily lives without fear of personal injury or harm from our adversaries. But our digital lives are now in danger every single day. And these virtual threats can have very real-world consequences. When the bad guys can remotely turn off the lights, steal money from your bank account, and shut down emergency services, the impacts go far beyond our smartphone screens.”
Jim Romeo (www.JimRomeo.net) is a journalist focused on business and technology topics.