Recently, Vergle Gipson, Senior Advisor for the Cybercore Integration Center at Idaho National Laboratory, testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation. His conclusion was that operational technology systems in the U.S. are more vulnerable to malicious cyberattacks than information technology. This statement is especially alarming as much of the world’s critical infrastructure has been the target of cybersecurity attacks.
On a global scale, there have been numerous attempted cyberattacks on grids and utilities, many via phishing and ransomware, and some have been successful. The World Economic Forum’s Global Risks Report listed cyberattacks on critical infrastructure (CI) as a top concern. WEF noted that “attacks on critical infrastructure have become the new normal across sectors such as energy, healthcare, and transportation.” (Source: The Global Risks Report 2020, World Economic Forum, weforum.org)
The Threat To Critical Infrastructure and Especially Energy
The energy sector stands out as particularly vulnerable among critical infrastructures. The energy ecosystem includes power plants, utilities, nuclear plants, and the grid. Protecting critical Industrial Control Systems (ICS), Operational Technology (OT), and IT systems from cybersecurity threats is a difficult endeavor: each has its own operational framework and access points, and all of them mix legacy systems with emerging technologies.
A Ponemon report disclosed that three-quarters of energy companies and utilities have experienced at least one recent data breach. The growing sophistication of attackers is a factor. One reason the energy sector has become more vulnerable is that attackers have gained a deeper knowledge of control systems and of converged OT and IT architectures, including how they can be attacked, and can employ weaponized malware against power stations and other energy-related assets.
The National Security Agency (NSA) recently released a Cybersecurity Advisory on this exact issue of integration and connectivity of OT and IT systems. The advisory details “how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. Information technology (IT) exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.”
“Each IT-OT connection increases the potential attack surface. To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible. An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure.”
“NSA recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission critical, as appropriate to their unique needs. For IT-OT connections deemed necessary, steps should be taken to mitigate risks of IT-OT exploitation pathways. Mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.” (Source: NSA, “NSA releases Cybersecurity Advisory on Ensuring Security of Operational Technology”)
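One way to operationalize the advisory’s “fully managing all IT-OT connections” and “logging all access attempts” guidance is to audit the boundary gateway’s connection log against an explicit allowlist of approved flows and flag cleartext remote-access services. The following Python is an added example, not code from the NSA or from this article; the address ranges, the approved-flow list, the log line format and the rule that OT hosts must not initiate connections toward IT are all assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed boundary policy for an IT-OT gateway (illustrative ranges and flows, not advisory values).
IT_NET = ipaddress.ip_network("10.1.0.0/16")
OT_NET = ipaddress.ip_network("10.9.0.0/16")
# Every permitted IT->OT connection is enumerated: (src, dst, dst port, proto).
ALLOWED_FLOWS = {
    ("10.1.5.20", "10.9.0.10", 22, "tcp"),   # jump host -> engineering station, SSH
    ("10.1.5.20", "10.9.0.50", 443, "tcp"),  # jump host -> historian, HTTPS
}
# Cleartext remote-access services cannot satisfy "cryptographically protecting remote access".
CLEARTEXT_REMOTE_ACCESS = {21: "ftp", 23: "telnet", 5900: "vnc"}

LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

def classify(src, dst, dport, proto):
    """Return a finding for one boundary-crossing flow, or None if acceptable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not ((s in IT_NET and d in OT_NET) or (s in OT_NET and d in IT_NET)):
        return None  # intra-zone traffic is out of scope for this check
    if s in OT_NET:  # assumed policy: only the IT side may initiate connections
        return "OT-initiated connection toward IT (policy expects IT-side initiation)"
    if dport in CLEARTEXT_REMOTE_ACCESS:
        return f"cleartext remote access ({CLEARTEXT_REMOTE_ACCESS[dport]}) into OT"
    if (src, dst, dport, proto) not in ALLOWED_FLOWS:
        return "IT->OT connection not on the approved list"
    return None

def audit(log_lines):
    """Parse gateway log lines; return (timestamp, src, dst, finding) tuples."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped rather than trusted
        verdict = classify(m["src"], m["dst"], int(m["dport"]), m["proto"])
        if verdict:
            findings.append((m["ts"], m["src"], m["dst"], verdict))
    return findings

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.1.5.20 dst=10.9.0.10 dport=22 proto=tcp",   # approved
    "2024-05-01T10:00:07Z src=10.1.7.33 dst=10.9.0.10 dport=22 proto=tcp",   # unlisted host
    "2024-05-01T10:00:09Z src=10.1.5.20 dst=10.9.0.60 dport=23 proto=tcp",   # telnet into OT
    "2024-05-01T10:00:15Z src=10.9.0.10 dst=10.1.5.20 dport=445 proto=tcp",  # OT reaching back
    "2024-05-01T10:00:20Z src=10.1.2.2 dst=10.1.2.3 dport=80 proto=tcp",     # intra-IT, ignored
]
```

Calling `audit(SAMPLE_LOG)` returns three findings (the unlisted host, the telnet session, and the OT-initiated flow); the approved SSH session and the intra-IT flow produce none.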
There is only one surefire way to mitigate hardware risk: comprehensive penetration testing. Testing identifies vulnerabilities and allows operators to understand the cyber risks in the critical infrastructure environment.
A Case In Point: Validating Hardware Cybersecurity on KVM Devices Connected to Critical Infrastructure
To ensure safety under the growing threat landscape, hardware-implemented cybersecurity is necessary in critical infrastructure OT. The best way to find out whether OT is secure is penetration testing. Recently, the Israel Electric Corporation (IEC) initiated penetration testing of its potential vendors to see how well protected their products are from breaches.
As the largest supplier of electrical power in Israel, which builds, maintains, and operates power generation stations, substations, and transmission and distribution networks, IEC cannot afford to deploy security technologies that do not meet the specifications for its missions. This is especially important since Israel’s critical infrastructure is subjected to sophisticated attacks every day, and vulnerabilities in hardware products attached to critical infrastructure could pose a significant threat if discovered and exploited by adversaries.
IEC conducted penetration tests on secured KVMs it had purchased from one of Israel’s two manufacturers of secured KVMs, whose products are in use in the American security market. To IEC’s surprise, the vendor, which had claimed its secured KVMs were impenetrable, failed a test of whether the KVM’s data path is unidirectional or bidirectional. The KVMs also failed a test using a compromised cable and failed to stop an attack on the KVM’s drivers. The major result is that attackers can easily bypass operating system drivers and breach the OT networks. The vendor was given a second chance to have its KVM device evaluated after it failed, but the device still did not pass the security requirements.
At IEC’s request, Fibernet, the other Israeli manufacturer of secured KVMs, offered its devices for testing. They passed because they do in fact implement the hardware-based cybersecurity that is indispensable for protecting OT and SCADA systems.
Fibernet, an Israeli developer and manufacturer of fiber optics, secure AV, and data center solutions, is well known in both the data center and cybersecurity verticals; its prominent customers include the European Laboratory for Particle Physics (CERN), the IDF, and the Israeli government.
Physical security due diligence is a necessary step in how critical infrastructure is configured and protected, and especially in deciding which hardware devices are connected to its networks. An unauthorized or negligently networked device provides an easy means for economic espionage and an avenue for attackers to exfiltrate data.
The potential misrepresentation by a vendor to the Israel Electric Corporation is a wake-up call for every global operator involved in OT and SCADA security who relies on vendors for truthful statements about the capabilities and performance attributes of their cybersecurity solutions. For critical infrastructure and OT and SCADA operations, this is a case of cybersecurity caveat emptor (buyer beware) that requires strong penetration testing and examination of all vendors before devices are procured.