Is your transport infrastructure truly secure? Successful cyberattacks against Supervisory Control and Data Acquisition (SCADA) and other process control systems at airports, nuclear and petroleum production plants, power generation stations, water treatment facilities, mass-transit systems and other critical infrastructure systems have increased significantly.
SCADA networks contain computers and applications that perform key functions in providing essential services and commodities to all Americans. Given the sensitive nature of what they protect, SCADA and Distributed Control Systems (DCS) are attractive targets for hackers and terrorists.
Even though cybersecurity has vaulted to the forefront of concerns for many businesses, fewer than a third say they're prepared to meet an attack, according to an industry report from consulting firm Black & Veatch titled "2014 Strategic Directions: US." Furthermore, only 32 percent of electric utilities surveyed for the report had integrated security systems with the "proper segmentation, monitoring and redundancies."
In 2013, a hacker compromised a US Army Corps of Engineers database that held sensitive information about vulnerabilities in US dams. In 2014, an internal investigation reported that Nuclear Regulatory Commission (NRC) computers had been successfully hacked twice by foreign actors, and once by an unidentifiable individual, within the previous three years.
Mass-transit systems and airports, rather than the airplanes themselves, are among the most vulnerable points of attack.
Countering the increasingly dangerous cyber threats to the nation’s critical infrastructure will, however, require breaking down a number of growing misconceptions about SCADA systems, which can create a false sense of security.
Myth: Most SCADA systems are not connected to the Internet, so they’re secure
Surveys of control networks have found an average of eleven connections to outside networks per system: corporate intranets, direct Internet links, wireless links, dial-up modems and Internet of Things (IoT) devices. Operators who believe their system is isolated usually know about only a few of them. Unmanaged connections of this kind, combined with a lack of 24/7 monitoring, are a recipe for disaster.
As an example, in 2003 the Davis-Besse nuclear power plant's process computers and safety parameter display system were infected by the Slammer worm over a contractor's T1 line, leaving the plant's safety monitoring capability offline for about five hours. In another example, a water treatment plant in Harrisburg, PA was compromised remotely through an infected employee laptop: the attacker used the worker's remote access to install malware and spyware on plant systems.
Even if your SCADA network is completely walled off from the Internet, with private physical links or satellite connectivity, it is still exposed. Laptops, removable media and vendor remote access all cross that wall, as the Harrisburg case shows.
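The practical first step against this myth is to measure the connections rather than assume them. The script below is an added example, not code from the original article or from Mosaic451: it takes a flow export from the control network's switch or firewall and lists every flow that crosses the control network boundary, separating peers on an explicit allow-list (here a historian DMZ) from corporate-LAN peers and from addresses outside the organization altogether. The subnets and the flow records are constructed for illustration.

```python
"""Audit flow records for connections that cross the control network boundary.

Added example; the network plan and the flow export below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed network plan (assumption): the control network, the peers it is
# allowed to talk to (a historian DMZ), and the corporate address space.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = [ipaddress.ip_network("10.30.0.0/24")]
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow export, one flow per line: src,dst,dst_port,proto
SAMPLE_FLOWS = """\
10.20.1.15,10.20.1.20,502,tcp
10.20.1.15,10.30.0.5,1433,tcp
10.20.2.7,10.5.4.3,445,tcp
10.20.3.9,203.0.113.45,443,tcp
10.20.3.9,198.51.100.7,123,udp
10.7.9.22,10.20.1.15,3389,tcp
10.20.1.20,10.20.1.15,502,tcp
"""


def classify(peer):
    """Label the non-control endpoint of a boundary-crossing flow."""
    ip = ipaddress.ip_address(peer)
    # Explicit lists on purpose: ipaddress.is_private would also treat the
    # documentation ranges (203.0.113.0/24 etc.) as private.
    if any(ip in net for net in ALLOWED_PEERS):
        return "allowed"
    if any(ip in net for net in CORPORATE_NETS):
        return "corporate"
    return "external"


def audit(flow_text):
    """Return every flow that leaves or enters the control network and is not
    on the allow-list, with the direction from the control network's view."""
    findings = []
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        src_in = ipaddress.ip_address(src) in CONTROL_NET
        dst_in = ipaddress.ip_address(dst) in CONTROL_NET
        if src_in == dst_in:
            continue  # purely internal, or not our segment at all
        peer = dst if src_in else src
        kind = classify(peer)
        if kind == "allowed":
            continue
        findings.append({
            "src": src, "dst": dst, "port": int(port), "proto": proto,
            "peer": peer, "kind": kind,
            "direction": "outbound" if src_in else "inbound",
        })
    return findings


def summarize(findings):
    """Count findings by peer class; anything 'external' contradicts the myth."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['direction']:8} {f['src']:>15} -> {f['dst']:<15} "
              f"{f['proto']}/{f['port']:<5} peer={f['kind']}")
    print(summarize(results))
```

On the constructed data the audit surfaces two flows to addresses outside the organization, a file-sharing flow to a corporate host, and an inbound remote-desktop session from a corporate laptop, the shape of the Harrisburg compromise. Run it against a real export and the list of "connections we did not know about" is the starting point for segmentation work; the allow-list should be the documented, approved set, never whatever the export happens to show.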
Myth: Firewalls are all you need
Many organizations believe that firewalls are the equivalent of an impenetrable force field. Shields up. We’re safe. Wrong!
Firewalls offer some protection, but they are routinely misconfigured, bypassed, or exploited directly. In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, organizations keep getting hacked because the focus is in the wrong place.
Organizations expose themselves to cyberattack when they use technology as a crutch. Believing that buying more hardware and software equates to safer infrastructure can be a fatal mistake. Departments and organizations need to realize that, at the end of the day, it is the quality of the cybersecurity personnel that will identify and eliminate threats before they are executed. All the best technology in the world will fail if the human element is ignored.
Myth: SCADA is obscure technology and hackers do not get it
SCADA cybercrime has become very lucrative. Cybersecurity has vaulted to the forefront of concerns for US electric utilities, yet fewer than a third say they're prepared to meet the growing threat of an attack. The Wall Street Journal reported in March 2014, citing a federal analysis, that if only nine of the country's 55,000 electrical substations went down, whether from mechanical failure or malicious attack, the nation could experience a coast-to-coast blackout. That report came a year after sniper fire knocked out the Metcalf substation near San Jose, California, in April 2013. The very definition of a hacker means that vulnerabilities can and will be found.
Myth: Our facility is not a target, we’re too remote
Research by Kaspersky Lab has shown that computers running SCADA software encounter the same malware that afflicts business systems: Trojans, worms, ransomware and other exploits targeting vulnerabilities in the Windows operating system. In the cybersecurity world, physical location and distance are irrelevant to state and non-state malicious actors.
SCADA: An emerging security market
To defend successfully against SCADA attacks, organizations must take a more thorough and systematic approach: establish what "normal" behavior looks like on the control network, and place safeguards around sensitive PAC (Protected Access Credentials) and other hardware and software components. They need a complete solution that abandons the outdated belief that physically isolating systems and buying technology will make a facility safe.
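Establishing "normal" on a control network is tractable because the traffic is far more regular than on a corporate LAN: the same HMIs poll the same controllers on the same ports day after day. The script below is an added example, not code from the original article or from Mosaic451. It learns, from a window of flows believed to be clean, which peers and services each host talks to, then flags later flows that introduce an unknown source host, a new peer, or a new service on a known peer. Both flow sets are constructed for illustration; the port numbers are ordinary TCP ports chosen for the example.

```python
"""Learn a per-host baseline of peers and services, then flag deviations.

Added example; the baseline and live flow records below are constructed.
"""
from collections import defaultdict

# Constructed baseline window: flows observed during known-good operation.
BASELINE_FLOWS = """\
10.20.1.15,10.20.1.20,502,tcp
10.20.1.15,10.20.1.21,502,tcp
10.20.1.16,10.20.1.20,502,tcp
10.20.1.15,10.30.0.5,1433,tcp
10.20.1.16,10.30.0.5,1433,tcp
10.20.1.15,10.20.1.20,502,tcp
"""

# Constructed monitoring window: later flows, three of which are deviations.
LIVE_FLOWS = """\
10.20.1.15,10.20.1.20,502,tcp
10.20.1.16,10.20.1.20,502,tcp
10.20.1.15,10.20.1.20,44818,tcp
10.20.1.16,203.0.113.45,443,tcp
10.20.1.15,10.30.0.5,1433,tcp
10.20.9.99,10.20.1.20,502,tcp
"""


def parse(flow_text):
    """Yield (src, dst, port, proto) from a src,dst,dst_port,proto export."""
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        yield src, dst, int(port), proto


def learn_baseline(flow_text):
    """Map each source host to the set of (dst, port, proto) it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port, proto in parse(flow_text):
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def detect(baseline, flow_text):
    """Return one alert per live flow that the baseline does not explain."""
    alerts = []
    for src, dst, port, proto in parse(flow_text):
        if src not in baseline:
            reason = "unknown source host"
        elif (dst, port, proto) in baseline[src]:
            continue  # seen before: normal
        elif any(d == dst for d, _, _ in baseline[src]):
            reason = "new service on a known peer"
        else:
            reason = "new peer"
        alerts.append({"src": src, "dst": dst, "port": port,
                       "proto": proto, "reason": reason})
    return alerts


if __name__ == "__main__":
    model = learn_baseline(BASELINE_FLOWS)
    for a in detect(model, LIVE_FLOWS):
        print(f"{a['src']:>12} -> {a['dst']:<15} {a['proto']}/{a['port']:<5} {a['reason']}")
```

Two caveats a practitioner would apply before trusting this in production. The baseline is only as clean as the window it was learned from, so it should be reviewed against the documented data flows rather than accepted blindly, or an attacker already present becomes part of "normal." And a learned model is a complement to the allow-list, not a replacement: the allow-list says what is permitted, the baseline says what is unusual, and an alert that is both unusual and not permitted is the one to act on first.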
The role of managed security services in the control systems segment is no different from any other market: the task and the goal are the same, but many companies lack the time or personnel to operate a Security Operations Center (SOC). Most organizations running control systems have limited expertise and limited bandwidth to deal with the complexities of security and compliance. Security is multifaceted, and proactive security in particular requires vigilant, continuous oversight.
Managed security services providers (MSPs) that can monitor, manage and protect control systems fill that gap. MSPs focus solely on their side of the coin, security and monitoring, which lets organizations keep their employees on what matters most to them: running the business.
An MSP that combines technology with an intelligent human network of on-site personnel can monitor and act as a full operations team. Technology, deployed correctly, is a force multiplier for intelligent human beings. MSP teams are trained to be security aware across the board, from older hacking techniques that are making a comeback to recognizing the behaviors of a zero-day attack. Understanding how attacks occur allows MSPs to fight malicious behavior proactively in any facility.
MSPs can also help customers with compliance. In the Industrial Control Systems field, for example, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards (NERC CIP) are a key requirement, and the regulatory burden they impose can be daunting. Partnering with an MSP gives organizations additional oversight to ensure they are following the most current security policies required by their governing body.
Technology is merely a tool in the fight against cybercrime, and it is only as good as the people who use it; the same is true of the effort to dispel the misconceptions about infrastructure SCADA systems and their vulnerability to attack. Organizations that hope to safeguard critical infrastructure must recognize this. It is a war that must be fought daily, but one that can be won.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.