Cyber attacks on critical infrastructure are becoming more commonplace, threatening public health and safety, and occasionally deteriorating relations between countries. These attacks have grown in sophistication as adversaries including nation-states deploy more advanced techniques to pursue their goals of financial gain or destabilizing a country’s core systems.
The severity of such activities recently prompted the Department of Homeland Security and the Federal Bureau of Investigation to issue a technical alert describing ongoing attacks on critical infrastructure by hackers apparently associated with the Russian government.
Since most of the critical infrastructure in the United States is owned and managed by organizations in the private sector, they are responsible for maintaining their security. While many have invested heavily to secure their IT networks, few have made comparable investments in their Industrial Control Systems (ICSs).
ICS Networks and SCADA Weaknesses
ICS networks and their Supervisory Control and Data Acquisition (SCADA) systems were created before the Internet, when hacking and cyber terrorism did not exist – and computer security was a non-issue.
The brains of all SCADA systems are programmable logic controllers (PLCs), specialized computers that make logic-based decisions to control industrial processes. PLCs use vendor-specific communication protocols that make them completely unsuitable for IT-like security monitoring and threat prevention.
Unlike most enterprises that replace their hardware and software every three years or so, critical infrastructures tend to hold onto their technologies for 10 to 15 years, or longer. Their reasons for doing so are ultimately self-defeating when it comes to implementing the best security.
In some cases, replacing old tech with new tech would be extremely costly. In most cases, however, replacement is simply not an option because the particular system or service would have to be taken down for an indefinite period.
Poor Information Sharing
Organizations rarely volunteer information about attacks or breaches to competitors or other third parties, reveal the security technologies they had in place, or discuss any best practices they used to counter attacks.
Unfortunately, this widespread failure to collaborate has an intracompany failure. Different groups within organizations — such as the IT department, operations, and C-level people — are often guilty of not sharing information, for one reason or another.
Incident Response Planning
In many ways, the steps to prepare for incident response in critical infrastructures mirror those that all organizations should take, regardless of industry. These involve creating a good plan and establishing clear policies and procedures. Ideally, the plan should be tested regularly, and policies and procedures should be updated to reflect changes in any applicable laws, new cyber threats, and so on.
Know the Regulatory and Compliance Landscape
For example, the energy sector has some very specific guidelines for what should be done in incident response. Other critical infrastructure organizations should familiarize themselves with all existing frameworks, laws, and regulatory and compliance standards so they can use them to craft effective plans, policies, and procedures.
A great source of information for all organizations is the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems. It provides recommendations and best practices.
NCCIC ICS works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community, while coordinating efforts among federal, state, local, and tribal governments, as well as with control systems owners, operators, and vendors.
Assess the Risks
Before creating a plan, organizations should do their homework. Primarily this involves identifying the sources of the greatest risks and vulnerabilities, drawing up a detailed list of these, and then reviewing what resources the organization has and lacks for addressing potential threats.
Develop a Containment and Continuity Strategy
The plan should be twofold: harness resources to identify threats and contain attacks, and ensure that business operations and services can be restored as quickly as possible after an attack.
Speed, efficiency, and information sharing are key in all phases of an attack: identification, containment, and business/service continuity.
Organizations should leverage the knowledge and assistance available from industry groups and law enforcement as well as local, state, and federal government agencies.
Disaster recovery planning is very closely tied to the incident response process. Make sure that those processes are tightly integrated when developing an incident response plan.
Hunt for Threats Before They Become Attacks
Being proactive is, of course, easier said than done. Nevertheless, organizations need to weigh the risks and costs being placed in a reactive mode that forces them on defense, a posture that empowers the bad guys.
Offense is the best form of defense, in sports and security. Proactive threat hunting can be very effective in preventing sophisticated threat actors from gaining a foothold deep into IT and operational networks.
Developing a plan, process and procedures for incident response is important in every industry. For critical infrastructures, where the stakes of a security incident include physical damage and public safety concerns, response capabilities must adhere to a much higher standard.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.