Cybersecurity and Physical Security

Cybersecurity focus has shifted to critical infrastructure

Sponsored Advertising Feature

Some of the names are familiar (WannaCry, Red October, Stuxnet), but many of the 16 or so cyber attacks on critical infrastructure since 2010 are known only to experts.

Despite the little-known nature of some cyber attacks, the damage can be obvious, expensive and destructive.

The Petya and NotPetya cyberattacks hit a wide range of companies in June 2017, including FedEx, Durex, Maersk, and Merck, inflicting an estimated $10 billion in business losses. In January 2019, LockerGoga hit Altran Technologies and in March took Norsk Hydro’s aluminum production offline. And the threats are growing.

In a recent report, IBM noted a 200% increase over the past six months in destructive malware, that is, cyber attacks that go beyond stealing information and aim to do physical damage to facilities. About half of those attacks were on industrial companies.

Among industrial targets, the energy sector, and particularly the electric power sector, has become a prime target. In July 2018, Dan Coats, at the time Director of National Intelligence, warned of daily cyber assaults on critical U.S. infrastructure that could be crippling, saying the warning lights are “blinking red.”

This spring, the North American Electric Reliability Corporation issued an alert warning that hackers, in particular the Xenotime group, which was responsible for an attack that jeopardized the safety of a Saudi petrochemical plant, have begun targeting the U.S. power sector. Those types of threats prompted the Federal Energy Regulatory Commission in June to approve a new, mandatory cybersecurity reporting rule.

The focus in cybersecurity has shifted over the past five years or so, says Barak Perelman, CEO and co-founder of Indegy, a company that specializes in protecting critical infrastructure by providing cybersecurity for industrial control systems.

The focus used to be on the financial sector, now it has shifted to critical infrastructure and industrial controls. One of the changes that brought about that shift is the wider use of digital technologies in the power sector.

Only a couple of years ago, the typical power network did not have an internet connection. “If a power grid is not connected to the internet, it is pretty hard to direct a cyber attack,” Perelman said. “Once a network is connected to the outside world, the outside world can poke holes in your defenses,” he said.

In recent years, however, there has been a proliferation of digital technologies – from Advanced Metering Infrastructure to the Internet of Things (IoT) – that are designed to make utilities more efficient and more responsive to customers’ needs. Customers also gain by being able to tap into their accounts, monitor electric usage and access appliances remotely with their mobile devices.

As the grid has become more intelligent, utilities have begun to integrate their Information Technology (IT) and Operational Technology (OT) networks. While combining those functions provides beneficial features such as predictive maintenance, improved efficiency and reduced downtime, it also makes power grids more vulnerable by expanding the attack surface.

“The digitization of the grid is changing the landscape of the power sector,” Perelman says, and poses a major safety risk because Supervisory Control and Data Acquisition (SCADA) and other OT systems were not designed to connect to the internet and lack the security protocols that are now built in.

From a cybersecurity perspective, the power grid presents a variety of challenges. In addition to the fact that many of the assets on the grid, from turbine generators to transformers, predate the security concerns that have become common in the internet age, those assets come from a variety of vendors that each bundle in their own control systems. Some older legacy energy sector assets don’t even have the basic level of security found on a laptop computer or mobile phone, such as username and password verification.

And, unlike the financial sector, which often relies on common software such as operating systems and spreadsheets from a few well-known vendors, critical infrastructure assets are controlled by specially designed, dedicated technology, such as a Programmable Logic Controller or PLC. The result is that once a hacker gets past the front gate, they stand a much better chance of being able to gain control of an entire system.

This presents unique challenges, even for cybersecurity professionals. When protecting regular IT networks, cybersecurity professionals typically think in terms of exploits, malware and backdoors. Those risks are relevant to the power grid, but cyber attacks on industrial assets can be executed by issuing commands that appear to follow accepted protocols. In addition, unlike financial sector cyber attacks that aim for a near term monetary payback, many attacks on critical infrastructure aim to build up capability so the adversary can unleash the damage at a time of their choosing.

About a year and a half ago, the Department of Homeland Security warned that Russia had infiltrated U.S. critical infrastructure without causing any damage, raising the threat that the hackers have their finger on the trigger and are ready to launch a “red button” attack. As frightening as that prospect appears, “there are a lot of things we can do,” Perelman says.

One of the lessons learned from the 2016 cyber attack that crippled the Ukraine power sector was that there was a lot of activity before the system actually went down. The malicious software that infiltrated the Ukraine system was working clandestinely to collect the information necessary to identify assets and their vulnerabilities. “An attacker needs to know a lot about the system,” Perelman says. In fact, “a red button attack is not as simple as it sounds,” he says. “There was a lot of reconnaissance going on. It is easily identifiable, if you have the right tools.”

When selecting the tools to fight the rising threat of industrial cyber attacks, it is worth recalling that the tools required for cyber protection in an IT environment are different from those required for OT systems.

Effective cybersecurity tools must be able to detect initial intrusions, but they must also be capable of monitoring systems for malware that lies dormant waiting to attack at a future date, and they must be capable of monitoring and protecting vulnerable legacy assets. That requires around-the-clock monitoring of all traffic, anywhere in the network and from any device on it, so that attacks are detected in a timely way.

And, because power networks are often distributed across a large area and are often outdoors and in remote areas, an effective cybersecurity solution must be capable of detecting physical tampering. That requires the ability to periodically query individual devices on the network to identify whether any changes have been implemented.

That was a key consideration for the Public Utility District of Whatcom County when it turned to Indegy's industrial cybersecurity suite to protect its increasingly digitized system in which computers that run a plant have remote access.

“As their power grids become smarter and more connected, utilities need to rethink their cybersecurity strategies,” Perelman says. “In addition, if it’s not an external attack, it could be a malicious insider or simply an unintentional mistake from an employee or third-party contractors performing routine maintenance. The bottom line in all cases is that you need to know about any threat or any change to your network.” That means immediate detection from a combination of active querying and passive network monitoring, while ensuring accurate and reliable asset management. Those tools can help power utilities protect their grid assets from anything that threatens them, he says.
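The two detection approaches described above, periodic active querying of individual devices to spot changes and passive monitoring of traffic for commands that are protocol-valid but out of place, can be illustrated with a small script. The following is an added example written for this page; it is not Indegy's code or any vendor's API. The device names, snapshot fields (firmware, logic_crc, mode), the allowlist and the traffic log lines are all constructed for the illustration.

```python
# Added example, not code from the article or from Indegy. It sketches the
# two detection approaches the article describes: periodically querying
# each device and comparing the answer against a known baseline (active),
# and checking observed commands against what normal operations look like
# (passive). Every device, snapshot and log line here is constructed.
import hashlib

# Constructed baseline: what each device reported when the inventory was
# last verified. Field names are assumptions; a real query would pull
# firmware version, logic checksum and run mode over the vendor protocol.
BASELINE = {
    "plc-substation-1": {"firmware": "2.4.1", "logic_crc": "a1b2c3", "mode": "RUN"},
    "rtu-feeder-7": {"firmware": "1.9.0", "logic_crc": "77ff00", "mode": "RUN"},
}


def fingerprint(snapshot):
    """Hash a device snapshot in canonical key order so that two snapshots
    with the same fields compare equal regardless of dict ordering."""
    canonical = "|".join(f"{key}={snapshot[key]}" for key in sorted(snapshot))
    return hashlib.sha256(canonical.encode()).hexdigest()


def active_query_drift(baseline, current):
    """Compare a fresh round of query results against the baseline.

    Returns a sorted list of (device, reason) alerts covering changed
    configuration, devices that stopped answering, and devices that
    answered but were never inventoried."""
    alerts = []
    for dev, base in baseline.items():
        if dev not in current:
            alerts.append((dev, "no response to query"))
        elif fingerprint(base) != fingerprint(current[dev]):
            changed = sorted(k for k in set(base) | set(current[dev])
                             if base.get(k) != current[dev].get(k))
            alerts.append((dev, "changed: " + ",".join(changed)))
    for dev in current:
        if dev not in baseline:
            alerts.append((dev, "unknown device answered query"))
    return sorted(alerts)


# Constructed allowlist of (source, device, operation) learned from normal
# traffic. A write that is well-formed for the protocol but comes from a
# source that never writes is exactly the case the article warns about.
EXPECTED = {
    ("hmi-ops", "plc-substation-1", "read"),
    ("hmi-ops", "plc-substation-1", "write"),
    ("hmi-ops", "rtu-feeder-7", "read"),
    ("historian", "rtu-feeder-7", "read"),
}


def passive_monitor(log_lines, expected=EXPECTED):
    """Scan constructed traffic log lines of the form
    '<timestamp> <source> <device> <operation>' and flag anything outside
    the learned allowlist."""
    alerts = []
    for line in log_lines:
        ts, src, dev, op = line.split()
        if (src, dev, op) not in expected:
            alerts.append((dev, f"unexpected {op} from {src} at {ts}"))
    return alerts


if __name__ == "__main__":
    # Constructed query round: the RTU's logic checksum differs from the
    # baseline and a device nobody inventoried is now answering.
    current = {
        "plc-substation-1": {"firmware": "2.4.1", "logic_crc": "a1b2c3", "mode": "RUN"},
        "rtu-feeder-7": {"firmware": "1.9.0", "logic_crc": "deadbe", "mode": "RUN"},
        "plc-unlisted-9": {"firmware": "3.0.0", "logic_crc": "000000", "mode": "RUN"},
    }
    for alert in active_query_drift(BASELINE, current):
        print("ACTIVE ", alert)
    traffic = [
        "10:00:01 hmi-ops plc-substation-1 read",
        "10:00:02 historian rtu-feeder-7 read",
        "10:00:03 eng-laptop rtu-feeder-7 write",  # well-formed but unexpected
    ]
    for alert in passive_monitor(traffic):
        print("PASSIVE", alert)
```

The active side catches what passive monitoring cannot see: a logic change made locally at the device, or a device that silently stops answering. The passive side catches what a configuration query cannot see: a command that is perfectly valid for the protocol but comes from a source that has no business issuing it. The asset inventory (here the BASELINE dict) is what ties the two together, which is why the article stresses accurate asset management.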

For more information about Indegy, visit the company’s website.