In the world of cybersecurity, critical infrastructure is being targeted at an alarming rate. As cyber criminals become more sophisticated in their methods, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems offer them a wide range of attack vectors and angles from which to launch campaigns against critical infrastructure.
It is well known that critical infrastructure in the United States and the rest of the world relies on a significant amount of ICS and SCADA technology that is out of date and no longer supported by its manufacturers. Additionally, many known vulnerabilities, flaws, and paths to access ICS and SCADA devices and architectures are openly available on the web. Anyone with internet access and the motivation to learn how to identify and exploit those flaws can take part.
Recent attacks on critical infrastructure, such as the hacking of the Colonial Pipeline, have brought publicity to something cybersecurity experts have known for some time: Industrial Control Systems and SCADA architectures are extremely vulnerable to cyber-attacks. Bad actors are demonstrating detailed intelligence and knowledge of industrial control systems architecture, as well as an expert-level understanding of the information technology systems and tech stacks in use.
ICS and SCADA architecture was long thought to be secure because the systems were “air gapped,” meaning they were not connected directly to the internet or to the company’s corporate network. In theory they were safe from a cybersecurity perspective. This is clearly not the case.
Take, for example, a medium to large electric company with a complex power grid. The company will have many main power stations, substations, alternative energy sites, and co-generation facilities (natural gas or coal powered). These facilities are typically not located close to one another. In most cases, the alternative energy (wind and solar) sites are very remote, making them difficult to access.
For the utility to maintain proper communication and control from an operations perspective, the facilities must connect to the internal reporting and control structure. Network design engineers build their systems to be secure. However, a contractor called out to work on an ICS controller at a remote site may have to plug a work laptop into a component at the “air gapped” facility, and in doing so may accidentally pass malware along to the ICS or SCADA.
Depending on the configuration and capability of the ICS or SCADA, introducing malware can give the attackers access beyond the specific air-gapped facility. Once inside the facility network through the malware, they can move laterally, at least within that system. They will also be mapping the digital infrastructure and exploring what else can be reached. Alternatively, the attackers may simply settle into the isolated ICS they have infiltrated and create serious problems for the system under its control, up to and including the destruction of the equipment that the ICS controls.
Additionally, contractors and service providers to critical infrastructure do not always create or maintain separation between read (monitoring) and write (control) systems. In many cases it is a single network of systems that receives the data, analyzes it, and then writes commands to adjust performance and sends them back down the same network for execution. When that ICS or SCADA is compromised, the threat actors have full access to the industrial control systems and can disable or destroy them.
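The separation the paragraph above asks for can be expressed as a simple policy at the boundary of the facility network: monitoring traffic may read, but only a dedicated control zone may write, and only to approved devices within engineering limits. The following Python is an added example, not code from the original article or from LIFARS; the zone names, the asset inventory, the setpoint limits and the sample traffic are all constructed for illustration.

```python
"""Added example: a minimal read/write separation policy for an OT boundary.

Every name here (zones, devices, limits, sample traffic) is hypothetical and
constructed for the example. A real gateway would enforce this at the protocol
level and forward blocked events to the SOC.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical zone names.
OT_ZONE = "ot-substation-7"        # the "air gapped" facility network
ANALYSIS_ZONE = "it-historian"     # receives data and runs analysis (read-only)
CONTROL_ZONE = "ot-control-room"   # the only zone permitted to issue writes

# Constructed asset inventory: controllers that accept writes, with the
# engineering limits a setpoint must stay within.
WRITE_LIMITS = {
    "rtu-feeder-3": (0.0, 1.0),
    "plc-breaker-12": (0.0, 1.0),
}


@dataclass(frozen=True)
class Message:
    src_zone: str
    dst_zone: str
    target: str                    # device the message addresses
    op: str                        # "read" or "write"
    setpoint: Optional[float] = None


def evaluate(msg: Message) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    if msg.dst_zone != OT_ZONE:
        return "block", "only traffic toward the OT zone is mediated here"
    if msg.op == "read":
        if msg.src_zone in (ANALYSIS_ZONE, CONTROL_ZONE):
            return "allow", "read from a trusted zone"
        return "block", f"read from unknown zone {msg.src_zone}"
    if msg.op == "write":
        if msg.src_zone != CONTROL_ZONE:
            return "block", f"write attempted from non-control zone {msg.src_zone}"
        limits = WRITE_LIMITS.get(msg.target)
        if limits is None:
            return "block", f"{msg.target} is not an approved write target"
        if msg.setpoint is None:
            return "block", "write without a setpoint"
        low, high = limits
        if not (low <= msg.setpoint <= high):
            return "block", f"setpoint {msg.setpoint} outside limits {limits}"
        return "allow", "write from control zone within limits"
    return "block", f"unknown operation {msg.op!r}"


def filter_messages(messages) -> List[str]:
    """Evaluate each message in order; return the verdicts and log every block."""
    verdicts = []
    for msg in messages:
        verdict, reason = evaluate(msg)
        verdicts.append(verdict)
        if verdict == "block":
            print(f"BLOCK {msg.src_zone}->{msg.target} {msg.op}: {reason}")
    return verdicts


# Constructed sample traffic: the analysis network polling, then trying to
# write; the control room writing within and outside limits; a write to an
# unapproved device; and a write with no setpoint.
SAMPLE_TRAFFIC = [
    Message(ANALYSIS_ZONE, OT_ZONE, "rtu-feeder-3", "read"),
    Message(ANALYSIS_ZONE, OT_ZONE, "rtu-feeder-3", "write", 0.95),
    Message(CONTROL_ZONE, OT_ZONE, "rtu-feeder-3", "write", 0.95),
    Message(CONTROL_ZONE, OT_ZONE, "rtu-feeder-3", "write", 5.0),
    Message(CONTROL_ZONE, OT_ZONE, "hmi-kiosk", "write", 0.5),
    Message(CONTROL_ZONE, OT_ZONE, "plc-breaker-12", "write", None),
]


def run_demo() -> List[str]:
    """Run the policy over the constructed traffic and return the verdicts."""
    return filter_messages(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that a compromised analysis host can still read everything it needs, but has no path to issue commands: writes are accepted only from the control zone, only for inventoried devices, and only within limits, so a single compromised network segment does not translate into full control of the equipment.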
To this point we have mostly seen unlawful access to critical infrastructure used for extortion, extracting the maximum dollars possible per hack. As the vulnerabilities continue to be exposed and become more accessible, the concern becomes how to stop hacktivists or terrorists who do not ask for ransom, whose goal is simply to damage the critical resources.
What are the best steps a critical infrastructure company can take to improve its cybersecurity posture? First, get an accurate assessment of where you currently stand. Engage a company such as LIFARS to complete a security audit, including a penetration test.
The next step would be an executive tabletop exercise to work through the various issues without any live-fire cyber activity. This tabletop is meant to ensure the company understands how to respond to the various threats.
When should the legal department be involved? Does law enforcement need to be notified? When should the public relations team be engaged? These are critical decision points that should be thought through ahead of time.
Lastly, every company should have a well-thought-out and quickly actionable cyber-attack disaster recovery plan, including the restart of essential systems after an attack. Critical infrastructure is at a crucial time in its evolution, and the rising wave of cybercrime does not appear to be waning.