Protecting critical assets in a hazardous world.
Torsten George (email@example.com) is vice president of worldwide marketing at Agiliance, a provider of security software systems.
Recent news of an advanced persistent threat at Oak Ridge National Laboratory,1 a U.S. Department of Energy lab that studies nuclear fusion and biotechnology, and hosts one of the nation’s most powerful supercomputers, has once again brought the issue of cyber security to the top of not just the news, but the mind of many information technology (IT) and security experts in the energy market.
The cyber security challenge is becoming increasingly important for the people responsible for securing the electrical grid, as well as nuclear power generation facilities, oil refineries and gas pipelines. Considering the system complexity they are dealing with, their job isn’t easy. When combating network threats in the forms of viruses, trojans, and worms, many organizations fail to address vulnerable interfaces between their diverse systems or consider how their security infrastructure functions as a whole.
Integration is essential to managing today’s complex security systems. One option for IT administrators is to develop an information security risk management (ISRM) program that interconnects systems, processes and people, helps provide greater visibility, and enables operators to make more intelligent decisions as they relate to the security of an organization. An ISRM program enables organizations to increase system-wide efficiencies and reduce incidents, and ultimately the overall cost.
Security and Compliance
As computer software has become the backbone of modern civilization, organized cyber criminals, state sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to generate revenue and carry out criminal activities. The growing number of cyber attacks has become one of the most serious economic and national security threats our nation faces.
Recent news of sophisticated and targeted cyber attacks against such world-class organizations as the International Monetary Fund, Sony, Amazon, Google, and Lockheed illustrate the seriousness of this threat. But while such attacks garner headlines, energy providers operating electric grids, gas pipelines and nuclear power plants have known for years that they are prime targets for advanced persistent threats. If allowed to succeed, these attacks could have a wide impact on the nation’s economy and civil stability.
Over the past decade, a series of events has highlighted the vulnerability of the electric grid and other energy infrastructure to cyber attacks. Extensive blackouts in the northeast U.S. and in parts of Europe in 2003,2 as well as sophisticated exploits such as Stuxnet,3 a computer worm that targeted nuclear plant operators last summer, are just the tip of the iceberg. A recent survey conducted by McAfee and the Center for Strategic & International Studies,4 reveals that 80 percent of critical infrastructure providers have faced threats ranging from denial-of-service attacks to extortion, and advanced persistent attacks.
While most attention is usually focused on threats to the electric grid, in reality there’s little difference in vulnerabilities between electric grids and other energy infrastructure, such as natural gas pipelines, petroleum pipelines and district heating, as well as other utilities such as drinking water and sanitation systems.
Unfortunately, the energy industry uses process control systems that lack a proficient, organization-wide incident-reporting mechanism, which makes them less reactive to any advanced persistent threat. The awareness and importance of finding ways to better protect our nation’s critical infrastructure changed overnight when the towers of the World Trade Center fell nearly 10 years ago.
Since the September 11 terrorist attacks, the energy industry has taken special measures to ensure the reliability of the North American bulk power systems—especially as it relates to emerging threats of cyber attacks. For instance, the North American Electric Reliability Corp. (NERC), certified by the Federal Energy Regulatory Commission (FERC), developed standards for NERC members’ critical infrastructure protection (CIP). These standards have been prepared to ensure the reliability of the bulk electric system in North America and include stipulations about cyber security.
In addition, the U.S. Nuclear Regulatory Commission (NRC) issued security rules that added cyber attacks to the adversary threat types nuclear plants must be able to defend against. According to the NRC’s “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), nuclear power plant licensees are nowadays mandated to submit a cyber security plan and remediation strategy. The U.S. nuclear industry’s trade group, the Nuclear Energy Institute (NEI), went even further by inviting more than 20 cyber security experts from the nuclear industry to build NEI 08-09, “Cyber Security Plan for Nuclear Power Reactors.” NEI 08-09 looks very similar to the NRC guidelines and focuses on ensuring that approximately 650 controls derived from the National Institute of Standards and Technology (NIST)—NIST 800-53—are used to verify the cyber security of critical digital assets in commercial nuclear plants.
Obviously, the energy industry has taken proactive steps to secure critical infrastructure against threats such as cyber attacks. However, when it comes to the implementation of cyber security plans, the industry is still facing a dilemma as utilities’ current measures are unable to keep up with the evolving exploits, including perimeter intrusion detection, signature-based malware, and anti-virus solutions. Often, these security tools operate in a silo-based approach and aren’t integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of security programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are based on the risk to the organization and its infrastructure.
Attackers and Tactics
Undoubtedly of utmost concern in the energy industry is the vulnerability of industrial control systems, specifically supervisory control and data acquisition (SCADA) systems that are used to control geographically dispersed assets from a central command center. Historically, SCADA systems were isolated and used to control processes for a single site. However, advances in computer technology as well as the liberalization of the energy industry have led to an interconnected environment. As a result, SCADA systems become inherently vulnerable to cyber attacks, such as viruses, worms, trojans, and malware. However, without connectivity to the outside world, energy companies wouldn’t be able to share their production and reserve capacity with other providers.
When it comes to threats against SCADA systems, energy industry organizations can distinguish between threats posed by unauthorized access to the software system—whether driven by human interference or via virus infections that impact the performance of the software—and packet access to network segments that host SCADA systems. The latter threat raises the risk of intruders taking control of SCADA systems by sending access packets to the device.
Any of the outlined threats can essentially shut down the SCADA system, resulting in a direct or indirect threat for public health and safety.
When it comes to the motives that drive cyber attacks, it’s important to understand the different types of hackers.
Leisure hackers want to prove to the world their ability to break into a protected network or server, and it doesn’t matter if the network is operated by an industrial, commercial, or government organization. It’s more about the bragging rights rather than exploiting the victims for material gain. This group represents by far the least serious threat to the energy infrastructure.
Next up the ladder are those individuals that want to bring about environmental or social change and therefore target specific networks in order to advance their particular agenda. For instance, anti-nuclear activists could attempt to disrupt a nuclear power plant operation to create fear among the citizens and leverage the unfavourable media coverage for their own purposes. With the radicalization of activist movements in recent years, this group of hackers represents a serious threat to the energy infrastructure.
The next level of hackers, organized cyber criminals, always follow the money-trail, they have focused their attention on cyberspace as it allows them to cash in with a limited risk of getting caught. And while their organized crime leans towards exploiting vulnerabilities that are associated with personal identifiable information—which then can be used for fraudulent activities—they could target the energy industry to either manipulate the stock market or ask for ransom in exchange of not harming critical infrastructures. Targets of such extortion have tended to keep the incidents quiet, to avoid encouraging copycats.
Terrorist networks pose an even greater threat. The killing of al-Qaeda leader and founder Osama bin Laden and subsequent release of intelligence data illustrated how sophisticated terrorist networks are, and that cyber warfare is not unknown to them. Considering the fatal consequences a rapid shutdown of a nuclear plant could have for a whole region, such infrastructure presents a desirable target for terrorist networks.
Finally, state sponsored attackers have a variety of possible motivations—commercial, military, tactical, and strategic. Internet security experts, Western governments, and corporate America believe that the majority of cyber attacks originate from state actors, and in particular, countries such as China and North Korea. In February 2011, several multinational energy firms were targeted in an attack called “Night Dragon.”5 The hack was traced back to China via a server leasing company in Shandong Province that hosted the malware and to a Beijing IP address. Further, according to U.S. diplomatic cable releases by Wikileaks,6 U.S. officials believe that attacks on Google were devised by two members of China’s ruling body. It is believed that thousands of hackers have been recruited to form a botnet army in China. In May 2011,7 a spokesperson for the Chinese Defense Ministry admitted that it has an elite unit of cyber warriors in its army, which is tasked to safeguard the Internet security of armed forces. China denied allegations that it uses cyber warfare as an offensive tool. Considering the funds available to many military powers as well as governments in general, state-sponsored cyber warfare represents a significant threat.
For instance, by disrupting the energy infrastructure of a country, the attacker could certainly create chaos, forcing the target nation to divert attention and manpower to dealing with internal issues rather than an external conflict.
Another factor that can’t be underestimated in the context of cyber security risk to energy infrastructure comes from the human element. Employees sometimes unknowingly fall prey to phishing attacks. And frequently users will insert USB thumb drives of questionable origin into network computers—not realizing that they could have been pre-loaded with malware. Hackers and malware build upon such weaknesses.
Improving Cyber Security
The reliable function of SCADA systems in the energy industry’s infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety.
In addition to collaborating with the Department of Homeland Security, FERC, NERC, and NEI, commercial energy providers should consider overhauling their approach to information security risk management to counter cyber attacks and prevent data loss, unauthorized disclosure, and data destruction. Following the recommendation of the DOE Offices of Energy Assurance and Independent Oversight and Performance Assurance, and the President’s Critical Infrastructure Protection Board, the following rudimentary actions should be taken to improve the cyber security of SCADA networks:8
First, companies should manage and perform risk assessments to understand which systems have sensitive data and, therefore, have the highest criticality. In this context it’s especially important to identify all connections to SCADA networks. Based on the results of the risk assessments, energy infrastructure providers should rationalize the locations where sensitive data is stored to only the most secure systems that are protected against direct Internet traffic—disconnecting unnecessary connections to the SCADA network.
In a second phase, operators should evaluate and strengthen the security of any remaining connections. This includes, but isn’t limited to hardening networks by removing or disabling unnecessary services. At the same time, it’s important to track risks on these critical systems from a top-down perspective to understand the key threats that an energy company faces and ensure controls are in place to counter these threats.
Other steps to consider are dropping the use of proprietary protocols to protect infrastructure systems, implementing the security features provided by the device and system vendors, and establishing strong controls over any medium used as a back door into the SCADA network.
From a strategic perspective, energy industry players should consider managing risk from a bottom-up perspective by consolidating and correlating data from scanners, vulnerability feeds, patch management systems, and configuration management systems to get a holistic view of vulnerabilities affecting the most business-critical assets.
An advanced information security risk management program begins by implementing internal and external intrusion detection systems and establishing 24-hour-a-day incident monitoring. Furthermore, technical audits of SCADA devices and networks, and any other connected networks, are performed to identify security concerns. This includes physical security surveys and assessments of all remote sites connected to the SCADA network to evaluate their security.
On a systems level, it’s essential to create and track tickets to put in place controls and remediation to address threats and vulnerabilities in a timely fashion. Continuously reporting on risks, vulnerabilities, and effectiveness of remediation efforts enables an energy infrastructure provider to manage emergency response processes and procedures. Following this approach enables an organization to minimize the damage from a cyber attack.
From a policy and governance perspective, energy infrastructure providers should clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users. At the same time, they should document their organization’s network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
Borrowing from McAfee’s current slogan, “safe never sleeps,” organizations should conduct frequent self-assessments to test their information security risk management program. At the same time, it’s essential to run training programs for employees and contractors to prevent unintended disclosure of sensitive information.
Implementing an ISRM program that integrates and interconnects components for managing security events, assets, threats, vulnerabilities and incident response, as well as software configuration and patches, will allow organizations to increase resiliency, improve response time, and enhance overall system robustness. At the same time they can reduce risk through the ability to make threats and vulnerabilities visible and actionable—enabling utilities to prioritize and address high risk security vulnerabilities prior to them being exploited.
Streamlining processes by leveraging automation and reducing redundant, manual efforts helps to reduce cost too—offsetting the initial expenses of implementing an advanced information security risk management program.
ISRM can help prevent and minimize the consequences of cyber attacks on our nation’s critical infrastructure. But will it guarantee an organization’s safety? As all security professionals are painfully aware, cyber criminals are outpacing many target organizations and security vendors when it comes to finding new ways to attack their victims. Thus, it seems that future attacks will be more severe, more complex, and more difficult to anticipate, plan for, and detect.
Beyond facing direct cyber attacks, which are targeting critical infrastructure systems, more attacks might include information warfare, using social media outlets as a new methodology. A good example of this new threat occurred in Russia, where hackers targeted a nuclear power plant near St. Petersburg in May 2008.9 The cyber attack led to the shutdown of the plant’s website, which would have gone unnoticed by the public if not for the fact that the attackers circulated rumors of radioactive leaks via the Internet. The incident didn’t affect the plant operation, but caused panic among citizens living close to the facility.
Another threat scenario lies in the manipulation of energy markets by spreading rumors about attacks on major energy infrastructure facilities (e.g., gas or oil pipelines), which could lead to unexpected shortages in power or gas and at least for a short time cause disruptions or blackouts.
Fortunately, the public, lawmakers, and regulators in Washington D.C. are becoming increasingly well informed about to threats and vulnerabilities of the nation’s critical infrastructure. A determined and collaborative effort driven by regulators, security vendors, industry leaders and politicians is required to protect our nation’s critical infrastructure against disruptions and attacks. While the most recent government initiatives are a step in the right direction, legislation has proven to be too slow to respond to rapidly evolving threats.
Thus, it lies in the hands of energy companies to raise awareness of the risk of cyber attacks and take appropriate action.
4. “In the Dark: Crucial Industries Confront Cyberattacks,” McAfee and Center for Strategic & International Studies, November 2010.
5. “‘Night Dragon’ Attacks from China Strike Energy Companies,” www.pcworld.com, Feb. 10, 2011.
6. “Wikileaks: Chinese Govt Helped Coordinate Google Attack,” www.pcmag.com, Nov. 29, 2010.
8. “21 Steps to Improve Cyber Security of SCADA Networks,” Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
9. “Project Grey Goose Report on Critical Infrastructure: Attacks, Actors, and Emerging Threats,” Greylogic, Jan. 21, 2010.