It can seem at times like there are millions of cyber attacks going on out there, that they're growing in severity, and they're being directed less by hackers and more by malicious nation-states. This is a pretty scary scenario, but what's really frightening is that it's an accurate picture of what's happening.
"Cybersecurity threats are increasing in frequency, scale, sophistication and severity of impact," said Neil Hershfield, deputy director, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Dept. of Homeland Security. In citing a Sept. 25, 2015, statement by U.S. National Intelligence Director James Clapper, Hershfield added, "Several nations have undertaken defensive cyber operations against private sector targets. Cyber threats can't be eliminated; instead cyber risks must be managed. The likelihood of a catastrophic attack is remote at this time. Instead, we envision an ongoing series of low- to moderate-level cyber attacks that will impose cumulative costs on U.S. economic competitiveness and national security."
Hershfield outlined this grim situation in his presentation, "Managing cyber risk: current trends and defensive strategies for protecting critical infrastructure," during the Chemical Industry Forum this week at Automation Fair in Atlanta.
Seeking security
"If remote access is granted without adequate isolation and boundary protection, you'll be susceptible to compromise by campaigns like these." Neil Hershfield, deputy director, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) for the U.S. Department of Homeland Security.
Process control engineers and their colleagues can't let themselves be paralyzed by this concerning situation and must find ways to protect their applications, co-workers, facilities and surrounding communities. Fortunately, there are more than a few new and increasingly effective tools, methods, services and software for preventing probes, intrusions and cyberattacks.
"Because of the many well-publicized data breaches in 2014-15 and system problems that are continuing to increase, many businesses are racing to improve their cybersecurity postures," explained Hershfield. "This seems to be a pay now or pay later model with significant corporate spending after hacking incidents. In fact, the cybersecurity market was worth $75.4 billion in 2015 and is expected to reach $101 billion in 2018 and $170 billion by 2020."
Risk reduction mission
To help process industry users improve their cybersecurity situation and response, Hershfield reported that ICS-CERT's mission is to reduce risk to the nation's critical infrastructure by strengthening control system security through public-private partnerships.
The benefits of this include: awareness of emerging threats and mitigations, state-of-the-art analysis, incident response support, and established partnerships and collaboration with other agencies and partners.
As a result, ICS-CERT offers a variety of resources, risk-assessment tools, training and other services that organizations in the process and other industries can use to improve their cybersecurity. One of the most popular is its cybersecurity evaluation tool, which helps individual users evaluate their current cybersecurity capability. All of these resources are available at ICS-CERT's website.
Growing process concerns
"Sophisticated adversaries are becoming more advanced in their reconnaissance, network penetration, detection evasion, persistent access and data exfiltration capabilities," continued Hershfield. "Inherent vulnerabilities in control system environments are coupled with interconnectivity to business networks. There's also been a shift from isolated systems to open protocols, including access to remote sites through the use of modems, wireless, private and public networks. And, of course, the Industrial Internet of Things (IIoT) means that even more control systems are connecting to the Internet."
Consequently, these events and trends have contributed to the overall risk evolution and the present state of cybersecurity in the process control industries. Hershfield reported that, while there were 39 cyber incidents involving industrial control systems (ICS) in 2010, there were 290 incidents in 2016.
"In 2010, there were few ICS intrusions and most were identified infections that were usually inadvertent. Plus, there was little evidence of focused R&D programs by sophisticated threat actors to develop ICS exploitation capabilities," Hershfield added. "There have also been multiple, sophisticated, ICS-focused campaigns since 2001, including BlackEnergy and Havex. As a result, there's been vast commercial research into ICS discovery, vulnerabilities and exploits."
Ukraine and response
A notable cyberattack caused power outages to Ukraine's electrical grid on Dec. 23, 2015. Analysis revealed that the attackers used spearphishing—tricking victims into opening spurious emails and downloading malware—to steal credentials and connect to the local electric utility's virtual private network (VPN) and remote desktop software to manipulate human machine interface (HMI) controls.
"Power was restored in four to six hours by switching to manual control, and the affected utility was still in manual mode three months later," said Hershfield. "This attack demonstrated extensive preparation and coordination, but limited technical sophistication. Meanwhile, U.S. infrastructure is vulnerable to similar attacks across multiple sectors, and these systems might not be able to switch to manual as easily.
"We also learned the importance of multi-factor in the Ukraine incident. Some organizations have legitimate operational needs for remote access and/or monitoring, but if remote access is granted without adequate isolation and boundary protection, they'll be susceptible to compromise by campaigns like these."
In general, Hershfield advises users to:
- Never connect to the Internet without a firewall;
- Don't allow business/IT level direct access to control systems;
- Require different logins and passwords for business and control departments;
- Require multi-factor authentication codes;
- Only allow data to go out from control systems through network demilitarized zones (DMZ) and not back in; and,
- Perform a thorough security assessment.