Feds weigh in on cybersecurity

Dec. 22, 2016
Neal Hirschfield, deputy director of ICS-CERT, part of the U.S. Dept. of Homeland Security, notes an 'ongoing series of low- to moderate-level cyber-attacks that will impose cumulative costs on U.S. economic competitiveness and national security.'

Cybersecurity threats are increasing in frequency, scale, sophistication and severity. However, despite several recent cyber-attacks by nation-states against private-sector targets, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) estimates that the likelihood of a catastrophic attack is presently remote. ICS-CERT instead envisions an ongoing series of low- to moderate-level cyber-attacks that will impose cumulative costs on U.S. economic competitiveness and national security, according to Neal Hirschfield, deputy director of ICS-CERT, which is part of the U.S. Dept. of Homeland Security.

"Sophisticated adversaries are becoming more advanced in their reconnaissance, network penetration, detection evasion, persistent access and data exfiltration capabilities," explains Hirschfield. "Unsophisticated adversaries have easy access to victim identification and script and scripted exploits of control systems. Inherent vulnerabilities in control system environments are coupled with interconnectivity to business networks. There's also been a shift from isolated systems to open protocols, including access to remote sites through the use of modems, wireless, and private and public networks. And, of course, the industrial Internet of things (IIoT) means even more control systems connecting to the Internet."

Consequently, these events and trends have contributed to the overall risk evolution and the present state of cybersecurity in the process control industries. Hirschfield reported that, while there were 39 cyber-incidents involving industrial control systems (ICS) in 2010, there were 290 incidents in 2016. "In 2010, there were few ICS intrusions and most were identified infections that were usually inadvertent. Plus, there was little evidence of focused R&D programs by sophisticated threat actors to develop ICS exploitation capabilities," adds Hirschfield. "In 2016, there were 41 confirmed and reported ICS intrusions in fiscal year (FY) 2014, and 23 confirmed ICS intrusions in FY 2015. There have also been multiple, sophisticated, ICS-focused campaigns since 2001, including BlackEnergy and Havex. As a result, there's been vast commercial research into ICS discovery, vulnerabilities and exploits."

One of the most egregious recent cyber-attacks caused power outages on Ukraine's electrical grid on Dec. 23, 2015. Analysis revealed that the attackers used spear phishing—tricking victims into opening spurious emails and downloading malware—to steal credentials and connect to the local electric utility's virtual private network (VPN), and used remote desktop software to manipulate human-machine interface (HMI) controls.

"Power was restored in four to six hours by switching to manual control, and the affected electric companies were still in manual mode as of February 2016," says Hirschfield. "This attack demonstrated extensive preparation and coordination, but limited technical sophistication. Meanwhile, U.S. infrastructure is vulnerable to similar attacks across multiple sectors, and these systems might not be able to switch to manual as easily. We also learned the importance of multi-factor authentication in the Ukraine incident. Some organizations have legitimate operational needs for remote access and/or monitoring, but if remote access is granted without adequate isolation and boundary protection, they'll be susceptible to compromise by campaigns like these."

In general, Hirschfield advises users to:

  • Never connect to the Internet without a firewall;
  • Not allow business/IT level direct access to control systems;
  • Require different logins and passwords for business and control departments;
  • Require multi-factor authentication codes;
  • Only allow data to go out from control systems through network demilitarized zones (DMZ) and not back in; and
  • Perform a thorough security assessment.

ICS-CERT offers a variety of resources, risk-assessment tools, training and other services that organizations in the process and other industries can use to improve their cybersecurity. One of the most popular is its cybersecurity evaluation tool, which helps individual users evaluate their current cybersecurity capability. All are available on the ICS-CERT website.

For more, read Control's December 2016 cover story, "Building a united front for cybersecurity."

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control. 
