Probably the best-known cyber-attack on critical infrastructure was in the Ukraine in 2015, when hackers successfully infiltrated the electric utility’s SCADA system. Key circuit breakers were tripped, and the SCADA system was turned into a “brick”, causing a system-wide power blackout. It left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours. Critical infrastructure around the world continues to be at risk.
Last October, reports from India eventually confirmed, following several denials, that hackers had infiltrated the country’s biggest nuclear power station, at Kudankulam in the southern state of Tamil Nadu. According to the virus scanning website VirusTotal, the hackers had managed to infect at least one computer with the so-called DTrack spyware before the breach was detected. Criminals in India had previously planted the DTrack spyware in ATM machines to steal card numbers and other personally identifiable information (PII). It is feared that this time the perpetrators may have obtained a large amount of data from the nuclear plant, which could be sold to terrorists for nefarious purposes, such as sabotage or stealing radioactive material.
Meanwhile, according to reports, at least one oil installation in the Middle East is among the victims of a new kind of ransomware. As you might expect, the Ekans malware works by encrypting data and leaving a ransom note. The Duuzer malware used against South Korean manufacturing plants in 2015 worked in a similar way. What is new and more dangerous about Ekans is that it specifically targets industrial control systems. It blocks software processes that are specific to IACS, which could prevent operators from monitoring or controlling operations. The consequences could be devastating for human lives and for the environment.
IT vs. OT
Many power stations and industrial plants are not equipped to deal with these threats. A key issue, according to a recent IEC Technology Report, is that cyber security is too often understood only in terms of IT (information technology). Those responsible for security often overlook the operational constraints in sectors such as energy, manufacturing, healthcare or transport. The growth of connected devices has accelerated the convergence of the once separate domains of IT and operational technology (OT). From a cyber security perspective, the challenge is that unlike business systems, IACS are actually designed to facilitate ease of access from different networks.
That is because industrial environments have to cope with different kinds of risk. Where IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance. Priorities for OT environments focus on health and safety and protecting the environment. In the event of an emergency in order to be able to protect personnel or to minimize the impacts of natural disasters, it is therefore vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment.
Protecting SCADA systems
SCADA systems, which are used to oversee electric grids as well as plant and machinery in industrial installations, often rely on “security by obscurity”, reflecting the ingrained mindset that since no one knows or cares about their communications systems or their data, they don’t need to protect it. However, SCADA systems can now have widespread communication networks increasingly reaching directly or indirectly into thousands of facilities, with increasing threats (both deliberate and inadvertent) potentially causing serious harm to people and to equipment. The retrofitting of appropriate and effective security measures has therefore become quite difficult for these SCADA systems. In the world of IT, for example, intrusion detection and prevention systems (IDPSs), are on the frontline of defence against malware. IDPSs are usually software applications that eavesdrop on network traffic. Depending on how they are configured, IDPSs can do everything from reporting intrusions to taking actions aimed at preventing or mitigating the impact of breaches. The challenge with SCADA systems is how to distinguish between normal data and potentially intrusive data that could cause harm.
“If the intruder uses well-formed protocol messages, the IDPS may not recognize it as an intrusion,” explains smart grid cyber security expert Frances Cleveland, who is the convenor of IEC Technical Committee 57 Working Group 15 that develops IEC 62351 standards for power system operations.
“The best solution is for SCADA systems to use security with their communication protocols,” she says. “Security does not necessarily mean encrypting messages, but at least adding authentication and authorization as well data integrity checking, while still allowing packet-inspection of the messages themselves which can help IDPSs determine if invalid data is being passed.”
International standards and conformity assessment
International standards provide solutions to many of these challenges based on global best practices. For example, IEC 62443, is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.
The industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.
In an ideal world, power stations and other critical infrastructure would be secure-by-design. In addition to security standards for key communication protocols, IEC 62351 provides guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. The thinking is that trying to patch on security after the fact can at best be only a quick fix and at worst comes too late to prevent the damage being done.
A holistic approach
A recently published IEC report on cyber security recommends prioritizing resilience over other more traditional cyber defence approaches. The report says that achieving resilience is largely about understanding and mitigating risks, as well as being able to detect and cope with security events when they happen. There is no way to prevent them completely. Even secure-by-design systems, although safer, require continuous and pervasive monitoring. IEC Standards for cyber security emphasize the importance of applying the right protection at the appropriate points in the system, while paying attention to safety, security and the reliability of processes.
It is vital that this process is closely aligned with organizational goals because decisions about what steps to take to mitigate the impact of an attack can have operational implications. “Resilience is not just a technical issue,” warns the IEC report, “but must involve an overall business approach that combines cyber security techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions”.