Cyber War!

The year 2011 may have forever changed the way we think about the security of networks and systems. Following a year many are calling the “year of the hack,” security professionals have fundamentally changed their outlook when it comes to the threat of a network breach. Whereas previously, many considered a breach unlikely and more of an “if” scenario, many have shifted to a mindset of “when.”

Week after week one company after another was breached with high profile impact. Unfortunately public utilities were no different. In November 2011, the deputy assistant director of the FBI's Cyber Division, Michael Welch, told a London cyber security conference that hackers had recently accessed the critical infrastructure in three U.S. cities by compromising their Internet-based control systems.

Around that same time separate reports surfaced regarding hacks into water utilities in Illinois and Texas. These incidents likely led to a reissued warning in December by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS). This warning was targeted to control system owners and operators addressing their potential vulnerability to cyber intrusion and attack on their industrial control systems and supervisory control and data acquisition (ICS-SCADA) systems mainly through their remote access and monitoring systems, which often have no firewall protection and weak authentication systems.

Public utilities provide critical infrastructure, and that makes them a target for cyber war, terrorism, crime, and hacktivism.

These recent incidents highlight concerns shared by many when it comes to cyber security practices and standards employed in the defense of critical infrastructure.

World Wide War

Since American Presidential Directive PDD-63 concerning critical infrastructure protection (CIP) was enacted in May of 1998, progress has been made. However, one has to question whether we’ve caught up or fallen further behind.

2011 was a defining year for the hacktivist, with many government and corporate networks targeted in support of various social causes.

The increasing connectedness of infrastructure not only makes us more vulnerable to cyber security attacks but increases the cascading effect an attack can have on other infrastructure sectors and capabilities. When PDD-63 was enacted, it’s likely those same hacked water utilities weren’t even accessible via the Internet. Today, much, if not most, of our critical infrastructure is either directly connected to the Internet or indirectly via corporate networks that are.

The critical infrastructures public utilities provide make them a target of interest for a variety of threats. The catalysts behind these threats fall into the following primary categories: cyber war, cyber terrorism, cyber crime, and hacktivism.

The United States is the superpower of cyber warfare, but we aren’t alone in possessing these capabilities. As other countries have evaluated their offensive and defensive warfare postures, cyber warfare has become a fundamental capability of many nation states. Cyber warfare is a unique and powerful weapon. It can provide a meaningful deterrence against countries with superior conventional forces. If a country were able to demonstrate the ability to bring down another’s countries energy grid, that countries military and diplomat options could be significant constrained and influenced.

While the threat of cyberwar might seem alarmist, it can’t be ignored. The United States has in the neighborhood of 20,000 cyber warriors. China and Russia have similar numbers. Most European nations have forces along with bad actor nations such as North Korea and Iran. Our country and others wouldn’t be investing in training and maintaining cyber-war forces if these threats were not real.

In June of 2010, Stuxnet gave us a glimpse into the capability of nation states when they harness their tremendous resources in pursuit of cyber war. Stuxnet was an elaborate piece of malware written by a well-funded and highly capable team of software engineers. It was specifically designed to target and compromise Siemens ICS-SCADA systems (PCS 7, WinCC, STEP7, S7 PLC). Furthermore, it was programmed to target ICS-SCADA systems with unique hardware and configuration characteristics. It’s widely believed Iran was the target of Stuxnet and that Stuxnet was successful in damaging their uranium enrichment capabilities, possibly setting them back by years in their pursuit of a nuclear weapon.

While a weapon like Stuxnet isn’t known to have targeted the United States, the U.S. has been victimized by another form of cyber warfare – state-backed cyber espionage. In 2011, an unprecedented amount of intellectual property was exfiltrated from U.S. corporate and government entities by nation state-backed hackers.

Cyber terrorism poses a similar threat as cyber warfare. The main difference between the two is the scope of resources and capabilities that can be applied. However, a cyber-terrorist organization colluding with a nation state or criminal interests could be a potent threat. However, unlike nations, cyber terrorists don’t concern themselves with international laws against targeting civilians or civilian infrastructure.

Cyber crime and hacktivism are two other threats utilities need to be concerned with. 2011 was a banner year for cybercriminals. Able to leverage a significantly mature cybercrime supply chain, an increasing number of companies found themselves targets as cybercriminals had more options and means of monetizing their illegal activities. 2011 was a defining year for the hacktivist as well with many government and corporate networks targeted in support of various social causes.

The reasons a cybercriminal or hacktivist might target a public utility are different. The prior might do so in an effort to extort money less services be disrupted. Insider threats must also be considered whether acting on their own (i.e., fraud) or in voluntary or forced collusion with another. A hacktvist might target a utility in support of environmental activism or other social causes deemed to be unseemly in the eyes of activists.

SCADA Vulnerabilities

Regardless the type of threat, their target is most often the ICS-SCADA environments that support the core services utilities deliver. A fundamental challenge utilities face is that ICS-SCADA was not designed to be secure. Much of the existing infrastructure was developed and implemented prior to the rise of the Internet. Security was most often thought of in the physical sense. Nobody imaged ICS-SCADA devices and their associated serial protocols would later be converted to Internet Protocol (IP) and made accessible to untrusted networks. Many ICS-SCADA devices employ very basic, easily defeated authentication methods. They transmit data in clear text and have limited or non-existent logging capabilities. Furthering the challenge, ICS-SCADA devices employ proprietary operating systems and legacy CPUs where integrated security capabilities are hard if not impossible to introduce.

Furthering this challenge is that most utilities have had a bias and focus on availability of ICS-SCADA vs. security. They either haven’t, or are just beginning to invest in the people, processes, and technologies required to secure this infrastructure. Compliance standards such as NERC-CIP have had a highly motivating effect on some utilities verticals but others lack similar guidance and budgetary motivation.

Fortunately, with focus and resources applied, ICS-SCADA can be secured. The approach to securing ICS-SCADA is similar to securing any high value cyber asset with a few notable differences. Because the primary operational objective of ICS-SCADA is availability, changes to existing infrastructure might not be possible or feasible in support of typical best practice security design. Introducing traditional network security devices may not be feasible based on network latency concerns. Installing security software directly on ICS-SCADA devices is most often not an option. For these reasons, an approach of protective monitoring must be taken.

A protective monitoring approach to security requires the deployment of typical preventative technologies (e.g., firewalls, IPS, anti-virus, etc.) where possible while introducing aggressive real-time monitoring practices across the IT infrastructure supporting high value cyber assets. The objectives of a protective monitoring approach are to: deflect attacks whenever possible, identify successful or pending breaches automatically and in real-time, provide effective situational awareness and intelligence around a breach, and enable swift remediation actions.

To implement a protective monitoring approach, the ICS-SCADA environment must be well understood. All ingress/egress points to/from ICS-SCADA must be identified and protected. This includes private connections to corporate networks as well as the Internet. The ICS-SCADA environment must be considered a separate, private environment that must be protected from any connected entity, whether thought to be trusted or not. Threats will compromise corporate and partner networks if they provide access to the ICS-SCADA environment they are after.

At each ingress-egress point, aggressive monitoring should be introduced. Logs from all network security devices should be centralized in a security information and event management (SIEM) solution. Intrusion detection and prevention systems (IDS/IPS) ideally should be deployed with logs also forwarded to the SIEM. Lastly, network flow data should be forwarded to the SIEM. Network flow logs report on a host and device network communications. This data can be extremely useful in identifying abnormal network communication patterns that can indicate the ICS-SCADA environment has been breached.

Remote authentication paths into ICS-SCADA environments must be highly controlled. Security gateways such as the SEL-3620 Ethernet Security Gateway ideally should be deployed. These devices can provide strong authentication mechanisms into and within the ICS-SCADA environment. Logs from all authentication systems should be collected by the SIEM. This data can be extremely useful in identifying compromised user accounts and insider threats.

If security software can be installed directly on ICS-SCADA systems and devices, events and logs generated should be collected by the SIEM. If ICS-SCADA devices generate their own system, application, or audit logs, these should be collected by the SIEM. Logs from physical security devices such as badge readers and locked enclosures should be collected by the SIEM as well. These logs can be correlated against other logs to identify physical breaches occurring at remote sites.

With preventative technologies in place and logs from all systems centralized, a next generation SIEM can be used to continuously monitor activity across the ICS-SCADA environment for sign of breach with key personnel being notified immediately. Ideally the SIEM should provide an intelligent, automatic remediation capability that allows for tested and approved countermeasures to be immediately and automatically taken. If further analysis is required, the SIEM’s log management and analysis capabilities should provide deep forensic analysis and decision support capabilities.

Hardening Processes

Of course technology is not enough by itself. An effective organizational process must be implemented to support responding to an incident in a timely and effective manner. Organizations that don’t possess the internal capability of designing, implementing, and maintaining effective technology and process might want to consider a managed security services provider (MSSP) to help them fill organizational capability gaps.

Unfortunately, it’s likely to only get worse for utilities when it comes to the threat landscape. Nation states will continue to test and hone their cyberwarfare capabilities. Cyberterrorist capabilities are likely to rapidly improve and critical infrastructure is an ideal target when it comes to low-risk, high-impact strikes. Cybercriminals continue to look for new ways to steal and extort. Hacktivists seem to get bolder by the day and some utilities will likely find their ire. Fortunately, taking a protective monitoring approach to securing ICS-SCADA environments is an extremely effective way to thwart these and other threats.

ABOUT THE AUTHOR: Chris Petersen is CTO and co-founder of LogRhythm, a leading log management and SIEM 2.0 IT security company based in Boulder, Colo.