Protecting Critical Infrastructure
5 Things the C-Suite Needs to Understand
© 2016 FrontLine Security (Vol 11, No 3)

“But... We Have a Very Robust IT Cyber Security System!”

While the typical CEO, IT director, or plant manager feels quite confident that they have a security system that will keep the foxes away from their IT coop, many have no idea that there is a viper, coiled and ready to strike at their unprotected plant, grid, refinery or other critical infrastructure where they deploy Operational Technology (OT). Why? First of all, many aren’t aware that or how their control system innovations can be exploited.

Perhaps the most famous hack on an OT-based critical infrastructure system was that of a German factory. In December 2014, the BBC reported, “A blast furnace at a German steel mill suffered ‘massive damage’ following a cyber attack on the plant’s network, says a report [... from] the German Federal Office for Information Security (BSI). It said attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.”

In a more recent example, it was reported in December 2015 that a breach of the control system of a dam outside New York had been attributed to Iran-based hackers.

You probably do use Operational Technology, but your IT security system isn’t protecting it. Here are five reasons why:

  1. OT and IT Security Live in Very Different Environments
    IT security lives in the context of an IT stack with tools from many vendors – network, servers, storage, apps and data. It’s in a periodically updated ecosystem, where most hosts are talking to lots of other hosts, and where there are frequent patch cycles (in weeks, or sometimes days) in response to expected and known cyber threats. IT security basically protects data (information), not machines.

    In OT, what needs protection is not data but high-value, well-defined industrial processes – in factories, pipelines and airplanes, for example – that execute across a mix of proprietary devices from many different manufacturers. Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have rarely been patched, and were not built to withstand modern attacks. Surprisingly, many operators don’t know what is actually transpiring on their Industrial Internet and, even if hacked, would have no knowledge of the assault.

  2. OT and IT Security Have Very Different Goals
    While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether the threat comes from outside (hackers or state-sponsored actors) or inside (human error), in an environment where companies are operating drills, electric grids, MRIs or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems, in which even a couple of minutes of downtime can cost tens of thousands of dollars.
  3. Patching is an IT Security Solution; Patching is an OT Security Nightmare
    The cornerstone of IT enterprise security is software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system: many organizations don’t have the infrastructure to qualify patches, that is, to verify that a patch does not affect any of the software controlling their process, and so have to depend on their vendors to test and confirm that a new patch will not disrupt control of the process. That takes a lot of time.

    Secondly, many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems.

    Lastly, applying a patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To avoid turning off the operation when patching, the fix must instead be delivered as a so-called virtual patch: a rule, pushed to a security device that sits inline directly in front of the control unit, that blocks traffic exploiting the vulnerability while the system continues to produce. A virtual patch is a compensating control, not a repair: the underlying flaw stays in the device until the vendor-qualified patch can be applied at the next planned outage.

  4. The IoT Has Minimal Impact on IT Security, but Has Maximum Impact on OT Security
    The Internet of Things (IoT) simply produces additional data for IT security to guard. From an OT security viewpoint, however, a compromised IoT device can mean changes to the physical process, with consequences for both the organization’s financial results and the safety of its employees.

    To improve OT security, an IoT device that needs to be directly accessible over the Internet should be placed in its own network segment, with access restricted to the hosts and ports it actually needs. That segment should then be monitored for anomalous traffic, for instance a device reaching into the control network or an inbound connection from a host that has no business talking to it, and action taken when something is found.

  5. Only Recently have OT Security Solutions been Getting the Focus Previously Held by IT Security
    Cyber attacks on critical infrastructure processes can result in significant downtime and productivity loss. As a result, more and more organizations are now implementing an OT network security solution that combines firewall protection, intrusion prevention (IPS) and application visibility and control (AVC) to monitor and block malicious activity, keeping operations highly available. Aware companies are now devoting as much attention to their OT as they have historically given to IT.
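Point 3 above describes delivering the fix to a security device that sits directly in front of the control unit instead of patching the device itself. The following Python is an added example of what such an inline filter does; it was written for this page and is not code from the article, from Wurldtech or from any GE product. It assumes Modbus/TCP as the control protocol, and the host addresses and policy (HMIs may only read, only the engineering workstation may write, read quantities are clamped to the limits given in the Modbus specification) are invented for illustration. Because it parses the MBAP header, it drops malformed and out-of-range requests before an unpatched device ever sees them.

```python
"""Protocol-aware filter of the kind that can sit inline in front of a
controller as a compensating control while a vendor patch is pending.
Added example: Modbus/TCP as the control protocol, the host addresses
and the policy are all assumptions; none of it is Wurldtech or GE code."""
import ipaddress
import struct

# Public function codes from the Modbus Application Protocol specification.
READ_CODES = {1, 2, 3, 4}              # coils, discrete inputs, holding regs, input regs
WRITE_CODES = {5, 6, 15, 16, 22, 23}   # single/multiple coil and register writes
# Maximum quantity per read request, per the specification.
READ_LIMITS = {1: 2000, 2: 2000, 3: 125, 4: 125}

# Hypothetical policy: HMIs may only read; only the engineering
# workstation may write; anything else is dropped.
HMI_HOSTS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
ENGINEERING_WS = ipaddress.ip_address("10.20.0.50")

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


class ModbusFrameError(ValueError):
    pass


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP request; the length field counts unit id + PDU."""
    return struct.pack("!HHHB", tid, 0, len(payload) + 2, unit) + bytes([fc]) + payload


def parse_request(frame: bytes) -> dict:
    """Parse the MBAP header and return the function code and PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("frame too short")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ModbusFrameError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ModbusFrameError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[MBAP_LEN], "pdu": frame[MBAP_LEN:]}


def decide(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'drop:<reason>' for one request frame from src_ip."""
    try:
        req = parse_request(frame)
    except ModbusFrameError as e:
        return f"drop:malformed ({e})"
    src = ipaddress.ip_address(src_ip)
    fc, pdu = req["fc"], req["pdu"]
    if fc in READ_CODES:
        # A read PDU is fc(1) + start address(2) + quantity(2).  Enforcing the
        # spec's quantity limit here means an unpatched device never has to
        # handle an out-of-range request itself.
        if len(pdu) != 5:
            return "drop:malformed (read PDU must be 5 bytes)"
        qty = struct.unpack("!H", pdu[3:5])[0]
        if not 1 <= qty <= READ_LIMITS[fc]:
            return f"drop:quantity {qty} outside spec limit for function {fc}"
        if src in HMI_HOSTS or src == ENGINEERING_WS:
            return "allow"
        return f"drop:read from {src} not in policy"
    if fc in WRITE_CODES:
        if src == ENGINEERING_WS:
            return "allow"
        return f"drop:write function {fc} from non-engineering host {src}"
    return f"drop:function {fc} not permitted by policy"


if __name__ == "__main__":
    # Constructed sample traffic: an HMI read, an HMI write, the same write
    # from the engineering workstation, and an over-length read that a
    # fragile device should never see.
    samples = [
        ("10.20.0.11", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),
        ("10.20.0.11", build_request(2, 1, 6, b"\x00\x01\x00\xff")),
        ("10.20.0.50", build_request(3, 1, 6, b"\x00\x01\x00\xff")),
        ("10.20.0.11", build_request(4, 1, 3, b"\x00\x00\x01\x00")),
    ]
    for src, frame in samples:
        print(src, frame.hex(), "->", decide(src, frame))
```

The filter never modifies a frame; it either forwards it unchanged or drops it, which is what makes this kind of control deployable in front of a device whose firmware cannot be touched. The same structure extends to other function codes or protocols by adding to the code sets and the per-function sanity checks.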
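Point 4 above says to put an Internet-facing IoT device in its own segment, restrict its access, and monitor the segment for anomalous traffic. This added Python example, not code from the article or its author, shows what that monitoring looks like when run over flow records: it checks each flow against an explicit allow-list for the segment and reports devices that have started talking to peers they never talked to before. The segment addresses, the collector and NTP hosts, the record format and every record are constructed assumptions.

```python
"""Audits flow records for a segmented IoT network against an explicit
allow-list and reports devices that have started talking to new peers.
Added example; the segments, the collector/NTP addresses and every flow
record below are constructed for illustration, not taken from any real
deployment."""
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")      # Internet-facing IoT devices
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")       # control network
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # anything else counts as Internet

# Hypothetical policy: outbound, an IoT device may reach only the telemetry
# collector (MQTT over TLS) and the NTP server; inbound, only the collector
# may poll the device's own HTTPS API.
ALLOWED_OUTBOUND = {("10.10.0.5", "tcp", 8883), ("10.10.0.7", "udp", 123)}
ALLOWED_INBOUND = {("10.10.0.5", "tcp", 443)}


def parse_flow(line: str) -> dict:
    """One record per line: '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(f: dict):
    """Return a reason string if the flow violates the segment policy, else None."""
    src_iot, dst_iot = f["src"] in IOT_SEGMENT, f["dst"] in IOT_SEGMENT
    if src_iot and dst_iot:
        return "lateral traffic inside the IoT segment"
    if src_iot:
        if (str(f["dst"]), f["proto"], f["dport"]) in ALLOWED_OUTBOUND:
            return None
        if f["dst"] in OT_SEGMENT:
            return "IoT device reaching the OT control segment"
        return "IoT device reaching an unapproved destination"
    if dst_iot:
        if (str(f["src"]), f["proto"], f["dport"]) in ALLOWED_INBOUND:
            return None
        if not is_internal(f["src"]):
            return "inbound connection from the Internet to an IoT device"
        return "inbound connection to an IoT device from an unapproved host"
    return None  # flow does not touch the IoT segment


def audit(lines):
    """Return (timestamp, src, dst, reason) for every policy violation."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        reason = check_flow(f)
        if reason:
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), reason))
    return findings


def outbound_peers(lines):
    """Map each IoT device to the set of destinations it connected to."""
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["src"] in IOT_SEGMENT:
            peers[str(f["src"])].add(str(f["dst"]))
    return peers


def new_peers(baseline_lines, current_lines):
    """Peers each IoT device talks to now that it never talked to in the baseline."""
    base, cur = outbound_peers(baseline_lines), outbound_peers(current_lines)
    return {dev: cur[dev] - base[dev] for dev in cur if cur[dev] - base[dev]}


# Constructed sample records (203.0.113.9 is a documentation address).
BASELINE = [
    "2016-07-01T10:00:00 10.50.0.21 10.10.0.5 tcp 8883",
    "2016-07-01T10:00:05 10.50.0.22 10.10.0.5 tcp 8883",
    "2016-07-01T10:00:10 10.50.0.21 10.10.0.7 udp 123",
]
TODAY = [
    "2016-07-02T10:00:00 10.50.0.21 10.10.0.5 tcp 8883",
    "2016-07-02T10:00:03 10.50.0.21 10.20.0.50 tcp 502",
    "2016-07-02T10:00:07 203.0.113.9 10.50.0.22 tcp 23",
    "2016-07-02T10:00:09 10.50.0.22 10.50.0.21 tcp 22",
    "2016-07-02T10:00:12 10.10.0.5 10.50.0.22 tcp 443",
    "2016-07-02T10:00:15 10.10.0.99 10.50.0.22 tcp 443",
]

if __name__ == "__main__":
    for finding in audit(TODAY):
        print(*finding)
    print(new_peers(BASELINE, TODAY))
```

The allow-list check is the "restricted access" half of the point and the new-peer comparison is the "anomalous traffic" half: a device that suddenly opens port 502 into the control segment, or starts being probed from the Internet on telnet, shows up in both reports even though the device itself has logged nothing.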

The Problem Will Only Get Bigger
Today, the industrial world runs on critical physical assets and embedded systems known as operational technology (OT). Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day. However, this growing number of connected devices also greatly expands the cyber attack surface. Every new connection adds to that which the Security Department must protect.

Adding to the difficulty, those who attack the Industrial Internet face a lower-risk, higher-reward dynamic than those who attack Information Technology (IT) networks. Operational Technology (OT) attackers have little chance of getting caught and a high payoff if they get through: whereas IT attackers end up with data, OT attackers can cause immense havoc, such as disabling a factory or turning off the electrical grid. Thus, OT attackers are much more persistent once they decide to target a site. In fact, the odds are stacked in favor of the OT attacker by deteriorating network perimeters and the rapid increase in connected devices. In spite of such realities, a great deal of budget is typically spent on IT cyber security, and not so much on OT security.

Since many security professionals don’t understand the Industrial Internet’s role in today’s chase for increased productivity, they don’t understand the threat. “Intruders can’t get into my critical infrastructure to create havoc because my Industrial Internet is air-gapped.” This is a legacy assumption that too many cyber-security professionals still count on. They believe that their Industrial Internet is truly and physically isolated from unsecured networks such as the public Internet or unsecured local area networks. They don’t appreciate that air-gapping, which may have been adequate several years ago, can no longer be relied upon.

Thus, today, there is a false sense of security in protecting a network on the grounds that it does not have, or may never have had, an active connection to an unsecured network. There are two major reasons why a true air gap cannot be relied upon.

Number One: Just because the system was designed to operate in isolation doesn’t mean it stays unconnected. An employee opening a malicious email on a workstation that also reaches the plant network, which is exactly how the German steel mill attackers obtained the logins they needed, is enough to bridge the gap.

And second, in today’s world, to raise productivity a system must be connected. Somewhere along the connectivity chain, the system is going to become attached – either deliberately or by mistake. In fact, most CISOs are more concerned about accidental actions by authorized users than about threats from external adversaries.

Implementing an OT Cyber Security System Is Only the Beginning
Once management has added an OT security solution, the job is not over. To get into OT systems, hackers leverage many different physical assets, including those within the enterprise security system itself, to gain access to the whole environment. They typically start with elements that give them a foothold on specific computers.

Interestingly, security people don’t seem to secure their own security equipment. For instance, IP wireless cameras are a favourite target of hackers. Card readers in the access control system are also easy to hack.

From such footholds, hackers can then go after the control systems directly. Because of this, it makes sense to employ a security and quality testing service to simulate attackers challenging your own system, so that you can “know yourself” and make sure you are controlling who is talking to whom. Also, be sure to ask the manufacturers of your mission-critical devices whether their products have been tested to withstand cyber attacks. Were the products monitored against both network and operational parameters during testing, so that vulnerabilities could be discovered and faults reproduced, isolated, identified and resolved before the products were brought to market? Are they certified as secure?

Lastly, management needs to ensure that the security experts they hire are certified and trained to assess, design and implement OT security in their particular industry environment. If the goal is to secure operational assets, reduce compliance penalties and enforce supplier security, they need such expertise.

Paul Rogers is President and CEO of Wurldtech, a General Electric (GE) company and General Manager of GE Industrial Cyber Security.