Whenever the power goes out, modern life comes to a sudden halt. If water and communications links are also cut, the impact on residents, businesses and government services is vast.
Critical National Infrastructure (CNI) now supports everything from homes and offices to factories and transportation networks. It’s easy to take CNI for granted, but if disruption occurs, the implications are huge and can potentially affect millions of people.
For this reason, the physical security of CNI plants and assets has long been a focus for governments and service providers. When looked at in the context of modern global terrorism, such a focus is understandable. Preventing criminals from accessing power plants, pumping stations and control rooms is vitally important.
The cyber security dimension
While physical security has long been a priority when it comes to CNI, cyber security is often less so. This means the industrial control systems (ICS) that sit at the heart of much CNI, such as supervisory control and data acquisition (SCADA) systems, aren’t always as secure as they need to be.
This is a very worrying situation when you consider that attacks on these systems are already taking place. In 2017, Ireland’s electricity transmission grid, EirGrid, was attacked by what were believed to be state-sponsored cybercriminals.
Meanwhile, security company Symantec provided further evidence of the scale of the threat facing CNI when it reported in September 2017 that the Russian-linked hacker group Dragonfly had penetrated power grid networks in both the United States and Europe.
The high-level ICS and SCADA systems within CNI oversee and coordinate the operation of plants and machinery and have the ability to control large-scale processes across multiple sites and large distances. They connect with other controllers to monitor processes and issue commands and are designed primarily for reliability, safety and uptime – rather than security.
The problem with interconnections
A big security challenge stems from the fact that, historically, SCADA systems have been fairly isolated and unconnected. This, however, is changing and it’s now common for them to link with other corporate networks and even the public internet. This is a result of CNI providers looking for ways to generate efficiencies and enable new services.
Another concern stems from the fact that SCADA systems often use legacy operating systems that haven’t been updated to cope with more modern cyber threats. They often lack basic security practices and are not regularly patched. Often there are no antivirus tools installed, no back-ups taken and no network filtering or access control deployed, leaving them vulnerable to attack.
Because they also tend to be embedded in critical tasks and have complex change control processes, it’s difficult to update or replace them.
While perimeter protection can help make SCADA and ICS more secure, cyber threats are becoming increasingly sophisticated and fast moving. It’s likely attackers will find a way through even these defences if they feel the target is worth the effort.
Real-time monitoring and analysis
With the number of threats against CNI continuing to climb, operators must be encouraged to take a more IT-centric approach to security. Indeed, it’s good practice for them to make use of real-time network monitoring and forensics to ensure all activity within their infrastructures can be seen.
Because a number of legacy and embedded systems generate data that ends up in separate storage siloes, the creation of a central data lake can also help. This involves combining the data and storing it centrally. Once there, it can be accessed by analytics tools that can support machine learning and automation.
Such a central data repository will support user and entity behaviour analytics (UEBA) that can detect and respond to intrusion attempts and unusual behaviour. For example, a user could be accessing information in larger quantities than normal, or for an area of work they don’t normally deal with. While this activity may be perfectly innocent behaviour, it could indicate the account has been compromised.
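The kind of check described above, as an added example that is not part of the original article: a small behaviour baseline built from constructed access-log lines, which flags a user touching an area they don’t normally work in or pulling far more records than their usual volume. The CSV-style log format, the user and area names, and the z-score threshold are all assumptions for illustration.

```python
"""Added example (not from the original article): a minimal user and entity
behaviour baseline over constructed access-log lines. Assumes a simple
'date,user,area,records' CSV format that the article never specifies."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: five days of "normal" access per user.
BASELINE_LOG = """\
2017-09-01,alice,billing,120
2017-09-02,alice,billing,110
2017-09-03,alice,billing,130
2017-09-04,alice,billing,115
2017-09-05,alice,billing,125
2017-09-01,bob,scada-hmi,40
2017-09-02,bob,scada-hmi,35
2017-09-03,bob,scada-hmi,45
2017-09-04,bob,scada-hmi,38
2017-09-05,bob,scada-hmi,42
"""

# Constructed sample data: the next day, including two suspicious events.
NEW_LOG = """\
2017-09-06,alice,billing,118
2017-09-06,alice,scada-hmi,20
2017-09-06,bob,scada-hmi,900
"""


def parse_log(text):
    """Parse the assumed 'date,user,area,records' format into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, area, count = line.split(",")
        rows.append((date, user, area, int(count)))
    return rows


def build_baseline(rows):
    """Per user: the set of areas normally accessed and daily-volume stats."""
    areas = defaultdict(set)
    volumes = defaultdict(list)
    for _, user, area, count in rows:
        areas[user].add(area)
        volumes[user].append(count)
    stats = {user: (mean(v), pstdev(v)) for user, v in volumes.items()}
    return areas, stats


def score_events(rows, areas, stats, z_threshold=3.0):
    """Return (user, area, count, reasons) for each event that deviates
    from the user's baseline, either by area or by volume."""
    findings = []
    for _, user, area, count in rows:
        reasons = []
        if user not in areas:
            reasons.append("unknown user")
        else:
            if area not in areas[user]:
                reasons.append("area outside normal scope")
            mu, sigma = stats[user]
            # A flat baseline has zero spread; fall back to 1.0 so it still scores.
            z = (count - mu) / (sigma or 1.0)
            if z > z_threshold:
                reasons.append(f"volume z-score {z:.1f} above {z_threshold}")
        if reasons:
            findings.append((user, area, count, reasons))
    return findings


def run_demo():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    areas, stats = build_baseline(parse_log(BASELINE_LOG))
    return score_events(parse_log(NEW_LOG), areas, stats)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

As the article notes, a hit here is a prompt for investigation rather than proof of compromise: alice opening a SCADA HMI area for the first time may be a legitimate change of duties, so the output is a prioritised queue for an analyst, not an automatic block.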
The role of SIEM
Once such anomalies have been detected, CNI organisations must then quickly respond to them. This is where security incident and event management (SIEM) can play a key role, by flagging and prioritising activity for further investigation by security analysts and automating the containment of threats.
If, for example, the temperature in a power generator appears to be rising, the situation needs to be investigated to determine whether it’s a real problem or rather spoofed data generated by an attacker to interrupt supply.
The latest SIEM technology can also ingest data from hundreds of different technologies, log it and create audit trails – something that’s particularly relevant when it comes to ICS and SCADA. SIEM can translate a huge range of machine data (such as error codes) into a standardised language, enabling analysts to identify even the most unusual cyber threats.
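The two SIEM behaviours described above (translating machine data into a common schema, and deciding whether a rising generator temperature is worth escalating) as an added example that is not part of the original article and is not LogRhythm’s product code. It normalises two constructed record formats into one event type, prioritises by severity, and applies a simple physical-plausibility check: a reading that climbs faster than the generator could heat is either a real fault or data the sensor could not have produced, and either way an analyst should look at it. The vendor error codes, the record formats and the 5 °C-per-minute limit are all assumptions.

```python
"""Added example (not from the article or any vendor): normalising
heterogeneous log records into one event schema, prioritising them, and
flagging temperature readings that rise implausibly fast."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed vendor error-code table (constructed, not real codes).
ERROR_CODES = {
    "E101": ("overtemp_warning", "medium"),
    "E205": ("sensor_fault", "high"),
}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Event:
    """The standardised form every raw record is translated into."""
    ts: datetime
    source: str
    kind: str
    severity: str
    value: Optional[float] = None


# Constructed samples: syslog-style telemetry lines and PLC-style records.
SAMPLE_LINES = [
    "2017-09-06T10:00:00Z gen1 temp=71.5",
    "2017-09-06T10:01:00Z gen1 temp=72.0",
    "2017-09-06T10:02:00Z gen1 temp=73.1",
    "2017-09-06T10:03:00Z gen1 temp=140.0",
    "PLC|2017-09-06T10:03:05Z|gen1|E101",
    "PLC|2017-09-06T10:04:00Z|gen2|E999",
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) temp=([\d.]+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise(line):
    """Translate one raw record into the common Event schema."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, src, temp = m.groups()
        return Event(parse_ts(ts), src, "temperature", "info", float(temp))
    if line.startswith("PLC|"):
        _, ts, src, code = line.split("|")
        # Unknown codes are kept rather than dropped, so nothing is silently lost.
        kind, sev = ERROR_CODES.get(code, ("unknown_code", "low"))
        return Event(parse_ts(ts), src, kind, sev)
    raise ValueError(f"unrecognised record: {line!r}")


def prioritise(events):
    """Highest severity first; stable sort keeps arrival order within a level."""
    return sorted(events, key=lambda e: SEVERITY_RANK[e.severity], reverse=True)


def check_temperature_plausibility(events, max_rise_per_minute=5.0):
    """Return (source, previous, current, rate_per_minute) for each reading
    whose rise exceeds the assumed physical heating limit of the plant."""
    alerts = []
    last = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "temperature":
            continue
        prev = last.get(ev.source)
        if prev is not None:
            minutes = (ev.ts - prev.ts).total_seconds() / 60.0
            rate = (ev.value - prev.value) / minutes if minutes > 0 else float("inf")
            if rate > max_rise_per_minute:
                alerts.append((ev.source, prev.value, ev.value, round(rate, 1)))
        last[ev.source] = ev
    return alerts


def run_demo():
    """Normalise SAMPLE_LINES, then return (prioritised events, alerts)."""
    events = [normalise(line) for line in SAMPLE_LINES]
    return prioritise(events), check_temperature_plausibility(events)


if __name__ == "__main__":
    queue, alerts = run_demo()
    for ev in queue:
        print(ev)
    for alert in alerts:
        print("investigate:", alert)
```

The plausibility check deliberately does not decide between “real overheating” and “spoofed telemetry”; it only establishes that the reading deserves an analyst’s attention, which is the triage role the article assigns to SIEM. In practice the rate limit would come from the plant’s engineering data rather than a constant in code.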
Deploying security technologies such as SIEM onto ageing ICS and SCADA systems isn’t likely to be a straightforward process. Customised interfaces may be required to allow data to be collected and analysed.
However, these challenges should not prevent CNI operators from undertaking such a project. Overcoming challenges now will mean critical infrastructures will be much better prepared to prevent attacks in the future.
By Simon Howe, LogRhythm