Cyber Resilience in Industrial Control SystemsJanuary 10, 2020 by Weston Floyd
Take a look at the concept of cyber resilience in control systems and how it relates to cybersecurity for critical infrastructure in the age of security vulnerabilities
National defense, corporate necessity, and social privacy imperatives govern the need to factor cyber resilience into modern industrial control architectures. Critical infrastructure is left exposed to surveillance and interference by foreign state actors without investment; shareholders risk severe losses through legal exposure, destruction, or theft of information and damage to the physical plant, and customers or clients may find their data compromised.
What initiatives are being implemented by the government to bolster industrial control cybersecurity?
What essential steps and strategies are crucial to consider if you are responsible for an industrial control system?
Examples of an (a) open loop, (b) forward-feed, and (c) feedback (closed-loop) control system. Image used courtesy of Alastair B. McDonald [CC-BY 3.0] based on Hopgood (2002)
What Is Critical Infrastructure?
Critical infrastructure is any collection of assets that are essential to the continued functioning of the society of any nation. These include the economy, energy generation, and distribution, living essentials supply like food and water, transportation, communications, and the health and safety of its citizens. Industrial control systems play a central role in such systems and must be protected.
Legacy infrastructure. Image used courtesy of Hoshner Sigmaniax [CC BY-SA 2.0]
How important is this to the Industrial Internet of Things (IIoT) space? The U.S Department of Homeland Security (DHS) has specified 16 critical infrastructure sectors considered to be so vital to the United States that damage could have devastating consequences:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
In addition to the US Department of Homeland Security, the Environmental Protection Agency, Department of Defense, Department of the Treasury, and Department of Agriculture are all involved in monitoring these 16 sectors. Because of the vital importance of these sectors, the issue of cyber resilience is considered a national priority.
The Surprisingly Low-tech US Government Infrastructure Cybersecurity Guidelines
At a CyberwarCon conference in Arlington, Virginia recently, a Microsoft security researcher ‘Ned Moran’ reported that Microsoft’s threat intelligence group has asserted that the Iranian government supported hacking team “Advanced Persistent Threat 33” (APT33) have shifted their active password spraying attacks on over 2,000 organizations per month to increased focus on manufacturers, suppliers, and maintainers of industrial control system equipment that underpins critical infrastructure such as the electrical grid.
“They’re going after these producers and manufacturers of control systems, and we don’t think they are the end targets. They’re trying to find a downstream customer, to find out how they work and who uses them. They are looking to inflict some pain on someone’s critical infrastructure that makes uses of these control systems”
The US government has adopted a strategy of securing the country's power grids by using ‘retro’ technologies in the wake of several attempts by foreign actors to launch cyberattacks on it.
The ‘Securing Energy Infrastructure Act (SEIA) requires the implementation of old analog and manual technology to isolate critical grid control systems to limit the extent of any physical damage, forcing adversaries to touch the target physically.
The U.S government has also mandated key automated systems replacement by low technology redundancies like manual procedures controlled by human operators. The solution was arrived at by examination of the 2015 cyberattack that took down the Ukrainian power grid.
If this is the nature of the solution derived for the electricity distribution network, how does this retro technology strategy impact industrial control systems in the remaining 15 critical infrastructure sectors?
This direction would seem utterly contrary to the technology trends of the day and must inevitably lead to additional system overheads, increased operational costs, and interface considerations.
There is a growing interest in cyber resilience in the private sector. The 2019 annual intellectual property report to Congress states that the combined cost of IP theft to the U.S government and companies is over $300 Billion/year.
There are now severe litigation risks in the IoT sector for those companies that do not implement a digital management strategy that incorporates cybersecurity, and these same pressures are even more concerning in the IIoT space.
As of January 1st, 2020, Californian law requires manufacturers to equip connected devices with a ‘reasonable security feature.’ Even more stringent, the European Union Cybersecurity Act is establishing a certification scheme that bolsters ENISA (the EU Agency for cybersecurity) by devices to improve safety and security. The FTC has bought enforcement actions against companies that don’t make adequate provision for this, and law firms are tooling up for an influx of litigation and class action lawsuits as the boundaries of the rather vague Californian regulations will undoubtedly be tested. Among the six security predictions for 2020 offered by IoT World Today, they claim that ‘secure by design’ strategies will become vital, and the market for managed security services will surge as companies will need to mitigate their legal exposure. They also predict that attackers will increasingly target building control systems as a conduit to get access to I.T data due to interconnectivity. Hackers using this strategy could also target networked industrial control systems to get access to critical data.
As enemy state actors increase their cyber warfare capability, hackers discover new cybercrime strategies, and cyber terrorists find new ways to infiltrate industrial controls, and cyber resilience strategies will have to incorporate response management plans. What happens when the industrial controller in the chemical plant is compromised? When should this be reported and to whom? What processes need implementing to mitigate for a compromised system or when an associated emergency event occurs? It is becoming increasingly vital for those engaged in the IIoT space to consider how the government handles an emergency management response so that if and when a catastrophe occurs, first-line responders can take corrective actions, and not exacerbate a crisis. Draft reference materials like Avoiding the Digital Maginot Line: Emergency Managers Guide to Modernizing Cyber Resilience by Dave Sweigert are beginning to become available that are focused on improving the cohesion of emergency response teams and improving the outcomes for stakeholders. There is still a tendency to focus upon attacks upon the data systems of telecommunications, health and safety, government and economic infrastructures. Programmable Logic Controllers (such as was the target of the Stuxnet virus) and SCADA systems are a very likely target in blended attack scenarios (those involving concurrent cyber and kinetic attacks).
FEMA conducts massive cornerstone exercises for validating progress towards achieving a culture of preparedness for catastrophic events every two years, called ‘National Level Exercises’ (NLE). NLE 2020 will focus on national cybersecurity preparedness. This collaborative effort between government and the private sector is the most massive exercise of its type ever conducted and differs in that it factors in the physical consequences of a cyber disaster. The U.S government Cybersecurity Division (CISA) considers the threat on industrial controls systems is so vital that it has a special page dedicated to industrial control systems to provide real-time alerts for critical infrastructure networks, advisories about current security issues, vulnerabilities and exploits, and considerable technical information useful to professionals engaged in protecting industrial control systems.
Why You Should Build Cyber Resilience into Your Control Systems
It would be nice to live in a world where system designers did not have to accommodate for bad actors. However, such fanciful thinking will not make the world a safer place, protect customer data, and it won’t prevent your company from being sued for negligence.
Building in cyber resilience is a vital aspect of industrial system design. Looking ahead, some consider artificial intelligence to possibly be the future intelligent gatekeeper, but this fails to recognize that, in the future, artificial intelligence may also be a tool of the aggressor.
Regardless, it may be useful to consider testing existing systems, modeling failure scenarios that incorporate cybersecurity or even using techniques like red (attack) vs. blue (defense) team style games to prove a system is robust.
Despite best efforts, failure occurs. Bear in mind that, in this situation, first responders need to be able to deal with the potential crisis and that requires taking measures in implementation and documentation that factor in their needs, considering the increasing levels of automation seen in many systems, manual controls are becoming few and far between, so this will become increasingly important.
Consider the interconnectedness of today’s systems and the interdependency of infrastructure. Systems not rigidly controlled by government safety regulations can become targets that could be used by bad actors to damage and disrupt the economy.
Uncle Sam and our shareholders ask us to adopt a culture of cyber resilience—how resilient are you?