Critical infrastructure facilities, whether they are power plants, national railway and local underground systems or other forms of public transport, are increasingly being targeted. Cyber attacks could cut off the supply of electricity to hospitals, homes, schools and factories. We rely so heavily on the efficient supply of electricity that its loss would also carry heavy implications for other vital services. A number of incidents in recent years demonstrate not only that the threat is tangible, but also that on more than one occasion we have escaped incurring nightmare consequences by the skin of our teeth.
The following three examples illustrate the evolution of cyber weapons, including malware designed to disrupt the operation of critical infrastructure. While the growing use of networked sensors and other connected devices in the industrial environment has brought benefits in terms of efficiency, it has also increased the attack surface.
Three times the world has held its breath
The 2010 attack on Iran’s nuclear plant at Natanz has a special place in the history books. The so-called Stuxnet malware made its first public appearance then, managing to bring the nuclear plant to a halt. The Stuxnet worm was engineered to damage motors commonly used in uranium-enrichment centrifuges by sending them spinning out of control. It succeeded in temporarily disabling 1 000 centrifuges.
Five years later, in December 2015, Ukraine experienced an unprecedented assault on its electricity grid. The attack led to widespread power outages. Hackers infiltrated three energy companies and shut down power generation temporarily in three regions of Ukraine. It left nearly a quarter of a million people without electricity for up to six hours in the middle of winter. Attackers used the BlackEnergy 3 malware to shut down the three substations. It is believed the malware was delivered in spear phishing emails, where it was hidden in fake Microsoft Office attachments.
The third and most alarming attack that we know about took place in 2017. Cyber terrorists assumed remote control of a workstation widely reported to be in Saudi Arabia. They used a new kind of malware, dubbed Triton, to take over the plant’s safety instrumented system (SIS). Again, the malware was configured specifically for industrial control systems, also known as operational technology (OT).
Investigators believe it was an act of sabotage meant to trigger an explosion by disabling the safety systems designed to prevent catastrophic industrial accidents. Previous attacks have focused on destroying data or shutting down energy plants. According to some reports, only a coding error prevented this from happening. Evidence points to another phishing or spear phishing attack.
What these incidents show us is that for at least the past decade hackers have been creating malicious code that targets operational technology. The fact that all three were triggered by malware also illustrates the need for adopting a holistic approach to cyber security that incorporates processes, technology and people.
The chief executive of cyber specialists Security in Depth, Michael Connory, recently told the Australian Broadcasting Corporation (ABC) that, “Ninety per cent of cyber attacks worldwide begin with an email”. It is axiomatic that security can only be as strong as the weakest link in the chain.
The other key issue is the importance of understanding the difference between IT and OT. Operational technology is becoming increasingly accessible, with threat vectors now extending to base-level assets such as smart thermostats. The challenge is that cyber security programmes are too often led by an IT approach. In reality, the operational constraints in industry sectors such as energy, but also in a variety of others including manufacturing, healthcare and transport, mean that an approach to cyber security is needed that also safeguards OT.
The primary focus of IT is data and its ability to flow freely and securely. It exists in the virtual world, where data is stored, retrieved, transmitted and manipulated. IT is fluid and has many moving parts and gateways, making it highly vulnerable and offering a large surface for a wide variety of constantly evolving attacks. Defending against attacks is about safeguarding every layer, continuously identifying and correcting weaknesses to keep data flowing.
OT, in contrast, belongs to the physical world, where it ensures the correct execution of all actions. While IT has to safeguard every layer of the system, OT is about maintaining control of systems which may be on or off, closed or open. OT systems are designed for specific actions such as ensuring that a generator is switched on or off, or that an overflow valve is open when a chemical tank is full. OT belongs in the physical world and is about ensuring the security and control of what in the past were usually closed systems. Everything in OT is geared to physically moving and controlling devices and processes to keep systems working as intended, with a primary focus on security and increased efficiency.
With the emergence of the industrial internet of things (IIoT) and the integration of physical machines with networked sensors and software, the lines between IT and OT are blurring. As more and more objects are connected, communicate and interact with each other, there has been a surge in the number of endpoints and potential ways for cyber criminals to gain access to networks and infrastructure systems.
Firefighting puts out the blaze but does not deal with the underlying causes. It is essential to start considering security threats during the initial design and development phase. In many instances, organizations only look at security after implementation, rather than building cyber resilience from the beginning of the development lifecycle. The work of IEC Technical Committee (TC) 57 provides a good example of the standardization of best practices.
Security by design
IEC TC 57 has created a working group (WG 15) to make power grids secure-by-design. The group, which evaluates requirements from a technology perspective and defines a standard way to implement them, has identified the components needed for a secure-by-design power system. These include the end-to-end encryption principle, the definition of roles for all users and identity management, as well as pervasive monitoring of the system itself.
“Everything we do today will remain tomorrow, but we need to change our focus,” says WG 15-member Moreno Carullo. “We need to shift from just looking for the bad guys to security-by-design."
Currently, the IEC 62351 family of standards (see IEC 62351-1: Introduction for an in-depth overview) depicts the architecture of a secure power system and standardizes its protocols and components. An interesting read for a better overview of it is IEC 62351-10: Security Architecture Guidelines for TC 57 Systems.
Standards and conformity assessment
The IEC believes that a holistic, risk-based approach is the best way to build cyber resilience. A risk-based approach can be highly effective, especially when based on an assessment of existing, or potential, internal vulnerabilities and identified, or possible, external threats. This works best as part of a holistic approach that combines standards with testing and certification, also known as conformity assessment, as opposed to treating them as distinct areas.
Such an approach increases the confidence of stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. A systems-approach works by prioritizing and mitigating risks to an acceptable level, which requires a neutral approach that accommodates different kinds of conformity assessment — ranging from self-assessment to independent, third-party testing — according to the different levels of risk.
Many organizations base their cyber security strategies on compliance with mandatory rules and regulations. This may lead to improved security, but cannot address the needs of individual organizations in a comprehensive manner. The most robust defences rely on both ‘horizontal’ and ‘vertical’ standards. Horizontal Standards are generic and flexible, while vertical standards cater to very specific needs. Two examples of horizontal Standards in particular stand out.
Horizontal and vertical standards
The ISO/IEC 27000 family of standards helps to protect purely information systems (IT) and ensures the free flow of data in the virtual world. It provides a powerful, horizontal framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls.
IEC 62443, the other horizontal standards series, is designed to keep OT systems running in the real world. It can be applied in any industrial environment, including critical infrastructure facilities such as power utilities or nuclear plants, as well as in the health and transport sectors. IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has created global certification services based on the IEC 62443 series.
Complementing the horizontal Standards are custom solutions designed to meet the needs of specific sectors. There are vertical standards covering the specific security needs of the nuclear sector, industrial communications networks, industrial automation and the maritime industry, among others.
The aim of any cyber security strategy is to protect as many assets as possible and certainly the most important assets. Since it is not feasible to protect everything in equal measure, it is important to identify what is valuable and needs greatest protection, identify vulnerabilities, then to prioritize and to erect defence-in-depth architecture that ensures business continuity.
Achieving resilience is largely about understanding and mitigating risks in order to apply the right protection at the appropriate points in the system. It is vital that this process is very closely aligned with organizational goals because mitigation decisions may have a serious impact on operations. Ideally, it should be based on a systems-approach that involves stakeholders from throughout the organization.
A key concept of defence-in-depth is that security requires a set of coordinated measures. There are four steps that are essential to realize in dealing with the risk and consequences of a cyber attack:
- Understand the system, what is valuable and what most needs protection
- Understand the known threats through threat modelling and risk assessment
- Address the risks and implement protection with the help of international standards, which are based on global best practices
- Apply the appropriate level of conformity assessment — testing and certification — against the requirements.
Another way to think of it is as the ABC of cyber security:
A is for assessment
B is for best practices to address the risk
C is for conformity assessment for monitoring and maintenance
A risk-based systems-approach increases the confidence of all stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively. This means combining the right standards with the right level of conformity assessment, rather than treating them as distinct areas.
The aim of the conformity assessment is to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. This may mean using different kinds of conformity assessment — ranging from corporate self-assessment or relying on a supplier’s declarations all the way through to independent, third-party assessment and testing — and selecting whichever is most appropriate according to the different levels of risk.
In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme is a proven and highly effective approach to building long-term cyber resilience. Standards and conformity assessment, however, can only have maximum impact as part of a risk-based approach based on a holistic assessment of threats and vulnerabilities. Such an approach incorporates not only technology, and processes, but also people, recognizing the essential role of training.