The Need to Secure CNI

The harm that can be delivered to critical national infrastructure (CNI) through a successful coordinated cyber-attack is no longer theoretical: actual events and scientific studies demonstrate this.

Lessons from Ukraine 

On December 23, 2015, Ukrainian power companies experienced power outages that affected hundreds of thousands of customers. An interagency team of American experts visited Ukraine, and has now officially classified the outages as the result of a malicious cyber-attack. Excluding the Stuxnet worm (often considered to be the world’s first cyberweapon), Ukraine is generally considered to be the first successful example of a coordinated attack against the energy sector of a critical national infrastructure.

There are lessons that can be learned from this attack. The first explains why a cyber-attack against a CNI is considered both more likely and more dangerous than a physical attack: it can be coordinated covertly with little chance of valid attribution. 

Initial press reports suggested that Russia was behind a state-sponsored, politically motivated attack. This was undoubtedly prompted by the geo-political situation in the region and the apparent Russian origin of some of the malware (BlackEnergy) thought to have been used by the attackers – but there is no evidence to verify this. Equally possible would be any hacking group sympathetic to Russia. There is such a group in Ukraine known as CyberBerkut (which has also been linked to the use of BlackEnergy). Finally, a false-flag attack by Ukraine itself has been suggested. The reality is, it could have been any or none of these – and the first two options at least remain a threat to all electricity substations.

The attack itself is believed to have started with a successful spear-phish against the power companies’ IT networks. This allowed the intrusion of BlackEnergy, which was used to infiltrate the networks and acquire the information and tools necessary to attack the ICS equipment; this is known as the reconnaissance phase of a cyber-attack. Most adversaries spend a considerable amount of time in this phase collecting information about the target. Often the adversary ends up knowing the target system better than the people responsible for operating it.

The attack against the substations was probably conducted via the power companies’ IT networks, using either existing remote administration tools or client tools on the ICS equipment reached over virtual private networks (VPNs). This was probably aided by the theft of legitimate credentials from the IT network, either before or during the IT network compromise. The attackers subsequently manipulated the substations’ breakers and caused the blackout.

Before leaving they ran KillDisk to overwrite files and corrupt the master boot records (MBRs) of engineering and operator workstations, and they corrupted ICS firmware across many other intelligent electronic devices in an apparent attempt to delay recovery procedures.

The second and most important lesson to be learned from this attack is that IT (corporate) networks must be as separate as possible from the OT (ICS) networks. Since air-gapped separation isn’t realistic for unattended substations, great care must be taken to protect the connection between the two. Furthermore, the IT network requires multi-layered security of its own to ensure that it cannot be compromised (as happened in Ukraine) and used as the access point to the OT network. 

Although the discovery of new vulnerabilities in ICS systems is fairly uncommon, it is well known that ICS are easy targets, since most ICS have no security controls in place to monitor and protect those assets. If the IT network is compromised and adequately privileged credentials are subsequently stolen, then there is no need to exploit the ICS at all – it can simply be controlled from the IT side, and most likely no one will know it is being done.

Lessons from Cambridge University 

A study into the wider implications of a successful coordinated cyber-attack against multiple electricity substations in a densely populated region was jointly produced by the University of Cambridge Centre for Risk Studies and Lockheed Martin, and was published in April 2016.

In order to evaluate the effect of a successful attack, the study had to postulate a successful attack methodology. The method chosen involved the actions of a malicious insider working with a well-funded nation-state. The nation-state coordinates the attack and manufactures a number of specialised devices, which are placed within the substation and connected to the OT network by the insider.

This introduces an additional threat to substations that must be taken seriously and effectively mitigated: the malicious insider. The study also concluded, “This scenario illustrates that IT departments and industrial security teams need to share information and threat assessments to guard against weak points such as critical substations.” 

The IT/OT Relationship

There are two fundamental issues for securing electricity substations. Firstly, the design of the OT (ICS) equipment pre-dates any necessity to connect to or be monitored or controlled via the internet, and ICS was consequently not designed with security in mind. Nevertheless, it is now usual for the OT network to be connected to the corporate IT network, either via a dial-up modem, a private cable or the Internet. 

Secondly, OT networks tend to be managed by technical engineers with little security understanding. Furthermore, it is common for these engineers to be reluctant to modify critical systems that are working. Even where there is a new patch for a known vulnerability in OT, there is often little urgency to apply it because of concern that the patch may impact the system’s operation.

This combination of factors results in an insecure OT network, possibly containing a number of unpatched vulnerabilities, being forced to rely on the cyber security that can be imposed by the IT network from its side of the communication link. 

Attack Methodologies and Mitigations 

Attack the IT Network and then Jump to the OT Network

An attacker with access to the IT network can seek to subvert and use the official channels into the OT network. With the correct credentials there will be no need to exploit any vulnerability in the ICS equipment. This is probably what happened in Ukraine.

If it is impossible or not feasible to steal and use privileged credentials, the attacker can seek access to and exploit vulnerabilities in the OT equipment. 

Mitigations against this form of attack focus on protecting the IT network from compromise by attackers, and protecting the communication channel between the IT and OT networks.

Attack the OT Components from the Outside

There are two primary ways in which an attacker could seek to compromise an OT network without physical access to that network. 

The first would be to compromise the laptop or a USB stick of a maintenance engineer who has physical access to the substation. The engineer will eventually connect his system to the OT network, and upload the malware. 

It is believed that this is how Stuxnet was delivered to the Iranian Natanz nuclear facility, via a USB memory stick used by an engineer. 

The second method would be to attack any wireless capabilities of the OT network from outside the perimeter. WiFi and Bluetooth should not be available on the OT equipment, but both are sometimes left operational through misconfiguration or omission; there are instances where protection and control engineers install a wireless router to make it easier to make changes or test something in a substation. With the Industrial Internet of Things (IIoT) becoming an emerging trend, many OT equipment manufacturers are including features in their devices to enable plug-and-play by default.

Such attacks require some knowledge of the internal networks and the presence of the wireless signals. Ivan Sanchez, a whitehat hacker from Nullcode, has used drones flying close to the substation “to scan, enumerate and discover devices” that he can attack wirelessly. Sanchez is credited by ICS-CERT for the discovery of at least 17 different ICS vulnerabilities. 

Mitigation against these attacks would require improved governance within the OT network, and better access control for both people and processes. There are simple monitoring methods that could be implemented to periodically scan for wireless signals or rogue devices that might show up on a network. A network baseline of devices, and visibility into the network, are critical to protecting against an attack. Most CISOs know they have little to no visibility from within the ICS OT networks, and that keeps them up at night.
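One simple form of the baseline check described above, as an added example that is not the article’s own code: the devices currently observed on an OT segment are compared against an approved inventory, and anything unknown, re-addressed or unexpectedly absent is reported. All MACs, addresses and roles are constructed sample data.

```python
"""Rogue-device check for an OT segment: diff what is currently seen on
the wire against an approved device baseline.  Added illustration, not
code from the article; baseline and observation are constructed data."""
import ipaddress

# Constructed baseline of assets that belong on the substation LAN: MAC -> (IP, role).
BASELINE = {
    "00:1a:2b:00:00:01": ("10.20.1.10", "rtu-bay1"),
    "00:1a:2b:00:00:02": ("10.20.1.11", "protection-relay-bay1"),
    "00:1a:2b:00:00:03": ("10.20.1.20", "engineering-workstation"),
    "00:1a:2b:00:00:04": ("10.20.1.1", "ot-firewall"),
}

# Constructed observation, as a passive ARP listener on the OT switch's
# mirror port might report it: one "ip mac" pair per line.
OBSERVED = """\
10.20.1.10 00:1a:2b:00:00:01
10.20.1.11 00:1a:2b:00:00:02
10.20.1.25 00:1a:2b:00:00:03
10.20.1.20 00:1A:2B:00:00:99
10.20.1.77 ac:de:48:11:22:33
"""

def parse_observed(text):
    """Return {mac: ip} from 'ip mac' lines; skip blanks and comments."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()
        ipaddress.ip_address(ip)          # reject malformed input early
        seen[mac.lower()] = ip
    return seen

def audit(baseline, observed):
    """Return (severity, mac, ip, detail) tuples, highest severity first.
    HIGH   - MAC not in the baseline: a rogue or newly added device
    MEDIUM - known MAC at a different IP: re-addressed or spoofed asset
    LOW    - baseline asset not seen: offline, or being impersonated
    """
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for mac, ip in observed.items():
        if mac not in baseline:
            findings.append(("HIGH", mac, ip, "not in baseline"))
        elif baseline[mac][0] != ip:
            exp_ip, role = baseline[mac]
            findings.append(("MEDIUM", mac, ip, f"{role} expected at {exp_ip}"))
    for mac, (ip, role) in baseline.items():
        if mac not in observed:
            findings.append(("LOW", mac, ip, f"{role} not seen"))
    return sorted(findings, key=lambda f: order[f[0]])
```

Calling audit(BASELINE, parse_observed(OBSERVED)) reports the two unknown MACs first, then the re-addressed engineering workstation, then the firewall that was not seen at all.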

The Insider Attack

Insider attacks are notoriously difficult to prevent. Edward Snowden was an insider. Chelsea (Bradley) Manning was an insider. The difficulty is that insiders often have or can acquire the requisite credentials to enable malicious actions. Monitoring systems can see what they are doing, but will often ignore events because they are entitled to do them. 

The putative attack envisaged by the Cambridge/Lockheed Martin study involved the actions of a malicious insider. 

Such insiders can be recruited by attackers through political sympathies, bribery, or threats and blackmail. 

Mitigations against insider attacks would require better people governance, including stricter HR checks, strong physical access control to the substation, behavioral analysis of actions on the IT network, and strong privileged access management including automatic de-provisioning. There are new technologies that are capable of monitoring employees along several dimensions: did they get ranked poorly in a performance review, have they started posting negative comments on social media, have their travel and spending habits recently changed, have they tried to access systems outside their domain or outside normal working hours? By monitoring and collecting such employee data one can begin to identify potential rogue employees.

Network Security For An Electricity Substation

The reality is that the technology configuration for an electricity substation will comprise on-site and unattended equipment linked to and controlled and monitored by a remote OT network which is also connected to the corporate IT network.

Every aspect of this configuration needs to be secured using a layered defense in depth strategy.

• Equipment within the substation needs to be maintained and patched as necessary, and the establishment needs to be physically secure with effective physical and cyber access control.

• The physical link between substation and control room needs to be secure, and its connection to the control room should be protected by a firewall.

• The control room (OT network) needs to be physically separate from the rest of the corporate IT, and should be fully patched and locked down. It should have strong authentication for access to the room and to the equipment.

• Any connection between the OT network and the IT network should be via a firewall, and all traffic across this connection should be monitored.

• The IT network needs to be fully protected in order to prevent attackers using it as a springboard for access to the ICS.

If the OT control center has a connection to the business IT network then the two should be considered as a single zoned network. It is important to protect the integrity of the IT zone; but it is essential to protect the integrity of the OT zone. In reality, the whole IT network should be treated as part of the layered defense for the OT network. These defenses, in their turn, help to protect any equipment housed in the remote substation. 

Incident Response and Contingency Planning 

The traditional risk-based approach to IT security seeks to prioritize security efforts to prevent cost to the business: confidentiality and integrity are probably higher priorities than availability. ICS, however, provides critical services to customers and consumers. Loss of availability could put lives at risk. 

Although the basic IT incident response process of cyclical ‘plan, prevent, detect, contain, remediate, restore, and analyze’ is still applicable, the potential effect of any incident is different. For IT the priority is to minimize damage to corporate assets such as intellectual property, finance and reputation; but for ICS networks the priority is the resumption or continuation of normal operations. 

For this reason, an ICS incident response plan should be geared towards maintaining or restoring services as quickly and safely as possible. There should therefore be a tested methodology to include safe shutdown and restoration of the substation, including manual operation in the case of an emergency. 

ICS Isolation 

Traditional IT security controls may not be applicable to the OT network. For this reason OT security will rely on the development and implementation of a manual plan and a formal security policy.

The first stage in this is a complete audit and assessment of every device within the OT network. 

Every device must be limited to providing only those services that are necessary. WiFi and Bluetooth should almost certainly be deactivated. Use of plug-in media (CDs and memory sticks) should be prohibited or at least very strictly controlled. Portable devices, such as laptops, should be company owned, not allowed off the premises, and locked away when not in use. Personal devices should not be brought into the control room. 

Data connection to the remote substation should be controlled by a firewall. If the control room is also connected to the corporate LAN, that should also be controlled by a firewall. Individual hosts within the OT should be protected and controlled by personal firewalls.

Application Whitelisting

The limited and known set of applications required for an ICS control room makes application whitelisting a realistic and effective security control. Whitelisting can impact system operation, so it is important to test and verify its impact on the ICS. Work with the ICS vendor to make sure all the corner cases that might affect a critical function are tested.
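An added example, not the article’s or any vendor’s code, of running whitelisting in audit mode before enforcing it: the approved set is recorded as file hashes from a known-good install, and later scans report anything new or altered so the effect on the ICS application can be reviewed with the vendor first. The binaries and paths are constructed inside a temporary directory.

```python
"""Hash-based application allow-list audit for an ICS control-room host.
Added illustration, not the article's or any vendor's code: a manifest of
approved executables is recorded from a known-good install, then later scans
report anything new or altered.  Files and paths here are constructed."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Approved set: path relative to root -> SHA-256, taken from a vetted image."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root, manifest):
    """Audit mode: report what enforcement *would* block, so the impact on the
    ICS application can be checked with the vendor before switching it on."""
    current = build_manifest(root)
    report = {"unknown": [], "modified": [], "missing": []}
    for rel, digest in current.items():
        if rel not in manifest:
            report["unknown"].append(rel)      # not on the approved list at all
        elif manifest[rel] != digest:
            report["modified"].append(rel)     # approved path, different content
    report["missing"] = [rel for rel in manifest if rel not in current]
    return report

def demo():
    """Constructed scenario: golden image of two binaries, then one is patched
    in place and an unapproved tool appears on the host."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "bin"
        app.mkdir()
        (app / "hmi.exe").write_bytes(b"HMI v1")
        (app / "historian.exe").write_bytes(b"HIST v1")
        manifest = build_manifest(app)
        (app / "hmi.exe").write_bytes(b"HMI v1.1")     # vendor patch, not yet re-approved
        (app / "remote_tool.exe").write_bytes(b"???")  # dropped on the host, not approved
        return audit(app, manifest)

if __name__ == "__main__":
    print(demo())
```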

Patching

Patching is a particular problem for OT networks. Since the underlying hardware and operating system is likely to be similar to, or the same as, that used in the IT network, similar patch management frameworks could be used across both. However, the always-on requirement for electricity substations makes this difficult. 

Engineers are reluctant to patch swiftly, if at all. The possibility that the patch could break other critical processes sometimes leads engineers to delay patching, or even ignore the issue and accept the risk. 

In theory it could be possible to use the electricity grid to reroute demand so that any failure during or resulting from patching would have limited or no effect on power supply from individual substations. This would be costly, complex and time-consuming across the hundreds of substations likely to be involved. 

It is important, therefore, to have a formal patch management policy that takes account of all the different pressures and difficulties involved. Such a policy is best developed by a cross-functional IT/OT work group comprising representation from IT, IT security, process engineering, operations, and senior management.

Defend the Control Center Perimeter 

The transmission and distribution control center is likely to have two connections: to the remote substation and to the corporate IT network. All other possible connections should be locked down and prevented.

With both active connections the primary control will be a well-configured firewall along with the necessary monitoring in place. Firewall technology is relatively stable, and most firewall failures are due to misconfiguration. Considerable care and concern over the choice of firewall and its configuration must be taken. 
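An added example, not from the article, of the monitoring that belongs beside the IT/OT boundary firewall: every accepted cross-zone flow is checked against an explicit allow list, so a permitted-but-unexpected connection (remote desktop from an ordinary IT desktop into an OT host, or the jump host outside its maintenance window) becomes an alert rather than silently passing. Zones, rules and log records are all constructed.

```python
"""Review records from the IT/OT boundary firewall against an explicit
inter-zone allow list: anything ACCEPTED that policy does not expect is
an alert.  Added illustration, not the article's code; all data constructed."""
import ipaddress

ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("10.20.0.0/16")}
# Allow list entries: (src zone, dst zone, src host or None for any, dst host,
# proto, dst port, (start_hour, end_hour) when the flow is expected, or None).
ALLOW = [
    ("OT", "IT", None, "10.10.5.40", "tcp", 1433, None),          # historian replication
    ("IT", "OT", "10.10.9.2", "10.20.1.50", "tcp", 22, (8, 18)),  # jump host, office hours
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "OTHER")

def parse(line):
    """'HH:MM ACTION proto src:port dst:port' -> (hour, action, proto, src, dst, dport)."""
    ts, action, proto, src, dst = line.split()
    dip, dport = dst.rsplit(":", 1)
    return int(ts[:2]), action, proto, src.rsplit(":", 1)[0], dip, int(dport)

def allowed(hour, proto, src, dst, dport):
    sz, dz = zone_of(src), zone_of(dst)
    for r_sz, r_dz, r_src, r_dst, r_proto, r_port, hours in ALLOW:
        if (sz, dz, proto, dport, dst) != (r_sz, r_dz, r_proto, r_port, r_dst):
            continue
        if r_src not in (None, src):
            continue
        return hours is None or hours[0] <= hour < hours[1]
    return False

def review(log):
    """Return an alert string for each cross-zone ACCEPT the policy does not cover."""
    alerts = []
    for line in log.strip().splitlines():
        hour, action, proto, src, dst, dport = parse(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or action != "ACCEPT":
            continue   # intra-zone traffic and drops are out of scope here
        if not allowed(hour, proto, src, dst, dport):
            alerts.append(f"{sz}->{dz} {proto}/{dport} {src}->{dst} accepted at {hour:02d}h")
    return alerts

# Constructed boundary-firewall log. Line 3 is remote desktop from an IT desktop
# straight into an OT HMI; line 4 is the jump host outside its window.
LOG = """
10:02 ACCEPT tcp 10.20.1.50:49152 10.10.5.40:1433
10:05 ACCEPT tcp 10.10.9.2:51000 10.20.1.50:22
10:07 ACCEPT tcp 10.10.3.17:52011 10.20.1.60:3389
23:15 ACCEPT tcp 10.10.9.2:51100 10.20.1.50:22
"""
```

review(LOG) returns two alerts for this log, one per unexpected accepted flow; the historian replication and the in-hours jump-host session pass silently.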

Defend the IT Network 

IT network security is usually built to protect corporate information assets. Without specific evaluation, ICS security demands can be overlooked. Within the IT network, those security areas that could particularly affect and threaten ICS will need additional consideration:

• The presence of malware of all types that could migrate to the OT network.

• Privilege escalation that could be used by an intruder seeking access to the OT – strong privileged access management is important.

• Anomaly detection to identify the presence of an intruder who might be conducting reconnaissance.

• SIEM technology, which is useful for early detection of, and response to, incidents that might indicate an intruder.

• Phishing and spear-phishing awareness training for all staff, including senior management.

Take Precautions against a Malicious Insider

The insider threat comes in two flavors: dangerous behavior from naïve insiders, and dangerous behavior from malicious insiders. The former is easier to mitigate, and would normally be detected by standard controls such as network behavior and anomaly detection. The latter is less easy, since the malicious insider is likely to understand the network and how it can be used without raising red flags.

The best defense against a malicious insider is to prevent the presence of a malicious insider. 

From the outset, HR should be required to take up full reference enquiries on new staff. Extra care should be taken not to disaffect existing staff. Loyalty schemes can be used to retain good staff. HR can be brought in to advise on good staff relations. And above all, deprovisioning should be instant and complete whenever activated.

More articles by Esther Phillips