Cybersecurity risk spikes with mingling of operations and IT technologies
As a technology concept, the term "Industrial Internet of Things (IIoT)" denotes, among other things, the ongoing proliferation of intelligent sensors and better means-to-connectivity. These devices and means are then used in the control and management of a wide variety of industrial assets throughout the energy sector, including in midstream oil & gas and electricity transmission.
IIoT-enabled technologies not only enhance the ability to monitor asset-performance in real-time, they also enable management of SCADA from remote locations. In the past, industrial control systems (ICS) were separate from corporate IT networks. Today, precursors to, and the growing prevalence of, IIoT blur the lines between at-the-process technologies and information technology, creating new vectors of cybersecurity exposure and increased threat vulnerability wherever PLCs, SCADA, and ICS are installed.
As these operations systems are adapted to an open-standard, digital-age IT infrastructure, enhanced connectivity will include a combination of wireline and wireless technologies—rather than being hardwired and linear. Increasing digitization of operations technology delivers benefits, Including improved productivity and more reliable energy supplies.
Unfortunately, it also makes it easier for malicious actors to hack into operational systems and remotely control, or cause catastrophic damage to, critical energy infrastructure. Alternatively, hackers can surreptitiously access operations systems to quietly gather data from within an ICS, which can later be shared with "bad actors."
The growing threat
The threat is not hypothetical. The global energy industry has already experienced a number of significant incidents. Remote cybersecurity attacks were reportedly used to cause the 2008 explosion of a pipeline in Turkey. In December 2015, the first successful disruption of a public energy grid occurred in Ukraine when attackers used a spear-phishing campaign to obtain administrator credentials, then remotely accessed the SCADA network and halted electricity distribution. The resulting blackouts affected more than 230,000 customers.
Also in 2015, a major reconnaissance and data exfiltration attack targeted the American natural gas and geothermal electricity company Calpine Corp. Attackers operating from IP addresses in Iran delivered a Trojan that established remote access to the company’s networks, including its operations-technology environment. The hackers made off with more than 19,000 files, including drawings that detailed the energy company’s network architecture; the devices used to manage gas turbines, boilers and other critical equipment; and a mapping of data flows between facilities around the country and Calpine Corp.’s cloud environment.
Even more recently, in 2016 the U.S. Justice Department revealed that Iranian operatives used a cellular modem to compromise the command-and-control system of a dam in Rye, New York. Finally, in an alarming warning delivered in December 2016, United Nations Deputy Secretary-General Jan Eliasson spoke of the growing threat of potential hacking attacks targeting nuclear power plants.
While cybersecurity attacks in any industry can cause disruptions or damages that cost money for businesses and individuals, a cybersecurity attack that compromises SCADA in the energy sector can be disastrous-and deadly. For this reason, the security measures developed in other industries—such as virtual private networks (VPN), firewalls and antivirus technologies—simply are not sophisticated enough to prevent advanced cyberattacks that specifically target industrial-control systems in the energy sector.
Securing today’s energy infrastructure requires a combination of sophisticated cybersecurity frameworks, training and software solutions specifically designed to address the unique threats our industries now face in the digital age.
As you might imagine, responsibility for U.S. federal government functions related to industrial cybersecurity is spread across several departments and agencies. Good places to start your quest for more insight into energy sector cybersecurity include the following:
- The "Cybersecurity framework implementation guidance" from the U.S. Department of Energy includes standards, guidelines and practices to promote the protection of critical infrastructure.
- The U.S. network of oil and gas transportation and distribution pipelines is the purview of the same Transportation Security Administration responsible for security in the 440 airports of the United States. Oil and gas pipeline managers’ can look to the cybersecurity recommendations in the Transportation Security Administration’s "Pipeline security guidelines."
- The Federal Energy Regulatory Commission (FERC) is an independent agency that regulates interstate transmission of electricity, natural gas and oil. The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s "electric reliability organization," has developed critical infrastructure protection (CIP) cybersecurity reliability standards for electric smart grids.
Note that while these standards are a good place to begin, following their recommendations is in no way mandatory. Moreover, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving threats.
In addition, The SANS Institute’s "CIS critical security controls" provide guidance for implementing cybersecurity and risk management programs specifically for critical infrastructure. The SANS Institute was established in 1989 as a cooperative research and education organization. It says it is the largest source in the world for information-security training and security certification in the world.
Besides the adoption of frameworks, energy-asset owners and operators should develop appropriate supporting management practices, including employee training, performance tracking metrics and business intelligence related to their cybersecurity program.
Cultural aspects of security
Energy companies must develop a risk-management culture that focuses on identifying and preventing cybersecurity vulnerabilities. This can be done in much the same way a culture for identifying and eliminating threats to physical safety of individuals and infrastructure was developed in the U.S. and Europe in the past. The cultural aspects of security are especially a matter of concern because employees are often one of the weakest links in cybersecurity. The cause of many, if not most, intrusions is that individuals unintentionally provide systems access to hackers by falling victim to spear-phishing campaigns in which malicious email attachments are opened, or laptops or USB drives are inappropriately connected to networks.
Employees at every level of the organization, from the executive suite to engineers to operators, should receive ongoing cybersecurity training tailored to their job role. Those responsible for operations technology, the operators and engineers, must be equipped with the knowledge needed to identify and address threat vectors. Energy companies must make these individuals their first line of cyberdefense.
Energy-asset owners and operators can leverage the SANS Institute’s Global industrial cybersecurity professional certification program, which trains ICS operators how best to recognize and react to cyberattacks. The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also provides both in-person and online training courses.
For the energy sector
Energy companies must architect their systems to minimize exposure to the possibility of bad actors accessing systems from a remote location. Threat-detection tools specifically designed for industrial networks in the energy sector are available. Unlike general-purpose IT security solutions, technologies purpose-built for the industrial energy sector can help identify security incidents, malfunctions or misuse in the industrial-process network, service disruptions, anomalies in the ICS and other relevant parameters.
Important features to look for in cybersecurity solutions include machine learning, the ability to be fully passive, and the ability to provide situational awareness. Machine learning enables industrial cybersecurity solutions to dynamically map the entire network and "learn" industrial processes, such as what each PLC "touches," whether these be control valves, switches, actuators or other devices.
Armed with this knowledge, a cybersecurity solution can identify in real-time if something out of the ordinary is occurring during the normal industrial-process cycle. The ability to be fully passive means that a solution should be non-intrusive, requiring zero downtime and zero interruption to the existing industrial-control network to install, setup, learn and monitor the network.
Important for cybersecurity solutions in the energy sector is the ability to provide situational awareness to specific security incidents. With an increasing number of sensors and digital technologies throughout our energy infrastructure, operators can be overwhelmed by a deluge of data originating from multiple systems. The reason for this is clear. Simply creating an alert about an atomic event or anomaly without the proper situational context will not provide operators with the insight they need to make decisions that allow a quick and appropriate response.
Cybersecurity solutions can correlate individual anomalies into threat events and present to operators and engineers perceived threat levels and the context needed for appropriate action to avoid service disruption, damage or downtime.
Cybersecurity threats to ICS are increasing and evolving as the propagation of digital-driven IoT technologies in the energy sector continues to grow. But by making our critical infrastructure more secure and resilient through the adoption of detailed cybersecurity protocols, educational programs and solutions designed specifically for the critical infrastructure in these energy sectors, companies can minimize cyber vulnerabilities and better protect industrial infrastructure against new threats that will come with ever-increasing industrial digitization.
Ransomware proliferation spurs increase in cybersecurity attacks
A recent Booz Allen briefing confirmed that spearphishing remains the primary method of cybersecurity attacks. It was the "initial attack vector for Operation Clandestine Wolf, one of the largest ICS attack campaigns [of 2016], as well as attacks on a German steel mill and Ukrainian electricity distributors, the two most destructive attacks disclosed [in 2015]," stated the Booz Allen Hamilton Industrial Cybersecurity Threat Briefing.
For 2015 and 2016, even though many intrusions went unreported, it is known that at least 15 major industrial incidents occurred. While there are no reported ransomware attacks on industrial-control systems yet, vulnerability has been a well-known fact for more than a decade. The difference today is that the availability of bitcoin digital currency allows criminals to financially benefit from attacks. As businesses and other possible ransomware targets become more difficult to penetrate, attackers may turn to industrial-control systems as easier targets. Operators should install intrusion-monitoring systems to alert them if the digital forays of attackers penetrate process-control networks.
By way of enterprise
The penetration of control networks by way of enterprise networks is also on the rise, Booz Allen confirmed, basing its conclusions on a study by the Department of Homeland Security. While enterprise-intrusion remained low, at 12% of reported incidents in 2015, during that time the number of intrusions attempted by way of enterprise networks increased by 33%. The total number of incidents reported by control operators rose by 20% in 2015.
Attacks on control systems can lead to "tangible impacts," said Booz Allen, making them choice targets for attack. Instead of simply encrypting files to make them inaccessible, as can happen when a business is attacked, ransomware attacks on ICS could disrupt operations or prevent access to an asset.
The incorporation of ransomware into exploit kits facilitates a profitable build-once, infect-many approach, Booz Allen said. It has led to a veritable army of attackers, ensuring massive infection rates. Infections for some variants were estimated at 90,000 machines per day in February 2016, according to Forbes magazine. In fact, per the Cryptothreat Alliance, between January and October 2015 an estimated $325 million in revenue was generated from just one variant, Cryptowall version 3.0.
The undocumented past
The problem is only compounded, Booz Allen pointed out, when ICS are often older systems not restorable from backup. It also may be difficult to obtain a clean version of system software and configuration settings. Access to the system itself may be difficult, and there may be a shortage of trained personnel for the restoration.
"Frequency and severity of ransomware infections on ICS networks are likely to increase," the report concluded.
Ken Hans is a vice president with Trellis Energy, a wholly-owned subsidiary of Blackstone Technology Group, a technical and management consulting firm. Through Trellis Energy it provides technology solutions for midstream oil & gas, as well as for electricity grids.
For more information:
- U.S. Department of Energy; Office of electricity delivery & energy reliability; Energy sector cybersecurity framework for implementation guidance
- Sans Institute; CIS critical security controls
- Transportation Security Administration (TSA); Pipeline Security Guidelines
- Federal Energy Regulatory Commission (FERC) and North American Reliability Corp. (NERC)
- Dept. of Homeland Security, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The site includes mechanisms so that interested parties can receive alerts, advisories and reports.
– See other articles from the supplement below.