iTWire reported on ‘Darkness in the Ukraine’, where 225,000 residents lost power due to what is the first known ICS hack.
Check Point Software, a global software and hardware security provider, has been following the Ukraine debacle and offered comment on the NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) requirements and how, had these been observed, they would likely have protected Ukraine’s ageing infrastructure.
David De Laine, regional managing director for Australia and New Zealand at Check Point Software, has offered more commentary following the recent Sydney Morning Herald report that power networks need to be on high alert amid cyber threats.
We present De Laine’s sage advice.
The recent government announcement on the national cyber-security strategy highlights just how important it is for all of us to start thinking differently and also brings a very relevant and crucial subject to everyone’s attention – protecting critical infrastructure.
The mission of protecting critical infrastructure (industrial control systems - ICS) is so vital that it cannot be left to just any security solution. Every day we expect water to flow from our taps, our electricity to work, and traffic lights to move traffic along quickly and efficiently. Interruptions in any of these essential systems, even if only for a few hours, wreak havoc.
In a recent blog post, The Next Battleground – Critical Infrastructure, Check Point Software Technologies highlighted that the threat to critical infrastructure could no longer be ignored, especially after the blackout in Ukraine and the manipulation of “Kemuri Water Treatment Company” water flow.
As the cyber threat world is big and extensive, to fully understand the scope of threats to nationwide critical infrastructures the blog highlights a few insights and perspectives based on Check Point’s vast and longstanding experience in the cyber world. Three areas in which Industrial Control Systems (ICS) are vulnerable include:
- IT network
- Insider threat (intentional or unintentional)
- Equipment and software
Attacking through the IT network
ICS usually operates on a separate network, called OT (Operational Technology). OT networks normally require a connection to the organisation’s corporate network (IT) for operation and management. Attackers gain access to ICS networks by first infiltrating the organisation’s IT systems (as seen in the Ukraine case), and use that “foot in the door” as a way into the OT network. The initial infection of the IT system is no different from any other cyber attack we witness daily. This can be achieved using a wide array of methods, such as spear phishing, malicious URLs, drive-by attacks and much more.
Once an attacker is successfully in the IT network, they will turn their focus on lateral movement. Their main objective is to find a bridge that can provide access to the OT network and “hop” onto it. These bridges may not be properly secured in some networks, which can compromise the critical infrastructures they are connected to.
The threat within
Traditional insider threats exist in IT networks as well as in OT networks. Organisations have begun protecting themselves against such threats, especially after high-profile attacks such as the Target hack or Home Depot (and the list is continuously growing). In OT, however, the threat is increased. Similar to IT networks, insiders can intentionally breach OT networks with graver consequences. In addition to this “regular” threat, there is the unintentional insider threat. Unlike IT networks, OT networks are usually flat with little or no segmentation, and SCADA systems have outdated software that goes unpatched regularly.
Unwitting users often inadvertently create security breaches, either to simplify technical procedures or by unknowingly changing crucial settings that disable security. The bottom line remains the same either way: the network that controls the critical infrastructure is left exposed to attacks. This is proven time and again, as one can easily encounter networks that were connected to the internet by accident.
Meddling with critical components
The last avenue that endangers ICS is tampering with either the equipment or its software. There are several ways to do so:
- Intervening with production of the equipment. An attacker can insert malicious code into the PLC (Programmable Logic Controller) or HMI (Human Machine Interface) which are the last logical links before the machine itself.
- Intercepting the equipment during its shipment and injecting malicious code.
- Tampering with the software updates of the equipment by initiating a man-in-the-middle attack, for example.
So, how can we protect our critical infrastructure?
To fully protect any critical infrastructure, whether it is an oil refinery, nuclear reactor or an electric power plant, all three attack vectors must be addressed. It is not enough to secure the organisation’s IT to ensure the security of the production floor. A multi-layered security strategy is needed to protect critical infrastructures against evolving threats and advanced attacks.
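The first two vectors De Laine describes, an attacker “hopping” from IT into OT over a poorly secured bridge and a flat OT network that ends up reachable from where it should not be, are both visible at the IT/OT boundary if someone is looking. The script below is an added example written for this page; it is not Check Point’s or iTWire’s code. It audits constructed firewall connection records against a simple boundary policy and flags three conditions: an IT host reaching OT directly rather than through the sanctioned jump host, the jump host carrying a protocol it is not supposed to carry into OT (here, Modbus/TCP on 502 rather than SSH), and an address outside both zones reaching an OT host at all. The zone ranges, the bridge address, the allowed-port policy and the `key=value` log format are all assumptions; substitute the real address plan and log format when adapting it.

```python
"""Audit IT/OT boundary flows for crossings that bypass the sanctioned bridge.

Added example, not from the original article. Zone ranges, bridge host,
allowed ports and the log format are hypothetical choices for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan (hypothetical; replace with the real zone ranges).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
# The one sanctioned path from IT into OT: a jump host in a DMZ (assumed).
SANCTIONED_BRIDGE = ipaddress.ip_address("10.15.0.5")
# What the bridge may carry into OT (assumed policy): SSH to engineering hosts.
BRIDGE_ALLOWED_PORTS = {22}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' firewall line (constructed format)."""
    ts, _, rest = line.strip().partition(" ")
    kv = dict(_KV.findall(rest))
    return Flow(ts, ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv["action"])


def classify(flow: Flow):
    """Return a finding string if the flow violates the boundary policy, else None."""
    if flow.dst not in OT_ZONE:
        return None  # only traffic entering OT is in scope for this check
    if flow.src in OT_ZONE:
        return None  # intra-OT traffic is handled by other controls
    if flow.src == SANCTIONED_BRIDGE:
        if flow.dport in BRIDGE_ALLOWED_PORTS:
            return None
        return f"bridge {flow.src} reached OT on non-sanctioned port {flow.dport}"
    if flow.src in IT_ZONE:
        return f"direct IT->OT flow {flow.src} -> {flow.dst}:{flow.dport} bypassing the bridge"
    return f"OT host {flow.dst}:{flow.dport} reached from outside IT/OT ({flow.src})"


def audit(lines):
    """Return (timestamp, action, finding) for every line that violates the policy.

    Denied flows are reported as well: a blocked attempt to reach OT from an
    unexpected source is still something the OT team should hear about.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow.ts, flow.action, reason))
    return findings


# Constructed sample records: one sanctioned bridge login, one workstation
# talking Modbus straight into OT, the bridge carrying Modbus, an outside
# address probing DNP3, an intra-OT flow, and an ordinary IT-to-IT flow.
SAMPLE_LOG = """\
2016-01-05T10:02:11Z src=10.15.0.5 dst=10.20.1.7 dport=22 action=allow
2016-01-05T10:03:40Z src=10.10.4.22 dst=10.20.1.7 dport=502 action=allow
2016-01-05T10:04:02Z src=10.15.0.5 dst=10.20.1.9 dport=502 action=allow
2016-01-05T10:05:17Z src=203.0.113.8 dst=10.20.1.12 dport=20000 action=deny
2016-01-05T10:06:30Z src=10.20.1.7 dst=10.20.1.9 dport=502 action=allow
2016-01-05T10:07:05Z src=10.10.4.22 dst=10.10.9.1 dport=443 action=allow
"""

if __name__ == "__main__":
    for ts, action, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts} [{action}] {reason}")
```

Run on the sample, the audit reports three of the six records: the workstation reaching a PLC on 502 directly, the jump host carrying Modbus instead of SSH, and the denied DNP3 probe from outside. The first is exactly the lateral-movement bridge the article warns about, the second is a sanctioned bridge being used for something it was never meant to carry, and the third is the “connected to the internet by accident” case, which the firewall may have blocked but which still deserves a ticket.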