The Threat to Critical Infrastructure: Cybersecurity is a safety issue for today’s control systems

If your safety systems were compromised, would you know? Worse, what if your safety systems and HMIs were both compromised? Could you tell?

While industrial control systems (ICS)/operational technology (OT) cybersecurity is a relatively new discipline, its core mission is the same as any other tenet within critical infrastructure and process industries — ensuring the safety and reliability of key operations. This is captured poignantly in the recent Wall Street Journal article on the Oldsmar water treatment facility hack:

“Changes at the facility over the years had made him uneasy. Analog machinery had given way to digital systems, and critical water-treatment processes were now automated. The plant required little human intervention in day-to-day operations. Thanks to remote-access technologies, more maintenance and monitoring activities were being performed off-site by a third party. All this was great for efficiency, especially for his resource-limited operation, but what about the risk? Optimizing for cost and speed meant connecting more digital and networked technologies to his plant floor. Security was no longer simply a matter of gates, guards and guns. It had become a matter of bits and bytes.”

The novelty of OT cybersecurity is it focuses on the digital parameters of critical operations where traditional disciplines (e.g., EHSQ, operational risk management, etc.) primarily focused on the physical aspects.

And the fact is that today’s critical infrastructure and industrial operations — on which society relies — are extraordinarily vulnerable. First, these operations typically leverage control systems with 20 year-plus lifecycles; that is, the majority were designed and manufactured before systems were so digitally connected. Second, in cases where cybersecurity was addressed, organizations relied on security measures that have since become obsolete or ineffective, such as obscurity and air-gapping. Third, with a freer flow of information and cheaper access to technology, cyber adversaries have escalated their attacks; today, we see sophisticated and well-funded cyber attacks across industries and countries. And lastly, these industries — utilities, energy, food and beverage, manufacturing, transportation, and more — are embracing the digital transformation trend, exponentially increasing their exposure with the adoption of new technologies, IIoT, and smart devices.

The world has digitally transformed more quickly than the most fundamental industries on which society requires. This confluence of events has created a sweet spot for hackers. And an untenable situation for operations.

The former CTO of New Jersey and associate partner at McKinsey & Co highlights this situation from his own experience leading critical infrastructure operations. It’s well worth the read. Read More >>

Learning from the Oldsmar and Other Recent Attacks

Oldsmar is just one example of a string of high-profile and far-reaching attacks this year — after ending 2020 with SolarWinds supply chain hack. The fallout from the Microsoft Exchange server attack is still ongoing and is anticipated to have impacted hundreds of thousands of organizations and governments. More recently, Molson Coors, the world’s fifth-largest beermaker, had its operations, production, and deliveries stopped from a suspected ransomware attack.

As the first quarter of 2021 draws to a close, here are a few key considerations:

What is the future of operational technology?

Critical infrastructure and industrial operations have digitally evolved just like the rest of society. However, control systems remain in a unique stage between their analog history and a digital future. For example, programmable logic controllers (PLCs) are now smart enough to be fool-able and capable enough to be leveraged in massive cyber-physical operations. But they aren’t sophisticated or robust enough to run their own cyber defenses. Or, in the case of safety instrumented systems, these can alert an operator when their sensor indicates a physical anomaly against set parameters like volume or pressure. But they can’t determine whether an operator — or an adversary —set those parameters. Human-machine interfaces (HMIs) can show an operator massive and highly complex operations; but they can also be spoofed. Virtually all OT falls within this realm.

If the adoption of IIoT and smart devices is an indicator, it’s probable that control systems will also continue to evolve, perhaps with built-in cybersecurity digitally. But today, existing control systems still have a long life ahead. And even if there were cyber-safe systems, a rip-and-replace approach isn’t feasible for most. Organizations must address the cybersecurity and safety concerns for today’s environment as well as the future.

What is the fail-safe in a digitalized industrial process?

In the case of Oldsmar, it was extremely lucky that an operator happened to be watching the screen at that precise moment and with enough attentiveness to notice his mouse cursor moving independently. But if the hacker was more clever, they could have also hidden their mouse movements and gone undetected.

And that is just two scenarios, a novice versus a sophisticated hacker. But what if an operator or vendor simply made a big error? Or worse, what if a disgruntled worker was the adversary? What would prevent the massive lye increase in those situations?

When dealing with physical components, the potential ramifications are exponentially higher. For that reason, safety systems were added to audit the physical state of the process against the controller’s parameters. But today, we know that is a fallible fail-safe against cyber adversaries. Organizations need to establish a hacker-proof fail-safe system built for today’s control systems within a digitalized environment.

What can organizations do today to protect operations?

A defense-in-depth strategy is a must-have today. And that includes various aspects and components to protect against known and unknown attack vectors. Below are a few crucial ones to prioritize:

• Segmentation and Micro-segmentation: Network and device segmentation should be part of the defense in depth security approach for all critical industrial control system (ICS) environments. Frankly speaking, it is a physical security best practice learned over centuries, and an IT security best practice learned over the last several decades. It provides a much more robust security posture than a simple perimeter-only defense. With perimeter-only protection, once an adversary gains access, nothing prevents them from traversing the network unchallenged. Segmentation and micro-segmentation stop unbridled access in IT environments and should be doing the same in ICS network environments.

  Check out this blog for a deeper dive into segmentation for OT environments.

• Critical process protection: In OT/ICS environments, the most devastating cyber-attack is one that starts as a simple intrusion through the introduction of a simple malware like the SolarWinds Sunburst malware, but then is allowed to proceed until some sort of disruptive or destructive physical attack is enacted. The classic example of this type of physical attack is the Stuxnet cyber-attack ten years ago that was specifically designed to destroy the target infrastructure. Cyber-attacks that reach this phase can dramatically threaten life, safety, and the environment.

  For this reason, conducting continuous signal-integrity monitoring of critical physical assets is key to prevent these disastrous results, even in the face of successful OT network intrusions. Cyber-attacks on physical infrastructure absolutely cannot be allowed to reach this stage, and continuous signal-integrity monitoring is designed to protect against attacks and these consequences. It is a digital safety system.

  Read more to see how continuous signal monitoring would work with the SolarWinds attack.

• Establishing a multi-faceted approach: Traditional IT cybersecurity typically takes a top-down approach, starting with the largest perimeter and moving downward (or inward). In addition to traditional IT security, industrial operations can gain greater protection by complimenting traditional cybersecurity with a bottom-up strategy. This focuses cybersecurity at a more granular level and pushes the cyber protections out to where the impact happens—the cyber-physical processes within the mission-critical OT environment.

  Protect the mission-critical cyber-physical processes within the OT environment and put cyber protections in the physical processes on which mission execution relies. This method should include monitoring and protection capabilities spanning both the entire IT network as well as the control systems that sit on those networks and control the physical processes. And thus, naturally, the “bottoms up” approach complements more traditional IT approaches.

  Learn more about a bottom-up approach for OT protection.

OT cybersecurity is safety. It’s time to elevate and prioritize it.

Many headlines note the close call Oldsmar was, and the warnings being stated throughout recent years to the ability for such an incident to occur. As the Wall Street Journal article states:

“What happened in Oldsmar fell just short of the nightmare scenario. The average person is unaware how dependent the country’s critical infrastructure has become on digital technology. At power plants, waterworks and all manner of public utilities, special purpose computers known as human-machine interfaces connect to ruggedized-process controllers that regulate actuators to spin turbines, rotate robotic arms or, in this case, open valves to release sodium hydroxide.”

To protect industrial processes, organizations must adopt a zero-trust strategy and start to treat cybersecurity as critical as safety. Because in today’s technology-enabled and internet-connected world, the digital and physical lines are becoming more opaque, and it’s likely to escalate in the future.