Cyber-physical Vulnerabilities: New Threats and Impacts

October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure all have the resource to be safe and secure.

Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—Do your part. #BeCyberSmart— encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability, and the importance of taking proactive steps to enhance cybersecurity. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2020, we’ve put together short “Interview Bytes” to discuss cybersecurity from an operational technology (OT) and industrial control system (ICS) perspective.

Interview Bytes | Week 3: Securing Internet-connected Devices.

“It’s not just malicious; it’s financial. If these places can take your plant down, all of a sudden, the price of oil goes up.”

The downside of our internet-connected world is massive disruption from cyber-attacks. Case in point, criminal charges were recently brought against six Russian military intelligence officers for their role in the NotPetya malware attack. With an estimated $10 billion in total damages, NotPetya impacted shipping, trade, and commerce around the world and is considered one of the most destructive cyber-attacks to date.

As operations across industries digitally transform, they leave critical operational technology (OT) networks exposed. In this segment, Ed Suhler, VP of Defense Services, and Mark Baggett, VP of Industrial Control Systems, share their insights into the new cyber threats facing today’s interconnected, cyber-physical systems and their potential impacts.

Question: What are the impacts of cyber threats today?

From a Defense Perspective | Ed Suhler, VP of Defense Services: The change that we’re seeing today is that we have to move beyond the implications of data itself into the things that we control with these systems. Whether it be operational technology or the things that we proliferate out into our homes, all these interconnectivity points lead to a different class of cyber threats.

From a Commercial Perspective | Mark Baggett, VP of Industrial Control Systems: It’s not just malicious, it’s financial. Now, we’re looking at countries that can do industrial espionage that can sabotage what you’re doing, so their products are being bought as opposed to yours. If these places can take your plant down, all of a sudden, the price of oil goes up.

Since we have all these open devices, we’re more susceptible to these attacks. We didn’t have these attacks before.

From a Defense Perspective | Ed Suhler, VP of Defense Services: And in the defense world that proliferates into things like drones, into our ships. We’re doing more with less people that means that those people control more things through automated services. So, the threats really reside in the things that they’re controlling.

All of these things can be used as threats that are different than what we typically thought of as threats before. So, it’s a new world.

Securing Internet-connected Devices: Tip of the week

Technology has slowly blurred the cyber and physical lines over the last several decades. Today, the majority of cyber-physical systems rely on OT, and OT is notorious for being unsecure and a target for cyber adversaries.

From a cybersecurity perspective, OT and IT are different in several ways. On staffing, there is a cybersecurity specialization on the IT side. Professionals have been specifically trained and certified in application security, network security, or other security disciplines. In OT, those tasked with security are usually operational technology people. As part of their day job, they have to also deal with security—it’s an add-on, not a specialization.

OT and IT are different, especially in attack outcomes. An attack on IT could lead to data theft, while an attack on OT could lead to injury or loss of life, asset damage, or environmental impact. Traditional cybersecurity measures fail to protect operations from cyber-attacks and leave the OT network exposed, falling short on providing the visibility and protection required for cyber-physical processes underlying in today’s critical industries. And with the convergence of IT and OT, organizations must balance the use of traditional IT security tools at the network and endpoint layer with specialized security tools designed for OT requirements.

Tip of the Week: It’s not just data. Think about the physical processes being controlled by technology today. And protect those.

The escalating attack frequency, combined with an increasingly sophisticated threat landscape, highlights the need to make critical systems more resilient to cyber threats. Organizations and governments must deal with scenarios where they are actively under a cyber-attack, requiring a proactive response, not just a reactive one.

Do Your Part. #BeCyberSmart

OT systems will not be replaced wholesale with more secure systems any time soon. And they need to be cyber resilient—encompassing capabilities for monitoring, detection, correction and protection—today. It is no longer enough just to keep the adversary at bay. A new approach is needed to ensure that critical operational functions continue in the face of today's cyber threats.

More from Ed on OT Cybersecurity in Defense: The OT Cybersecurity Blind Spot: The need for visibility and protection for Level 0

More from Mark on OT Cybersecurity in Commercial Operations: Cybersecurity and safety: Increasing risks and escalating impacts

About the Speakers:

Ed Suhler currently serves as the Vice President of OT Cybersecurity Implementation Services at Mission Secure, where he focuses on implementing Mission Secure’s patented technology to secure client operations from cyber risks. Ed often leads as the technical project manager for customer engagements, including Fortune 10 and 1000 clients in oil and gas, maritime, smart cities, and defense industries. Ed cybersecurity projects cover a range of control systems and critical assets, including transportation management systems, power distribution systems, and unmanned aerial systems (UAS) for the U.S. Navy. Ed holds five patents for applications of cyber protections to cyber-physical systems and has filed additional patents on his research efforts on system-aware cybersecurity methods and techniques. He’s authored numerous white papers on the application of system-aware cybersecurity and its use in industries such as transportation, oil and gas, autonomous systems, and electrical distribution systems. Ed holds a Bachelor of Science in Management and Management Information Systems from the University of Virginia.

Mark Baggett has over 30 years of experience and is an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector, where he’s designed, engineered, and implemented control systems for the industry’s biggest players, including BP, Total, Shell, Exxon, and ConocoPhillips, among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific, and North America. As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities, and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants, and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at the SCADA Technology Summit and AIChE’s 2020 Spring Meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.