Why CNI control systems are more vulnerable than ever
Geoff Krechting, Technical Architect at L-3 TRL Technology, argues that the security of the UK’s operational technology needs to be taken more seriously, and suggests that security is as important as reliability and safety when it comes to our critical national infrastructure.
An unnamed water treatment and distribution company servicing millions of customers is reported to have been attacked by a known hacktivist group. The attack resulted in the manipulation of safety-related chemical treatments, which could have posed a significant and dangerous risk to the health of the households that rely on the company for safe, drinkable water.
The report, which features in the 2016 Data Breach Digest, published by global communications provider, Verizon, identifies typical control system security failings. It adds to the evidence that control systems within worldwide critical national infrastructure (CNI) are of genuine interest to threat groups, and that the capability to attack them not only exists, but will be used (the damaged German steel mill, the Ukrainian power grid etc).
CNI and the Internet of Things
It’s easy to be swept along in the torrent of sensational reporting of such cyber-attacks, and to believe – and fear – that the threat actors are so capable, intent and malicious that maybe, just maybe, the world is about to end in a great cyber storm.
It’s just as easy to jump to a swift conclusion – that it’s too risky to connect critical systems to the outside world: that information technology (IT) and operational technology (OT) systems should never be linked. The truth is, the ability to do so is both useful and valuable.
Let’s continue with the example of the modern water distribution company. These businesses are required to maintain pressure, reduce leakage, and cut operating costs, despite being faced with ageing and growing networks. Pressure spikes and water hammer pose a risk to the integrity of the network, but the need for greater efficiency and decreased leakage means single point controls are no longer good enough.
As a result, cloud services and Internet of Things (IoT) sensor systems are used to monitor pressure across the network. The data collected is centrally analysed and used to command a small number of cyber-physical systems that enable water pressure to be directly controlled. These cloud capabilities are usually owned and run by an independent third party – not the water company itself.
Securing our critical national infrastructure
How do we secure all this? The truth is, the security of our operational technology is one modern engineering problem that simply isn’t being taken seriously enough, in terms of either regulation or wholesale industry commitment.
You’ll notice I used the cyber security dirty word – ‘regulation’. Many believe regulation engenders a race to the bottom, and they may have a point. But let’s look at CNI businesses in general. They are already heavily regulated for safety – no one disputes that need. In fact, despite the typical cyber security failings illustrated by the report (vulnerable websites routable to the control system, poor control of credentials, etc) the attacked water company had safety systems in place that detected the incorrect chemical mix and raised the alarm before any damage was done. No cyber defence in sight.
Given more time to research the control system – and how to disable those alarms – maybe the attackers could have caused a major incident. Maybe not. The point is, detailed risk assessment and engineering work is carried out before the plant can meet safety regulations. Hazards and possible related accidents are identified, and mitigations are designed, tested and approved to reduce the risks to as low as reasonably practicable (ALARP).
Safety engineering is a highly standardised industry, yet the cyber security threat puts that foundation at risk. The need for a joined up effort towards cyber security in CNI and other safety related environments is clear.
The bedrock of safety is the reliable operation of systems, subsystems and their elements. Failure mode analysis and mitigation for safety usually covers just one or two simultaneous failures – not cyber-attacks, but failures – a device stops working, a cable breaks, a pipe ruptures. Mechanical failure and software errors are a statistical likelihood that can be predicted, and it’s vital that the mitigating systems operate correctly and reliably in the case of failure, to prevent further damage.
Validity of the safety case
If underlying control systems and software-based safety systems aren’t cyber secure, the safety case for their operation is arguably invalid. If, for example, a cyber attacker could manipulate a control system HMI (human machine interface) then the well documented human based 2nd Factor Failure could easily be the result and cause of an outage or safety breach.
Right now the only reason I can see for these safety cases remaining valid is lack of regulation on the urgent need to address cyber security. This is changing, and so now is the time to take on this new engineering challenge.
Plenty has been written about how control system operational technology (OT) is not suited to standard IT security methods – we all know regular patching is inappropriate, and inevitably leads to downtime – but standards do exist (NERC CIP in the US power sector, and IEC 62443 as an international generic baseline).
Businesses that want or need their OT systems to continue to operate both reliably and safely have to consider security just as seriously. Let’s not forget the need to link production to business and billing systems, or the fact that many control systems were acquired in mergers, or bought from a supplier who maintains them remotely. Despite the value in these things, the IT/OT boundary, the IT business systems and the maintaining party’s systems must also form part of the safety/security combined scope.
One sector has taken security seriously for a long time – the high assurance government security sector. L-3 TRL Technology is working to develop high assurance OT-specific cyber protection systems based on our long experience of secure-by-design security architecture, and to repurpose high assurance products from our government product ranges. Our IGUANA-Security branded products provide solutions that enable integrity and trust in control systems to be maintained – continuing their reliable and safe operation.
About L-3 TRL Technology
With 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government, and part of the Cyber Growth Partnership (CGP). Our cutting-edge, best-of-British technology is accredited and approved by CESG, and we have achieved two Queen’s Awards for innovation.
Based in Tewkesbury, Gloucestershire, the company produces innovative products that safeguard people and information around the world from terrorist threats.
For more information, visit www.L-3Com.com/trl