Credit to Author: Ronald Jules Hebert, Jr.| Date: Wed, 06 Dec 2017 13:45:59 +0000
The Operational Technology (OT) networks (such as industrial control and supervisory control and data acquisition systems (ICS/SCADA) that run today’s modern society are a collection of devices designed to work together as an integrated and homogenous system. If one of these systems fails, it can have a catastrophic domino effect. For example, electricity requires telecommunications to transfer information on wheeling power from the electrical grid. This same telecommunications is used to enable financial transactions for both electrical producers and consumers. Electric generators rely on coal, natural gas, oil, etc. to power the telecommunication and financial companies. Railroads and trucks provide transportation for the delivery of their products to produce energy. And on it goes.
The point is that all of the resources and services produced by the 16 Critical Infrastructure Key Resources (CIKRs) are intertwined in order to enable and sustain society’s standard of living.
The cyber manipulation of the OT systems and devices essential to a nation's security, public health, and economic vitality (known collectively as Critical Infrastructure and Key Resources, or CIKR) and the importance of protecting these and similar CS/SCADA systems has been a key focus as far back as the 1990s. That may seem like a long time ago, but the measures put in place then to protect these systems became the security technologies used to protect IT systems today.
Securing CIKR is a big challenge for a number of reasons. First, these systems were originally designed to be stand-alone and air-gapped, so that no outside protection was needed. They are also workhorses that produce products continuously, so downtime even for maintenance or patching can be difficult. And because they can last 30+ years in their life cycle, the equipment or operating systems running them is often far out of date or even obsolete.
This is all changing. Some of the biggest changes to these OT systems are that they are no longer stand-alone systems. In many cases, they are now connected to corporate networks to provide business information and data. And their telecommunications are increasingly being connected to the Internet and/or telecommunications carriers in order to respond in real time to shifting system or consumer demands.
The CIKR industry has been slow to adopt newer technologies because their OT systems have been able to consistently produce an end product that is essential for our modern society for years using their current processes. Whether that product is electricity, pharmaceuticals, chemicals, food, etc., these OT systems have historically been able to work day in and day out without catastrophic failures. This does not mean that parts in the system don’t fail at times, but such systems are designed with enough resiliency to absorb such failures and keep producing their product. Which is why legacy systems from the late 1980’s are still in operation today that are essential to the production of even the newest products delivered by the 16 CIKRs.
Modern security specialists, especially in IT environments, often ask why OT systems aren’t better protected from cyberattack. It’s clear that many of these legacy systems were never designed for cyber protection, potentially putting critical services and even lives at risk. Of course, layers of cyber defense protection can be added to them today, but that comes with a cost, both in terms of deployment and engineering, as well as ongoing operations overhead. Another approach would be to bake protection into the hardware for continuous coverage. That would be the best long-term answer and is being investigated. But given the lifespan of much of the equipment in place, it may take decades for a natural transition to more secure systems to occur. And besides the risk to interrupting essential services, updating these systems comes at the same sort of expense as overlaying security technologies.
Cost is always a factor in making decisions for long-term investment in OT systems, due both to their longevity and their incorporation of legacy systems. One proposal for how to fund the evolution needed is to pass the costs through to the consumers of the services. This might not be a sustainable solution, however, because the consumers of the products produced by these OT systems and end devices have the long-term fixed costs of these resources figured into other expenses. The additional expense of new technologies, combined with their dramatically shorter lifecycles may quickly become cost prohibitive. Some of these costs also may not be able to be passed on to consumer due to laws, regulations, etc. Achieving consensus by vendors and OT system owners on the cost of protecting OT systems, and how to fund those changes, has been a struggle for decades.
Until recently, there was no real evidence that there was any need for the kind of baked-in solutions required to protect these systems against cyber threats. But with the advent of things like STUXNET, SHODAN, and the Ukrainian Electrical Distribution and Transmission cyber attacks, along with other incidents targeting OT systems, it has become crystal clear there is a need to protect these systems in order to maintain the viability of today’s digital economy. The immediate need is for security products to protect the CIKRs’ OT systems from end to end, while enabling secure external access to OT systems where required.
This is not news to the OT or ICS/SCADA communities, who have been living with this dilemma since the 1990s. The overall concern for all OT or ICS/SCADA systems is to protect them against all forms of OT cyber manipulation so that the CIKRs can continue to provide us with the goods and services our modern society depends upon.
Given the interconnected nation of the CIKRs, what is the best first step to take in building in protection? And what is the best strategy for managing the cost to upgrade all these CIKRs to be inherently protected, especially considering the expected size of that cost?
Given the interconnections between the various CIKRs, the first step of cybersecurity defense protection has to be to segment these networks into individual lines of control. Such segmentation will protect the different OT environments from each other, so that in the event that one is compromised the others can continue to operate. The next step is to encrypt messaging to prevent others from seeing communications between the human-machine interface (HMI), the Database, and the communication switches at the Remote Terminal Units (RTUs) or Programmable Logic Controllers (PLCs) then onto the end devices. Without access to these messages, an attacker is unable to script a malicious software (malware) message that effectively mimics a real message in order to achieve bad consequences.
There are additional layers of defense that need to be applied, and many of them can be added a little at a time, such as two factor wired and wireless authentication, Security Information and Event Management (SIEM) systems, patch management, etc. The bottom line for CIKR owners is that a product still has to be produced at the end of the process for sale to the markets, whether electricity, petrochemical products, natural gas, pharmaceuticals, food products, water, or waste water treatment, etc. So, the return on investment (ROI) for the cost of such cybersecurity defense protection upgrades has to be weighed against the costs of not producing the end products for sale to the markets should a catastrophic cyber event occur. Which in today’s digital world, seems to be more an issue of when and not if such an event will happen.
Watch Phil Quade's recent video where he discusses the strategic nature of attacks against critical infrastructure and the actions necessary to bring focus on finding effective security measures.