According to research published on March 12, 2013 by James R. Clapper, the Director of National Intelligence, “We are in a major transformation because our critical infrastructures, economy, personal lives and even basic understanding of – and interaction with – the world are becoming more intertwined with digital technologies and the Internet. In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.”
What was once considered unthinkable is now a reality: real-life cyberattacks on critical infrastructure have taken center stage in the past few years. Rapidly changing technologies, evolving cyberthreats and advanced, targeted malware have catapulted cybersecurity of real-world infrastructure from an academic backwater to a top government and industry priority. From power plants to water treatment sites, from traffic control systems to financial systems, all the critical infrastructure that was once thought invulnerable to targeted cyberattacks now lies squarely in the crosshairs of nation states as well as individual hackers.
Over the past two decades, asset owners and operators have added IT systems to help improve management of the ubiquitous industrial control systems (ICS) that perform essential mechanical functions of all kinds. These systems have led to improved service, lower costs and technological marvels such as Smart Grids. Unfortunately, they have also exposed critical infrastructure to software vulnerabilities that adversaries can exploit through malware and Advanced Persistent Threats (APTs). These attacks first became mainstream with the Stuxnet malware; however, this past summer we have seen other attacks such as Energetic Bear (also known as Crouching Yeti). This past July, DarkReading reported that more than 2,800 computers have been compromised. This number comes from monitoring known command and control servers.
In the wake of these new attacks, ICS owners can no longer say that they are not under attack. With this new state of mind, they need to take steps to remediate risk. To protect themselves and their stakeholders from escalating cyber threats, critical infrastructure owners must first acknowledge five hard truths.
Truth #1: “Air gaps” do not provide infallible protection against cyber threats and APTs
Critical infrastructure protection has always been a high-stakes business with strong economic and national security implications. Until recently, critical infrastructure providers focused almost entirely on physical security, installing multiple layers or “rings” from the front gate all the way to the most critical inner recesses. The rings are physically separated and not connected to the Internet, creating what are commonly known as “air gaps.”
At the same time, providers are taking advantage of the IT revolution by adding IT systems to improve the management of their ICS systems and the Supervisory Control and Data Acquisition (SCADA) systems that monitor and control them. This development is important because SCADA and ICS systems are not so much soft targets as brittle ones, hardened against physical threats to operate reliably in one specific way for years or decades. Any deviations from accepted operating conditions – such as those malware can introduce – can jeopardize the controller and anything the controller affects.
Air gaps and brittle, unpatched IT systems make a dangerous combination. Many asset owners, operators and regulators worldwide believe air gaps provide fail-safe protection against cyberattacks and APTs. The physical air gaps have thus fostered mental ones, an “it can’t happen here” sense of invulnerability that can lead to negligent or even reckless behavior when it comes to cybersecurity.
The reason? Cyberattacks can pass through traditional safeguards – “guards, guns and gates” – like ghosts. Connectivity isn’t just via a hard line anymore. Whether acting intentionally or hoodwinked through social engineering, the insider threat is as real here as it is with government classified data or next-generation product IP.
Interested in learning more? Over the next couple of weeks, check back on the blog for Truths 2 through 5.