Why Industries in Critical Infrastructure Are Doing Cybersecurity Vulnerability Assessments
For years we have heard the doomsday warnings of an imminent cyber-threat, and each time it is going to be “bigger and badder.” From TV series like Mr. Robot (2015) to feature films like Live Free or Die Hard (2007), we have been told that the hyperconnectivity of society enabled by the internet, and our increasing dependence on this technology, is also our greatest weakness.
A key point of exploitation.
Well, that’s right to some degree: it is a key point at which we can be exploited. Normally, when someone mentions a hack you may think to yourself, “yeah, like when that person's photos got stolen,” and you would be correct, but the next level is when a hack can result in physical harm as well.
Not only are we humans connected, but so are the systems and infrastructure we use every day to function as a society. The very tools we built can be turned against us and, what’s more, these attacks happen remotely, over the internet.
But this is just a hypothetical, movie thing, right?
Wrong. This type of thing already happened back in 2010 with attacks such as the famous Stuxnet, the first digital weapon of its kind, and many more since then. This event fundamentally changed what it meant to deploy a cyber-attack: a blow on a country's infrastructure, targeting its SCADA systems, was the first major step towards a digital attack causing physical harm.
The age of digitalization has meant that more and more of these control systems have grown in scope, and the technologies they use have led to the term Operational Technology (OT), as opposed to Information Technology (IT), to delineate the hardware, software, and systems used in this type of environment.
Okay, so we’ve established that there are some pretty sophisticated cyber attacks going on, which now seem to target critical infrastructure. Can’t we assume that we simply need the highest security measures in place to prevent these big hacks?
The answer is yes, and no. You can build a wall low or high, and the higher you build it, the more it costs, while the functionality and performance of what sits behind it decrease accordingly. It is therefore not always possible for every critical infrastructure owner to put a significant portion of their finances into “just” cybersecurity.
Measuring the wall that is cybersecurity isn’t an easy job, but one measuring stick we have is to compare it against a standard. Yes, those beautiful standards that all engineers end up familiar with.
Some standards say that for a system to be compliant you should get a Cyber Vulnerability Assessment (CVA), as defined in NERC-CIP-101-2. Which system do you believe is more secure: one that has never been hacked, or one that has been hacked a few times but improved its security each time?
So now we know that CVAs are being performed, but why, and why now?
Here are the 3 main drivers:
1. Increased Cyber Attacks
Over the years we have seen reports of major threats and hacks such as WannaCry or the 2017 NotPetya attacks against Ukraine, with the rest of the world left as collateral. There are several other hacks that you may have heard of (major data leaks, ransomware, etc.), but these cyber-attacks in particular caused physical or environmental harm as well.
NotPetya, in particular, was probably one of the first incidents that people in the industry would consider an act of cyber warfare. A nation was targeted specifically with known zero-days, including one that Microsoft had announced it already had a patch for. But the attack came too soon, far too soon for the majority of PCs to be updated beforehand. Just imagine the case where you can't get home because you don't have cash. The payment systems are down, you look for an ATM, and it has a ransomware screen that reads
"Your system is encrypted. Pay us 2 BTC to unencrypt."
That is quite an eerie scene, and although this didn't quite hit your home or where you live or work, the fact of the matter is that the number of attacks is increasing.
2. Engineering best practices
Whilst there have always been standards and engineering best practices, it is becoming more and more the case that governments are requiring companies to meet cybersecurity standards. Not just in the United States, which you would expect, but even in Australia, with bodies such as the Australian Cyber Security Centre. Although some of these are only guidelines or best practices and not legislation, you can’t deny the trend of nations addressing cybersecurity for industry and critical infrastructure.
You may even think that Australia is not a particularly high-value target, and you would be correct.
That was partially my point in mentioning Australia's moves: even for a relatively low-value "target", this is a very important area to be aware of, at least according to the government. Just look at the number of potential attacks happening around the world while Australia mostly does its own thing.
If you haven't seen these types of live cyber-attack websites before, they give you some indication of the amount of traffic on the internet that is a cyber threat, in the categories of Malware, Phishing or Exploits.
3. Digitization / Industry 4.0
This trend has been building up, particularly over the last 5-10 years, as you can see the words Industrial IoT come into play. We’re not quite there yet, but we are on the cusp. If you know anything about the history of industry, you know the first industrial revolution, around the 1700s, was the move to steam, and between 1700 and 1800 the next revolution came in the form of superior technology, particularly electricity. Industry 3.0 was the use of computers and improved automation capabilities, and now, in Industry 4.0, we are in full swing of “Digitization”: increased connectivity, increased data for informed decisions and, of course, more vigilance on cybersecurity.
There is also the fact that demand for cybersecurity jobs is increasing, and has been for the last 6 years according to IBM, and there is no reason to expect this trend to reverse as the world becomes ever more connected and an increasing number of aspects of our lives depend on critical infrastructure.
No digitization or connectivity is possible without cybersecurity standards being raised first. Consider online banking: everyone does it now, but without the security afforded by HTTPS encryption and the increased cyber capabilities of both the banks and the technology, you had better believe no one would be banking online.
Check out this interesting infographic, where you’ll notice that the online banking concept was around in 1994, and by 2005 financial institutions were being required to perform risk-based assessments amongst other security measures.
And there it is.
You see, this is the way it goes for industry, and don’t get me wrong, there have been thoughts and some implementation of network security in industry; it’s just not that sophisticated. Most of it was predicated on the infamous "air gap" solution, and while this seems to fix all problems, it doesn’t, and the times, needs, problems, and technology have all changed. Industry is generally 5-10 years behind current technology because a high value is placed on “proven solutions”.
Vulnerability Assessments have been around for at least 15 years, and now they are being made a necessity for industry. But this is not a simple copy-and-paste exercise where the same techniques are reused. It is completely different, mainly because of the differences between an IT and an OT system: the requirements are completely different, and in an OT environment the show must go on. You cannot impact the processes while doing any of the CVA activities.
As an OT Cyber Security Specialist, I have had the opportunity to go to various critical infrastructure sites and can tell you the approach is completely different from a standard IT approach. Industry’s awareness of the importance of a CVA has meant it is reaching a maturity where these activities can take place safely, even in an OT environment.
Critical Infrastructure need not fear.
Business needs, technology, and society have changed over the years, and the drive for better efficiencies, both financial and environmental, is increasingly achieved through data. This means a more hyper-connected industry, and leaning wholly on traditional air-gap solutions as a cybersecurity strategy will no longer cut it.
Attacks have increased, and nations are now focusing their cybersecurity efforts on industry and critical infrastructure. The increase in cybersecurity vulnerability assessments in industry is not driven by an imminent cyberwar, although they would help in one; it is driven by the fact that building any solution first requires correctly defining and identifying the problem itself. That is exactly what a CVA helps a business in industry accomplish: protecting the process, which keeps both the business and people safe.
The industry is starting to catch up.