According to a recent report by Kaspersky Labs, 91% of public-facing ICS components are remotely exploitable.
The estimated cost of a cyber-attack on the US power grid could be as high as $1 trillion according to Lloyds of London.
The reality is that a persistent attacker will eventually breach critical control systems.
Smart Energy International reviewed Price Waterhouse Coopers Global State of Information Security report for 2018 to look at the sort of risks modern SCADA and grid management systems will be facing, and the trends to look out for in the year ahead.
We’re clear-eyed about how vulnerable we really are to new risks associated with emerging technologies, but not about the solution…
GSISS respondents have recognised that a successful attack on automated or robotic systems could be catastrophic – including disruption of operations, the loss of sensitive data, as well as service reliability and quality issues in an increasingly competitive space.
The risk factors indicated are scarily high: Potential losses of up to 40% operationally, 39% losses of sensitive and critical data, and 32% chance of damage to product quality.
Here are a few examples of attacks in recent years that made international news:
• Australian wastewater company contractor disabled SCADA functions, allowing 800,000 liters of untreated sewage to spill.
• A breach of Ukraine’s power grid left one million people in the dark in 2015. The second, during the 2016 peak December shopping period, lasted an hour, but according to experts, may have served as merely a warning for further nationally crippling attacks
• North Korea accused of breaching South Korea’s public transportation systems in 2014 – but not before North Korea also gained access to over 160 000 computers in the private and public sectors.
There is a further reality to be faced. Cybersecurity threats are not being designed to reinforce the silos of data industries protect – they’re being designed expressly to break them, and malware attacks, simple human error, and man-in-the-middle attacks all have the potential to wreak havoc across systems.
So where does the answer lie?
Smart Energy International spoke to Chris Jones, strategic adviser of Infotecs, about some of the rising threats in utility cybersecurity not just those within ICS / SCADA and office networks, but also those that are increasingly having a direct effect on the safety of the human beings connected to them namely employees and customers.
We asked Chris for three important points to bear in mind when planning preparedness strategies for cyber-attacks at utility-level.
Advanced protection against “Man in the Middle” attacks.
These are intended to either steal data from within a (possibly secured) data stream, for the purposes of vulnerability testing, or industrial espionage or, to feed-in false data for more sinister purposes.
More sinister purposes can encompass a surprisingly far-reaching set of likely scenarios. Chris relates an incident reported by a gas operator where false data was entered into their systems, which concealed, and enabled, the over-pressurisation of a gas pipe system – the results were tragic.
“Infotecs solutions are based on real-world technologies that we have developed for clients worldwide to support mission critical systems. This has required coming up with some very new ways of looking at cyber-threats.
Subsequent to the launch of GDPR, we have noted an increased level of vulnerability within our utility clients operations – a vulnerability that can result in hundreds of thousands of euros in fines, and millions in lost revenues.”
1. Insist on systems that require more than a promise and a “handshake”.
Traditional secure data communications work in a relatively similar way – encrypted data, along with the “key” to decrypt is “packed” and these packets transmitted within the Utility operating systems, meaning that attackers can access this data simply by logging in as an authorised user, and thus creating a vulnerability that is both difficult to impossible to track or detect.
User-cloning, credentials theft through phishing, and brute-force attacks, designed to “crack” user logins are all too common, as are malware attacks, but more on those to follow.
Infotecs has redesigned this interaction in order to cut brute force, phishing, malicious human attacks or user negligence at the start. Instead of transmitting the “key” along with the data, the keys are pre-authorised, “sent ahead” and stored at the data-access control point, ahead of the transmission of the data.
The data is then communicated in a separate stream, and fully encrypted. Each data packet in fact, is individually encrypted, and an individual digital signature attached. If the encrypted packet arrives at a set point, and the signature does not match the one held at that point, the data is rejected.
The result is a fully-traceable, inherently secure system, secured before any data is ever sent, and specific users, or a user, who may have orchestrated a data attack can be traced.
But what if they could be prevented?
2. Be dynamic rather than static or reactive defensive regarding cybersecurity.
The most advanced solutions are seeking to marry advanced threat intelligence with AI and machine learning which creates a self-learning, semi-autonomous system capable of detecting possible attack vectors and sources.
We’re dealing with billions of bits of data, impossible for humans to sort and detect possible patterns that could represent an attack – we need advanced systems capable of detecting all possible sources of attack, beyond false-positives.”
“Malware is becoming sophisticated enough to be able to slip into data streams as separate, undetectable components, self-assembling once a critical mass of data has been reached, only being detected once the damage has already been done.
Furthermore, hackers have developed new forms of malware, capable of lying in this “disassembled” state and dormant, for up to years at a time, before executing its function. One could even patch the system to no effect,” says Chris “In that scenario, even backups would be infected, meaning that the system, once corrupted, would remain vulnerable for years to come.
“The reality is that advanced threat detection should be an essential part of your ongoing systems development, and a partner with the right experience and expertise will ensure you have access to best resources to detect potential threats so business can continue unaffected”.
3. Cybersecurity can always be improved.
“Attacks, in particular malware, are evolving at an alarming rate. Ensure that the system you implement can be modular, and customized to work within your specific scenarios as both growth in operations and the growth in threats, continue. Much of the worlds Critical Infrastructure data is now deployed on Cloud servers, predominantly either Amazon Cloud (AWS) or a Microsoft Azure Cloud. Modern Cybersecurity must be able to secure point-to-point and end-to-end Cloud-based operations and secure monitoring.
Equally important is securing Operational Technology, Industrial Control Systems (ICS) and SCADA.
We need to deploy security solutions that are specifically designed to protect ICS and SCADA infrastructure including IIoT industrial systems, machine-to-machine interaction (M2M) and the more traditional legacy systems.
Last, but not least, Senior executives using tablets and mobile phones, field service personnel using tablets and hardened field diagnostic devices, and even drone based video inspection of critical assets are often using unencrypted communication channels which are, therefore, vulnerable.
From a Cybersecurity strategy point of view I believe that we now need to be using the strongest possible encryption on voice, e-mail, video, chat and file exchange on all commercially available smartphones, tablets and other specialist devices including smart meters, plc’s, and drones throughout the business.” says Chris as our meeting concludes and he preps his next call.
“The reality is that as Smart City infrastructure, IoT, and other unifying technologies continue to grow, so will vulnerabilities. Work with a partner who takes the business of understanding and providing cyber-security now, and in the future, as seriously as you take the business of understanding the future of power”.