They have long worked under the familiar, unrelenting demands of continuous production and distribution borne by all operators of critical industrial infrastructure.
In recent years, deregulation and 'best practices' have pressured them to infuse openness into facility control systems to allow sharing of operating information throughout the enterprise. Since 9/11, new geopolitical realities have brought an intense pressure to secure their operations as never before. How can they cope with these three imperatives while satisfying shareholders, regulators and customers?
The answer lies in understanding the true nature of the cyberterrorist threat, recognizing the gap most companies currently have in their defenses, and understanding how 'best practices' for defeating control-system cyberterrorism have fundamentally changed.
A new vulnerability to the intruder beneath
In recent years, most companies that operate critical industrial infrastructure have invested heavily in protecting their high-level corporate information systems from cyberterrorism, and for good reason. Significantly, a corresponding investment in securing plant- and facility-level control systems has largely not materialized.
Industrial monitoring and control systems are directly connected to station equipment. A cyberterrorist attacking the control system layer can cause complete service interruptions, loss of generating capacity, environmental damage and unsafe working conditions.
Control system layer computers and other control devices (e.g. IEDs, PLCs and RTUs) increasingly utilize Ethernet ports, web servers, wireless networks, and other remote access techniques to enable timely information sharing and troubleshooting. The associated supervisory control systems and software typically also lack adequate cybersecurity upgrades. This combination of evolving control layer technology and lagging security investment makes the control system layer especially vulnerable to attack by cyberterrorists.
The cyberterrorist's weapons of choice bear a strong resemblance to those commonly used to infiltrate higher-level information systems: Trojan horses, viruses, worms, denial-of-service programs, password/ID theft tools, etc. However, there is a dramatic difference between the security tools that will work effectively at the enterprise level and those required at the control system level. For example, password lockout, frequent patch updates and periodic virus scanning all have a problematic application history at the control system level.
Control level computers must operate with extremely high availability and fail-safe performance. Losing information to a cyberterrorist at the enterprise level might ruin an accountant's day and force backup retrieval; losing control of plant equipment to a cyberterrorist might result in a human and economic catastrophe.
It is also critically important to understand that external threats are not the only part of the problem - they are actually the smaller part of the problem. Nearly 70 percent of documented cyberterrorist incidents come from within the enterprise, often perpetrated by disgruntled employees or contract/consulting staff. Many corporate firewalls are not designed to stop internal threats. For the control system layer, designing a cyberterrorist defense that is entirely outward-focused is a prescription for failure.
Bridging the cybersecurity gap
In the U.S., federal and state government agencies are actively promulgating standards for cybersecurity within critical industrial infrastructure based on five key functions:
- Monitor: an initial, comprehensive vulnerability assessment followed by continuous, automated monitoring.
- Detect: recognition of unusual operational patterns indicating possible attack.
- Notify: real-time notification and alert of appropriate personnel.
- Protect: effective neutralization and quarantine of cyberattackers.
- Recover: safe, timely operational recovery from successful cyberattacks.
A comprehensive, initial security assessment of the control system layer is the foundation of a successful cyberterrorism defense. It should produce an accurate characterization of the nature and magnitude of cybersecurity risks inherent within a particular system, and corresponding corrective actions.
An accurate assessment will enable the design and implementation of a security system to effectively perform the five key functions listed above. Systems are available that will give management a continuous view of its operations and an effective, real-time defense 24x7x365.
Grasping the principles
Effectively securing critical infrastructure operations from cyberterrorism requires that management observe four important principles:
- Understand that the control system layer is a vulnerable point of attack with potentially serious consequences.
- Recognize that security tools designed for higher, corporate-level information security do not adequately address control layer security threats.
- Plan to build a defense that will handle attacks from outside and from within the enterprise.
- Apply 'best practices' in creating a control level security system that will perform these five key functions: monitor, detect, notify, protect and recover.
Today's economic, regulatory and geopolitical realities require critical infrastructure personnel to adequately secure operations while effectively sharing information within an enterprise and preserving continuous operations. The technology exists to achieve this goal. Applying this technology, while observing the principles outlined above, is our best defense against cyberterrorism.
Brian M. Ahern is president and CEO of Verano, Inc. (www.verano.com).