For some, the September 2019 drone attack on Saudi Aramco oil facilities was a wakeup call. Industrial, utility, and other critical infrastructure are subject to ever-evolving external security threats; while cyberattacks have become inevitable, physical risks are intensifying as well. Understanding this harsh truth is a necessary first step toward developing, implementing, and maintaining a comprehensive threat mitigation plan.
Though it’s easy to assume that a devastating attack isn’t likely to happen to your organization, consider how we thought about school and workplace shootings – or even cyberattacks – in the not-too-distant past.
Adversaries are determined to create or exploit vulnerabilities, whether via organized terror cells, criminal networks, malevolent nation-state or nonstate actors, hacking groups, or the lone wolf who is radicalized or randomly intent on doing harm. The threat landscape is further complicated by geopolitical tensions as well as climate hazards that literally burn or blow down trusted lines of defense.
Countering security threats requires resilience born of expectation, prevention, mitigation, preparedness, response, and recovery planning. Following are examples of why and how companies, industry, and the government are working to protect critical assets and systems from attack and optimize response and recovery when disaster strikes.
What’s at risk?
Industrial espionage, sabotage, and destruction are among the goals of attacks on critical assets, systems, and networks. Disruptions to electricity or water supplies, communications, transportation, refineries, dams, or other crucial infrastructure can have significant consequences to human health, the environment, and the bottom line.
Unfortunately, external threats are growing in scope and complexity. “Critical utilities such as oil and gas facilities are increasingly vulnerable to attacks from adverse foreign powers – not only by physical drone attacks, but also from hostile nation-states executing professionally orchestrated multistage cyberattacks,” observes Elad Ben-Meir, CEO of SCADAfence.
Coincidentally, the drone strikes on the Saudi Aramco oil processing facility and oilfield occurred just days after the conclusion of the Global Security Exchange (GSX) 2019 conference, where friend and foe drone applications were a prominent topic. One eye-opening session covered how drones pose a 3D threat and why counter-drone measures are necessary.
The speaker described several potential malicious uses of unmanned aerial vehicles (UAVs), such as using them to access, disrupt, or manipulate encrypted electromagnetic systems; carry chemical, biological, or radiological (CBR) agents or contraband such as guns, improvised explosive devices (IEDs), flamethrowers, or virus-bearing flash drives; or carry and disperse hazardous aerosols or powders. He added that inadvertent threats from negligent drone use must also be mitigated.
It is a reminder of how lines are blurring between physical and cyber threats: A physical intrusion by a person or drone carrying malware on a flash drive is as risky as someone penetrating the network from a remote computer. Likewise, a system disruption can compromise networked physical security devices.
Increased exposure to cyber risk is an unintended consequence of digital transformation. “A compromised internet-connected device could create a pathway for attacks on connected systems, including critical control systems,” says Sid Snitkin, vice president of cybersecurity services at ARC Advisory Group. “Recent incidents like the Ukrainian power outage and disruption of Norsk Hydro aluminum production demonstrate the importance of sustaining cyber defenses.”
However, the benefits of digital transformation are too large to ignore. “Every company will eventually be impacted by the introduction of new technologies in plants, and the need to support open connectivity with other systems. Consequently, digital transformation will create the need for integrated cybersecurity strategies that span information technology (IT), operations technology (OT), the internet of things (IoT), cloud, and mobility,” explains Snitkin.
While security-by-isolation may remain the approach for highly critical situations, such as with nuclear power plants, this will no longer be an acceptable approach for most facilities, Snitkin believes. The focus on avoiding cyberattacks will have to be replaced by efforts to proactively manage attacks. This will require everyone’s involvement and the use of common tools that enable coordination.
“It will require more-advanced endpoint and network security technology to detect, identify, and isolate attackers,” says Snitkin. “This will also require secure remote access to facilities for external cybersecurity experts to manage sophisticated attacks.”
Control systems are not the only cyber targets: Phishing and hacking campaigns and intellectual-property breaches are also occurring. An October 2019 ransomware attack on Pilz, a German manufacturer of industrial automation tools, affected the company’s server and communication systems worldwide and, for a period of time, all computer systems were disconnected from the internet as a precaution.
In the announcement of its recovery one month later, Pilz included a call to action: “We must all make a great effort to ensure that this type of organized criminality is given greater attention and that companies, associations, authorities, and politicians work more closely together in the future to ensure that other companies and institutions are spared what we went through.”
Establishing priorities
With security being a global imperative, it is necessary to prioritize the efforts. The U.S. government has identified the following 16 critical infrastructure sectors:
- Chemical sector
- Commercial facilities sector
- Communications sector
- Critical manufacturing sector
- Dams sector
- Defense industrial base sector
- Emergency services sector
- Energy sector
- Financial services sector
- Food and agriculture sector
- Government facilities sector
- Healthcare and public health sector
- Information technology sector
- Nuclear reactors, materials, and waste sector
- Transportation systems sector
- Water and wastewater systems sector
“Critical infrastructure assets, systems, and networks face many threats, including terrorists and other actors seeking to cause harm and disrupt essential services through physical and cyber attacks; severe weather events; pandemic influenza and other health crises; and accidents and failures due to infrastructure operating beyond its intended lifespan,” says William (Will) McNamara, security and resilience analyst and a leader of voluntary vulnerability assessments at the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
The federal government is concerned about all of these threats and the risk they pose to each of the 16 sectors “because the safety and well-being of American citizens and our national economy depends on essential services provided by critical infrastructure,” explains McNamara. “The capabilities of an organization to identify and adapt to changing conditions and disruptive events are as important as the physical design of infrastructure in achieving resilience.”
Influential alliances
Public/private partnerships and global industry alliances help to establish, implement, and continually improve security best practices.
The federal government works continuously with its partners in private industry to prevent threat events from happening in critical infrastructure and mitigate the impact they might have. Voluntary assessments, protective measures guides, threat bulletins, risk analyses, and other material and resources from DHS are all valuable in supporting risk management decisions.
90% of OT organizations experienced at least one damaging attack in the last 2 years, according to Cybersecurity in Operational Technology: 7 Insights You Need to Know by the Ponemon Institute, for Tenable, March 2019.
DHS’s voluntary critical infrastructure assessments, such as the Infrastructure Survey Tool (IST), analyze and provide insights into the security and resilience of facilities, identifying capability gaps and vulnerabilities, says McNamara. This helps inform owners’ risk management planning and resource decisions, allowing them to make changes that may serve to deter would-be attackers, improve detection of potential threats, or minimize the impact of a possible attack on the physical facility components, its personnel, or operations.
“Effective response and recovery are important aspects of achieving infrastructure resilience,” explains McNamara. “Coordination and communication with local first responders; the ability to continue operations despite the loss of a critical service; the existence of plans for various incidents (including terrorism); plans and resources that enable rapid repairs or replacement of damaged assets – all are areas explored through CISA assessments that speak to a facility’s ability to perform timely and efficient response and restoration.”
The Operational Technology Cyber Security Alliance (OTCSA) was recently established to help OT operators in industrial, utility, and critical infrastructure organizations to better mitigate evolving cyber threats. ABB and Mocana are two of its founding members.
Dean Weber, chief technology officer of Mocana, credits three “game-changing” OT cyberattacks – TRISIS (aka TRITON/HatMan), Havex, and Stuxnet – with intensifying attention to risk assessment, mitigation, and response preparation. OTCSA aims to help address the challenges.
Open to all OT operators and IT/OT solution providers, OTCSA differs from other alliances that are focused on cybersecurity education and standards. “OTCSA member organizations will collaborate to deliver actionable recommendations, tangible standards, and critical protections to OT operators,” explains Satish Gannu, chief security officer and SVP of architecture and analytics at ABB Ability.
“While addressing the aspects related to people, process, and technology, these robust security guidelines will cover the entire lifecycle from procurement, development, and deployment to installation, operation, maintenance, and decommissioning,” Gannu says.
For example, the security for SCADA and manufacturing execution systems (MES) has traditionally been regulated on individual devices rather than on one system, making protection more challenging to manage, says Gannu. To combat this, OTCSA member organizations will encourage operational executives to integrate individual systems into the overall enterprise cybersecurity governance for better protection.
The Global Cybersecurity Alliance was created in 2019 by ISA, the developer of the ISA/IEC 62443 series of consensus-based industrial automation and control systems cybersecurity standards. This alliance was established with the objective of accelerating and expanding standards, certification, education programs, advocacy efforts, and thought leadership to proactively improve cybersecurity readiness. Membership is open to any organization involved in industrial cybersecurity, such as end users, automation providers, system integrators, consultants, and government agencies.
Resilience-focused strategies
Because external attacks are inevitable and the consequences can be devastating, today’s ever-evolving threat environment demands dynamic, proactive resilience strategies that combine a variety of security technologies and practices.
DHS CISA programs and services for infrastructure security, cybersecurity, and emergency communications are available to public and private sector partners. CISA seeks to “help organizations better manage risk and increase resilience using all available resources, whether provided by the federal government, commercial vendors, or their own capabilities.”
Property risk assessments support security planning by evaluating risk factors such as hazardous materials, processes, and waste; combustion; environmental impairment; and climate-related conditions such as fires, flooding, and hurricanes. Look to insurance companies or risk management professionals for this service.
Threat modeling and simulation tools help organizations better understand and manage their security vulnerabilities and the impact of changes. This strategy can be applied at the enterprise, plant, process, asset, or industrial control system (ICS) level.
Business continuity management systems (BCMS) strive to ensure resilience should a disruption occur, regardless of the reason. Standards for BCMS are the focus of ISO 22301:2019: Security and resilience—Business continuity management systems—Requirements and its predecessor from 2012. The standards address how to implement, manage, and improve a management system to protect against, prepare for, reduce the likelihood of, respond to, and recover from disruptions.
Following BCMS standards is beneficial for high-priority sites and processes, even in industries that are not highly regulated. For example, a BCMS helps to understand dependencies in the global supply chain – upstream and downstream – and determine where to certify backup suppliers so that products and services can still be delivered at an acceptable capacity should there be a disruption with the primary supplier.
Disaster recovery plans, a subset of the BCM strategy, methodically detail instructions for getting systems up and running after a disaster. The plans should be updated at least annually.
Physical and cybersecurity standards help companies advance their reliability and resilience efforts through compliance and certification. Examples include the Certified Protection Professional (CPP) and Physical Security Professional (PSP) certifications from ASIS International; ISA/IEC 62443 Cybersecurity Certificate Programs for IT and ICS professionals; and Critical Infrastructure Protection (CIP) standards and requirements for electric power utilities from the North American Electric Reliability Corporation (NERC).
Security technologies and systems are numerous and varied; these encompass surveillance via drones, robots, radar, or sonar; smart fencing and access control systems; body scanners; biometrics; pass-through or handheld X-ray scanning of packages, parcels, cargo, or vehicles; gas and radiation detectors; secure-by-design IoT devices; and ICS monitoring solutions. When the inevitable occurs, emergency communications systems, backup power, and data recovery capability are imperative.
Physical attack response technologies such as gunshot detection and locator systems or anti-UAV systems can prove useful. For protection from drones by drones, one example is AeroGuard, an autonomous, rapid-response drone interdiction system from SCI Technology that captures and disposes of UAV threats. For fixed or vehicle-mounted drone detection and protection, there is GUARDION from ESG and its technology partners.
Optimal OT/IT resilience systems enable continuous monitoring of control system networks, rapid response, and continued digital transformation. For example, the SCADAfence platform for large-scale industrial/OT networks detects anomalies and security events and issues alerts and actionable warnings. The Dragos platform identifies, analyzes, and provides guided investigation and response to ICS threats.
Because external physical and cyber security threats are dynamic, the resilience strategies applied against them must be dynamic as well. Ensuring a timely, efficient response and restoration when – not if – an attack occurs is fundamental to holistic security threat management.