SoS Musings #38 - Critical Infrastructure Cybersecurity

SoS Musings #38 -

Critical Infrastructure Cybersecurity

According to the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors, which include chemical plants, energy, communications, critical manufacturing, emergency services, dams, transportation, information technology, healthcare, and more. These infrastructure sectors are deemed critical due to the necessity and sensitivity of their assets, systems, and networks. Security, national economic security, public health, and safety would be significantly weakened if such elements of a critical infrastructure sector were disabled or destroyed by malicious hackers. Claroty, a cybersecurity company focused on developing security solutions for industrial control networks, released a report in March, titled "The Global State of Industrial Cybersecurity," which reveals that there is a higher level of concern among IT security professionals across the U.S., UK, Germany, France, and Australia, about cyberattacks on critical infrastructure than an enterprise breach. Over 70 percent of the 1,000 participants in Claroty's survey believe that cyberattacks on critical infrastructure are more likely to inflict more damage than a data breach experienced by a company. A major cyberattack on U.S. critical infrastructure could lead to significant consequences. Research conducted by Lloyd's of London and the University of Cambridge's Center for Risk Studies found that if the electric grid in fifteen states and Washington, D.C. were to be taken down by hackers, it would result in power outages for 93 million people. Such an incident would lead to increases in mortality rates, a decline in trade, poor water supply, and the damage of transport networks. A cyberattack of such a scale on critical infrastructure could cost the U.S. economy $243 billion to $1 trillion. As cyberattacks on critical infrastructure have the potential to impact people's health and well-being as well as economic security, it is essential to explore the vulnerabilities and threats faced by such infrastructure and improve efforts to address them.

The different critical infrastructure components face threats and contain vulnerabilities that call for the continued development and research of security solutions. Operational Technology (OT) encompasses the hardware and software used to monitor and control the performance of physical devices, processes, and infrastructure. Industrial Control System (ICS) is the main component of OT that refers to the various kinds of control systems and related tools, including devices, systems, networks, and controls, used in the operation or automation of industrial processes. SCADA (Supervisory Control and Data Acquisition) is a subset of ICS, which refers to systems of software and hardware-based components that enable industrial organizations to locally control industrial processes, monitor real-time data, log events, and directly interact with devices such as sensors via Human-Machine Interface (HMI) software. SCADA systems help to support industrial organizations' efficiency, decision-making, and communication of systems problems to reduce downtime. Several critical infrastructure and SCADA/ICS cybersecurity vulnerabilities and threats exist due in part to the lack of basic security controls for OT systems. According to Check Point Software Technologies, a leading cybersecurity solutions provider for governments and corporate enterprises globally, the most common vulnerabilities include the use of legacy software, default configuration, poor remote access policies, policies and procedures, and lack of encryption. The top threats are distributed denial-of-service attacks, web application attacks, malware, command injection and parameter manipulation, and lack of network segmentation. Other top cyber threats that critical infrastructure firms must be aware of are the growing use of vulnerable Internet of Things (IoT) devices that hackers could use to infiltrate critical infrastructure networks, the lack of security in the design of OT, and the inability to identify all devices connected to an OT network as well as the security flaws these devices possess. The recent growth in remote workers due to COVID-19 increases the risk of cyberattacks on critical infrastructure, as there are employees who must now access ICSs and OT networks from home where secure connections and data protection are often inadequate. The cybersecurity skills shortage also plays a role in the vulnerability of critical infrastructure to cyberattacks as indicated by a study conducted by E&Y, which pointed out the lack of skilled professionals to help identify and remediate threats to OT systems as well as the inadequacy of cybersecurity function organizations within the Oil and Gas (O&G) sector. Jeanette Manfra, former Assistant Director for cybersecurity for CISA, also emphasized the threat posed to national security by the cybersecurity workforce gap. The growing cybersecurity skills shortage means fewer professionals to protect the nation's critical assets from cyberattacks that could allow adversaries to cause damage, inflict harm, or manipulate the public's trust. These vulnerabilities and threats must be addressed.

Several studies highlight the vulnerability of critical infrastructure systems and the different ways in which this vulnerability can be exploited by adversaries. A researcher who goes by the online name Wojciech used a tool that he developed, called "Kamerka" and open-source intelligence (OSINT) to demonstrate how adversaries can easily gather information on critical infrastructure in the U.S. Using Kamerka, Wojciech scanned the internet for ICS devices and protocols, which led to the discovery of 26,000 internet-exposed ICS devices in the U.S. Kamerka could also be used to determine where ICS devices are geographically located and which critical infrastructure targets may be considered attractive to an adversary, further highlighting the ease at which a threat actor could gather intelligence on U.S. critical infrastructure that could be used to find valuable targets. According to researchers at the New York University Tandon School of Engineering, public electric vehicle charging stations could be exploited by hackers to execute remote attacks against urban power grids using information generated about a station's location, charging time, and average hourly power draw, which informs the manipulation of demand at a particular charging station. Another study by researchers at Princeton found that a botnet made up of thousands of compromised connected home appliances such as air conditioners and water heaters could be used to overwhelm the power grid and cause mass blackouts. Security researchers at Ben-Gurion University of the Negev (BGU) also warned of the potential exploitation of firmware vulnerabilities in widely sold commercial smart irrigation systems to allow attackers to control watering systems remotely. The BGU researchers said attackers could form massive botnets of smart irrigation systems that could empty an urban water tower or a flood water reservoir in a short amount of time. The North American Electric Reliability Corporation (NERC) published a report discussing an incident that occurred in March 2019 in which external entities exploited a known vulnerability to cause firewalls at multiple U.S. power generation sites to reboot for ten hours repeatedly. Findings from an audit of the water system in upstate Middleton, New York, conducted last year by the New York State Comptroller's Office, revealed cybersecurity flaws in policies and procedures that could have allowed hackers to infiltrate the city's networked water system. The policies and procedures lacked information on technology employee duties, proper portable device usage, or monitoring of networked water system devices. Employees were also not provided with security awareness training. These studies call for the improvement of cybersecurity policies, IoT device security, maintenance of security systems such as firewalls, security training, and more, to bolster the security of critical infrastructure.

There are efforts to bolster critical infrastructure cybersecurity. The U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) awarded Cyber Apex Solutions, LLC, - a five-year Other Transaction Agreement (OTA) valued at a maximum of $70 million in support of applied research on prototype cybersecurity defense technologies that would bolster the protection of critical national infrastructure sectors. The funding provided by S&T through this OTA contract helps further the testing, evaluation, and transition of prototype cyber-defenses that would reduce the potential damage to critical infrastructure sectors that could be caused by cyberattacks. Security training is one area of focus in the improvement of critical infrastructure cybersecurity. Jeanette Manfra, said the agency is improving its prioritization of training for cybersecurity professionals to fill the gap of talent needed to help strengthen security for U.S. critical infrastructure. According to Manfra, DHS is working on developing a curriculum aimed at cultivating the cybersecurity skills of kids in grades K-12 as well as a workforce training program to recruit and retain those skilled in cybersecurity. Researchers are also continuing their efforts to improve the security of different critical infrastructure sectors. For example, Milos Manic, professor of computer science and director of the Virginia Commonwealth University's Cybersecurity Center, in collaboration with researchers at the Idaho National Laboratory (INL), developed a power grid protection system, called Automatic Intelligent Cyber Sensor (AICS), which is inspired by the human body's autonomic nervous system in that it uses Artificial Intelligence (AI) algorithms to continually learn and improve itself as the power grid faces attempted hacking attacks. INL itself has a cybersecurity program that works to protect control systems such as those used for energy pipelines, nuclear power plants, drinking water systems across the U.S. A new global alliance, called the Operational Technology Cyber Security Alliance (OTCSA), was formed to improve OT security through a five-pronged approach which involves strengthening the cyber-physical risk posture of OT interfaces and guiding OT operating on best security practices. Research, training, and development are essential to improving critical infrastructure security.

The manipulation of these critical infrastructure systems by malicious actors poses significant threats to citizens' safety and well-being. Government agencies, private companies, and the security community are encouraged to develop or improve methods for bolstering the security of such systems.