In the past two years alone, we have seen a greater appetite by adversaries to attack critical infrastructure OT systems, often using the same tooling used against IT systems, such as ransomware. The consequences can be severe, ranging from annoyance and inconvenience to major financial loss and possibly even loss of life. How are attackers gaining access, and what can be done about it?
When a critical infrastructure system is subjected to a cyberattack, there can be widespread loss of essential services to citizens, with results ranging from annoyance at the inconvenience, to financial loss, to possibly even loss of life. One of the vital components of most critical infrastructure operational technology (OT) systems, whether in hospitals, mining, traffic control, electricity distribution and generation, gas pipelines, water treatment or transportation, is a SCADA (Supervisory Control and Data Acquisition) system. These provide management teams with essential, centralized, real-time data on production, improve plant and personnel safety, and reduce the cost of operation.
There are different levels to a SCADA system, each involving different equipment. At field level there are I/O signals, sensors and actuators; at control level there are Programmable Logic Controllers (PLCs) and other computer systems that control some sort of physical process; at supervisory level we find human-machine interface (HMI) and historian software; at plant level there are manufacturing execution systems (MES); and at corporate level, Enterprise Resource Planning (ERP). Each of these levels is increasingly linked to the next by standard communications protocols, and the upper levels are connected to outside networks. This efficiency comes at a price: every new link is a path by which the SCADA system, and the critical infrastructure of which it is part, can be reached from internal and external sources.
The cyber risks to OT systems come down to four main challenges: lack of cooperation between different teams in an organization, increasing digitization, moving from specialized systems to commodities, and a shift in the electricity supply chain. Here we consider the challenges and offer possible solutions to help build more cyber-resilient critical infrastructures and OT systems.
Challenge 1: Cooperation
Traditionally, there is a barrier between the operational units managing the OT systems and the organizational units operating the IT systems. OT staff are specialists in the processes they run, and their priority is to keep everything up and running as it should be. They don't necessarily focus on cyber risks, and have a tendency to skip basic cyber rules when installing or modifying hardware, software, or processes. For example, in many cyber compromises, the default password of a PLC (programmable logic controller) had been left unchanged, opening a wide door to cyber adversaries or any other unauthorized access. Had the organization's cyber experts, who usually sit in the IT area, been involved in that installation, this weakness would not have been allowed to stand.
Challenge 2: Digitization
In recent years, there has been a clear trend to digitize critical infrastructure, specifically electric utilities, largely to make those systems more accessible to a broader group of entities, including customers, new players, regulators, and more. Digitization changes the tightly isolated OT systems and processes, enabling them to interact with the outside world. Another angle of digitization is the transfer of OT systems to the cloud, even public cloud environments. Without proper expert cyber involvement and mitigations, these trends are potentially a significant risk to supply security, energy security, and the business.
Challenge 3: Moving from specialized systems to commodities
The traditional OT systems on which critical infrastructures are based tend to be specialized, built on hardware, operating systems, software, and firmware designed specifically for their intended use, and involving commodity components only in side functions, if at all. In contrast, the modern OT systems that are added to enhance functionality and effectiveness, or to replace aging systems, are based on commodity hardware, Linux and Windows operating systems, standard programming environments, and open-source elements. Today, even Programmable Logic Controllers (PLCs), the heart of the control systems, are based on standard commodity hardware and software, and some are software-only. Again, this potentially holds great risk for the OT systems: a commodity platform inherits the publicly known vulnerabilities, and the attack tooling, of the IT world it comes from.
Challenge 4: Supply chain shifts
This challenge is specific to utilities. Driven by the "Triple D" phenomenon of Digitization, Decarbonization, and Decentralization, the intensive transformation of the electricity supply chain is causing a paradigm shift across the board.
Electricity generation, transmission, distribution, and supply systems are increasingly equipped with sophisticated new components, such as renewables, sensors, controllers, smart meters, batteries, and more. New players, like aggregators, virtual power stations and suppliers, and new grid architectures, like microgrids and island networks, are involved, and their equipment is usually unattended. This opens hundreds of thousands of easy-access entry points that adversaries can exploit.
Here too, transition to the cloud is a factor that exacerbates cyber challenges, as the very technology and abilities the cloud provides require access to be granted to multiple vendors. What's more, the electricity supply chain is today made up of smaller and smaller players along the way, many of whom cannot afford to build their own infrastructure and computing systems. Instead, they use shared facilities or SaaS systems, which again increases the accessibility of OT systems to attackers.
Building cyber resilience
In many ways, OT systems are inherently vulnerable. The most effective protection is to segregate them as much as possible from any other environment, ensure that the few connections that remain are authenticated, encrypted and monitored, and route access by third parties, where it is unavoidable, through a jump server that acts as a buffer and a logging point rather than allowing direct connections to control equipment.
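As an added illustration of that segregation (this is example configuration, not part of the original article or of any CybergymIEC product), the following nftables ruleset could run on a firewall sitting between the corporate IT network and an OT cell. All addresses, the historian's port and the jump server are assumptions chosen for the example; the point is the shape of the policy: default drop, one inbound path through the jump server, one narrowly scoped data flow out, and everything else logged and dropped.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article. Assumed addressing:
#   10.10.0.0/16   corporate IT network
#   10.20.0.0/24   OT cell (PLCs, HMIs, historian)
#   10.20.0.50     historian, the only OT host IT may query
#   10.30.0.10     jump server in a DMZ between IT and OT
flush ruleset

table inet ot_boundary {
    set it_net { type ipv4_addr; flags interval; elements = { 10.10.0.0/16 } }
    set ot_net { type ipv4_addr; flags interval; elements = { 10.20.0.0/24 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Weak setting this policy replaces: a blanket rule such as
        #   ip saddr @it_net ip daddr @ot_net accept
        # which exposes every PLC's Modbus (502) or S7comm (102) port to
        # every IT workstation, and every default PLC password with it.

        # IT staff and third parties reach the OT cell only via the jump
        # server, and the jump server may open only SSH and RDP.
        ip saddr 10.30.0.10 ip daddr @ot_net tcp dport { 22, 3389 } accept

        # The one IT-initiated flow into OT: TLS queries to the historian.
        ip saddr @it_net ip daddr 10.20.0.50 tcp dport 443 accept

        # Everything else crossing the boundary in either direction,
        # including any direct IT-to-PLC session and any OT host trying
        # to reach the internet, is logged and dropped.
        log prefix "ot-boundary-drop: " counter drop
    }
}
```

The jump server itself should require multi-factor authentication and record sessions, since with this policy it is the single path by which a human can reach a controller; the log line on the final rule is what makes an attempted direct connection to a PLC visible to the SOC.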
However, there are several steps critical infrastructure operators can take to improve their cyber resilience and prepare themselves for the next attack.
Step 1: Know yourself
The first step is to get familiar with your OT system, down to the smallest detail. This requires a thorough and continuous cyber assessment of all organizational aspects, both internal and external, including people, technology, and procedures, together with the quality of the organization's cyber posture, including geopolitical influences, levels of cyber awareness, professionalism, internal cooperation, culture, and more.
In addition to identifying cyber security gaps and making recommendations for mitigation, the assessment should provide a clear and practical roadmap for achieving optimal cyber resilience, with a detailed plan to execute, backed by clear KPIs, covering the necessary resources and financial inputs. It should also identify which cyber investments are not delivering value. Finally, such an assessment and the resulting plan should be dynamic, so that changes can be made as needed to increase cyber protection abilities.
Step 2: Prevention is better than the cure
There are specific actions that an organization may need to take from time to time that are known to be high risk. Any change, major or minor, that implements or modifies a system or process increases the level of operational and cyber risk. Whether it replaces, adds to, or runs in parallel with what is already in place, or is even a minor software or security patch, there is a risk that it may have some unexpected impact on the production system: it may introduce a fault, cause disruption, or even bring operations to a halt. This matters even more in the OT domain of critical infrastructures, where a halted process can have physical consequences.
One of the most significant prevention steps to take is testing any new addition to the system before using it in the production environment. Most OT environments have no dynamic test-and-staging environment, and carry out only static checks before installation. A dynamic, near real-time platform or service emulating the OT production environment is necessary, so that a patch or configuration change can be exercised against the same controllers and protocols it will meet in production.
Step 3: Train, Train, Train
Everyone, at every layer of the organization, from cyber and IT professionals to management, executives, operations personnel, and regular employees, can contribute to protecting it from cyber threats. From raising awareness of fundamental cyber issues to fine-tuning cyber experts' skills, training is critical to optimize and advance the expertise and capabilities of your employees, and turn them into cyber defenders.
The bottom line
As attackers get more ambitious, more creative, and more dangerous, it is absolutely imperative that the organizations on which people rely for their critical infrastructure take the necessary measures to protect their OT systems from possibly deadly attacks. To this end, CybergymIEC offers a comprehensive suite of cutting-edge, battle-proven solutions and platforms, including unique cyber professional and assessment services, prevention solutions, an emulation platform or service, and training, based on the vast experience of the Israel Electricity Corporation.
Written in collaboration with Yosi Shneck and Raz Mis