The National Cybersecurity Awareness Month commences today, with week 5’s theme, Protecting Critical Infrastructure from Cyber Threats.
The Department of Homeland Security (DHS) states that the essential systems that support our daily lives – such as electricity, financial institutions, and transportation – are all dependent upon the Internet. Building resilience in critical infrastructure is crucial to our national security. Week 5 looks at cybersecurity in relation to keeping our traffic lights, running water, phone lines, and other critical infrastructure secure. It also facilitates the transition to November’s Critical Infrastructure Security and Resilience Month (CISR), highlighting the tie between cybersecurity and our nation’s critical infrastructure.
Critical Infrastructure
So what is critical infrastructure exactly and how does the average person interact with it? The DHS defines critical infrastructure as “sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety or any combination thereof.”
Basically, there are two components to critical infrastructure: (1) it supports some basic necessity of modern life, like electricity and (2) it is a big organization that would impact a lot of people.
There are 16 critical infrastructure sectors. Think about where you work — odds are, you contribute to the success of a critical infrastructure sector, even if only a small piece of it.
- Chemical. Basic chemicals, specialty chemicals, agricultural chemicals, pharmaceuticals and consumer products.
- Commercial Facilities. Entertainment, gaming, lodging, events, public assembly, real estate and sports leagues.
- Communications. Internet, telephone and cable wired lines, wireless frequencies (cellphones) and satellites (GPS, DirecTV, satellite phones).
- Critical Manufacturing. Primary metals, machinery, electrical equipment and transportation equipment.
- Dams. Hydroelectric power, water supplies, irrigation, flood control, river control and recreation.
- Defense Industrial Base. Design and production of military weapon systems.
- Emergency Services. Police and fire departments, medical services and public works.
- Energy. Electricity, oil and natural gas.
- Financial Services. Banking, credit, investment and insurance.
- Food and Agriculture. Farms, livestock, restaurants, food manufacturing, processing and storage.
- Government Facilities. Federal, state, local and tribal government buildings.
- Health Care and Public Health. Hospitals, clinics, mental health, youth care and family services.
- Information Technology. Hardware, software, systems and services.
- Nuclear Reactors, Materials and Waste. Reactors, enrichment and nuclear medicine.
- Water and Wastewater Systems. Water treatment, storage, drainage and sewage.
One of the biggest concerns with critical infrastructure is with industrial machinery, which can take many forms. Irrigation control, water filtration systems, manufacturing machinery, medical devices, gas meters — all of these types of devices contain computer chips to control some aspect of industrial operation and, increasingly, these devices are connected to the Internet to allow remote control and monitoring.
The DHS says that the best thing you can do to help is to pay attention to potential security concerns and alert the appropriate people at your organization when you notice them.
If you work in any industrial setting — whether it is a farm, doing facilities work on buildings, working in a factory or in other skilled labor jobs like plumbers, electricians or HVAC specialists — pay attention to any devices you interact with, especially if they are internet-enabled.
Industrial Control Systems
What is industrial control systems?
Think of air conditioning in the summer time or heating in the winter. Or, even building security – do you like knowing that the door will unlock when you swipe your badge, or maybe more importantly, do you enjoy having the security that comes with the knowledge that when someone who doesn’t belong in your building swipes their keycard, the door stays locked? All of those luxuries are controlled by Industrial Control Systems (ICS).
Industrial Control Systems or “ICS” is a general term used to encompass several types of devices that manage or regulate the behavior of other devices.
These devices are typically referred to as SCADA, which stands for supervisory control and data acquisition. The meter that measures how much water, gas and electricity you use at your house is an example of a SCADA device. So is a meter that measures the temperature of a nuclear reactor to prevent a meltdown.
Most SCADA devices were designed to reliably perform some task and worried little about security. Furthermore, when those devices were purchased and installed by companies, they were typically installed in industrial settings or in locked boxes, so things like passwords were not even considered. The problem is that, as these devices are connected to the internet, they are exposed to hackers online.
Cybersecurity professionals often do not have good visibility into SCADA devices, since they are usually operated by non-IT personnel. So, if you ever come across electronic devices that use very bad usernames and passwords — like admin/admin or no password at all — let somebody know.
Remaining Vigilant is Key to Preventing ICS Hacks
Why would someone want to target a HVAC system? Think back to the 2013 Target Data Breach that is estimated to have compromised 110 million people. Target was actually compromised through their HVAC system, while using a third-party company to manage their HVAC systems that were not properly cordoned off from the rest of their network. Hackers were then able to break into the network using malware, exposing the card processing system.
While Target is an example of someone using an ICS as a pivot point to reach other critical infrastructure, what about someone using a primary network? In March of 2016, hackers took control of hundreds of PLCs that governed the flow of toxic chemicals that were used to treat water at a regional water utility. The cyber thieves took advantage of the water company’s poor security architecture that had multiple internet-facing systems with high-risk vulnerabilities on the same network as their SCADA platform. The actors were actually able to change flow rates of the toxic chemicals.
Luckily, the alert system provided the water treatment facility enough time to reverse the chemical flow changes, minimizing the impact on the facilities customers. But the hack of the water treatment facility is an important lesson in ICS architecture and highlights the need for independent infrastructure.
The hack of the water treatment facility is an important lesson in ICS architecture and highlights the need for independent infrastructure. Had the PLCs been on their own network that was segregated from the water treatment facility’s primary network, the malicious actors would have never been able to access the PLCs from that vulnerable server.
Enterprises have vast network of industrial control systems from building door badge scanners and HVAC to refueling systems for our ships and planes. The need to protect these systems is as great as ever in 2017 as the landscape of potential threats to our safety is no longer purely physical.
The water treatment facility attack could have put hundreds of thousands of lives in danger had it not been for a couple of alert operators paying attention to their monitoring systems. However, even with the proper safeguards in place; ICS networks are starting to become a bigger target for malicious activity because they have such a high potential of a catastrophic outcome. The only way to aid in eliminating these risks is to always be vigilant and maintain situational awareness.
How Companies Can Protect the Energy Grid and its Most Critical Assets
American electric companies, as owners and operators of this critical infrastructure, are working to keep our energy grid secure. And luckily, the electric power industry understands that a safe and reliable flow of electricity is paramount not only to our nation’s security but also to the well-being of all Americans.
Protecting the energy grid and its most critical assets is the electric power industry’s top priority. In fact, U.S. electric companies invested more than $52 billion last year in transmission and distribution systems. This level of spending is more than twice what it was a decade ago and helps to make the energy grid stronger, more resilient, and more secure.
Because the energy grid is so complex and interconnected, managing it requires constant diligence, planning and coordination. Complicating matters, cyber threats to the grid are not static. They evolve — and so must the industry’s efforts to prepare.
There is no single solution that can make the energy grid completely safe and secure. That’s why electric companies continuously evaluate the different threats they face and the potential damages that can occur from them in order to manage these risks effectively. Given the range of potential incidents, the electric power industry takes a risk-based, holistic approach to grid protection. This approach is four-pronged.
- The electric power industry is subject to mandatory reliability standards developed by the North American Electric Reliability Corp. NERC is an independent, government-certified, standards-setting body that develops and enforces critical infrastructure protection standards for the grid, all under the oversight of the Federal Energy Regulatory Commission. The electric power industry is the only critical infrastructure industry subject to mandatory and enforceable cyber and physical security standards. To comply with these standards, users, owners and operators of the nation’s energy grid implement risk and security training, background checks, and site-specific security and incident-response plans to protect against an attack.
- The electric power industry takes a comprehensive “defense-in-depth” approach to protecting its most critical assets and networks. This involves enhancing resiliency, redundancy and the ability to recover should an extraordinary event occur. As part of this effort, electric companies across the industry work to maintain both the cyber and physical security of the substations, transformers and other assets that help companies make, move and deliver a reliable supply of energy. The industry also routinely exercises its incident-response plans against a variety of threat scenarios, which helps to enhance grid resiliency and strengthen the industry’s ability to return more quickly to normal operations if an attack occurs.
- The federal government is an essential partner in securing the energy grid from cyber- attacks. The electric power industry, through the Electricity Subsector Coordinating Council (ESCC), coordinates closely with the government to prepare and respond to national-level incidents affecting critical infrastructure. Led by electric power industry CEOs, the ESCC and its government partners at the White House, the departments of Energy and Homeland Security, FERC and the FBI are working together to identify and respond to potential threats and to improve the overall security posture of the industry.
- The industry believes critical infrastructure protection is a responsibility shared by all electric companies. Working with the ESCC, the Edison Electric Institute developed the cyber mutual assistance program. Industry cybersecurity experts from more than 120 companies are part of the program and can be deployed in the event of a regional or national cyber incident.
Until next year’s NCSAM, check out the NCSAM Resources page to see content from previous Awareness Months, including one pagers, blog posts, presidential proclamations, and more.