Ghosts in the Machine: Keeping the Lights On and the Hackers Out
This week, the Cybersecurity and Infrastructure Security Agency (CISA) issued 15 advisories dealing with Industrial Control Systems (ICS), the systems that keep power plants, manufacturing, water systems, and energy supplies moving.
Much of this reflects the recognition that sophisticated foreign actors have conducted pervasive intrusions against domestic targets, especially utilities and government agencies. As reported in The Hill, "organizations involved in the electricity sector in particular had seen an 'unprecedented' increase in cyber threats during the COVID-19 pandemic." In addition, the US Government Accountability Office (GAO) recently noted that "the U.S. electricity grid's distribution systems… are becoming more vulnerable to cyberattacks, in part because of the introduction of and reliance on monitoring and control technologies."
Part of the heightened focus on critical infrastructure and industrial control systems comes from an understanding of the scope and breadth of the recent SolarWinds breach. Now formally blamed on Russian intelligence services, the breach saw roughly 25% of grid operators download corrupted SolarWinds Orion software. The trojanized Orion software acted as a first stage that enabled subsequent malware downloads, so even if the SolarWinds software is removed, additional malware could be lying dormant, waiting to be put into action for later espionage or disruption.
Security presents a particular challenge for electrical, water, and other utility operators. First, their security staff is typically small; in fact, they may not have a dedicated security team at all, with IT owning both operational technology and security. IT and security teams often need to monitor multiple locations from a single console, with no onsite staff at many plants. The work-from-home constraints imposed by the pandemic have compounded this, and, as the GAO report notes, remote access, monitoring, and control systems are increasingly used to operate large, distributed critical infrastructure. This increases the attack surface and offers an attractive leverage point for attackers, as evidenced by the recent attack on the remote access technology used by the Oldsmar, FL water treatment plant (fortunately thwarted by an alert staffer who noticed the change being made).
But given the realities of staffing and economics, how should the operators of utilities and other industrial control systems respond to best secure their critical networks? The principle of zero-trust offers an appealing approach. Under zero-trust, no device, user, or network location is trusted by default: every access request is authenticated and authorized on the assumption that any device could already be infected with malware and that any remote user may not be who they claim to be. But a complete zero-trust implementation can be expensive and cumbersome to roll out, and may be beyond the immediate budgetary and technological constraints of operators.
However, there is a good way to get on the path to zero-trust with minimal investment of time and resources: Breach and Attack Simulation.
Securing an ICS network is a two-pronged effort: making a best effort at keeping intrusions off the network while acknowledging that they may occur anyway and being prepared to respond to them. Breach and Attack Simulation (BAS) solutions address both prongs by safely simulating both the initial attacks against your network, such as the phishing emails attackers use to gain a foothold, and the actions malware takes once it is established (downloading further stages, moving laterally between hosts). Comparing what the simulation did against what the security stack blocked and what the SIEM reported lets operators quickly identify and remediate gaps in their coverage and answer questions like these:
- Can the email security system stop malicious emails?
- Can the perimeter security stack block malware downloads?
- If malware does get on the network as the result of supply chain breaches or other failures, can it spread on the network?
- Can that spread be detected?
- Can the security team pick out the relevant alerts on the SIEM or other security console, recognize them as a breach, and do they know how to respond?
BAS solutions, such as Keysight's own Threat Simulator, provide many of the benefits of a dedicated Red Team (essentially, friendly hackers who attack your network) at a fraction of the cost. A typical BAS deployment consists of an initial assessment, which identifies any egregious high-priority security gaps that should be addressed immediately, followed by frequent automated reassessments to quickly spot drift caused by changes in local configuration or in the threat landscape. A high-quality BAS solution, such as Threat Simulator, will not only report the gaps it discovers but also provide detailed instructions on how to close them.
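The coverage questions above and the assess-then-reassess cycle can be made concrete with a small script. What follows is an added example written for this article, not code from Threat Simulator or any other product: it takes a hypothetical catalogue of safe simulated actions, the simulator's own record of which actions the security stack blocked, and a constructed SIEM export, and classifies every action as prevented, detected, or missed. A second run is then compared against the first to flag drift. The action IDs, alert names, hosts, and log format are all assumptions made for the example.

```python
"""Toy breach-and-attack-simulation coverage check (illustrative, not a product)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class SimulatedAction:
    action_id: str      # hypothetical identifier
    description: str    # what the simulator does (with a benign, non-destructive payload)
    expected_alert: str # alert name the SIEM should raise if the action is observed


# Hypothetical catalogue of safe simulated actions: initial access (IA) and
# lateral movement (LM). A real BAS tool uses harmless stand-ins for the malicious
# payload (test files, simulated C2 traffic) so nothing here can damage a plant.
CATALOGUE: List[SimulatedAction] = [
    SimulatedAction("IA-1", "phishing email with macro attachment", "EMAIL_MALICIOUS_ATTACHMENT"),
    SimulatedAction("IA-2", "malware download through the web proxy", "PROXY_MALWARE_BLOCKED"),
    SimulatedAction("LM-1", "SMB admin-share copy to a second host", "SMB_ADMIN_SHARE_ACCESS"),
    SimulatedAction("LM-2", "remote service creation on a second host", "REMOTE_SERVICE_CREATED"),
]

# What the simulator itself observed: did a control stop the action?
# Constructed results for two runs a week apart; in run 2 a proxy change let IA-2 through.
RUN_1_BLOCKED: Dict[str, bool] = {"IA-1": True, "IA-2": True, "LM-1": False, "LM-2": False}
RUN_2_BLOCKED: Dict[str, bool] = {"IA-1": True, "IA-2": False, "LM-1": False, "LM-2": False}

# Constructed SIEM exports. Assumed line format: "<ISO timestamp> alert=<NAME> src=<host>".
SIEM_RUN_1 = """\
2021-02-15T09:00:04Z alert=EMAIL_MALICIOUS_ATTACHMENT src=mx01
2021-02-15T09:00:31Z alert=PROXY_MALWARE_BLOCKED src=proxy01
2021-02-15T09:02:10Z alert=SMB_ADMIN_SHARE_ACCESS src=hmi-02
"""
SIEM_RUN_2 = """\
2021-02-22T09:00:05Z alert=EMAIL_MALICIOUS_ATTACHMENT src=mx01
2021-02-22T09:02:12Z alert=SMB_ADMIN_SHARE_ACCESS src=hmi-02
"""

ALERT_RE = re.compile(r"^\S+ alert=(?P<name>\S+)")


def alerts_in(siem_export: str) -> Set[str]:
    """Collect the distinct alert names present in a SIEM export."""
    names: Set[str] = set()
    for line in siem_export.splitlines():
        match = ALERT_RE.match(line)
        if match:
            names.add(match.group("name"))
    return names


def assess(blocked: Dict[str, bool], siem_export: str) -> Dict[str, str]:
    """Classify each catalogue action as prevented, detected, or missed."""
    seen = alerts_in(siem_export)
    outcome: Dict[str, str] = {}
    for action in CATALOGUE:
        if blocked.get(action.action_id, False):
            outcome[action.action_id] = "prevented"   # control stopped it
        elif action.expected_alert in seen:
            outcome[action.action_id] = "detected"    # got through, but the SOC would see it
        else:
            outcome[action.action_id] = "missed"      # got through silently: fix this first
    return outcome


def drift(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Action IDs whose outcome got worse since the previous assessment."""
    rank = {"prevented": 2, "detected": 1, "missed": 0}
    return [aid for aid, state in current.items()
            if rank[state] < rank[previous.get(aid, "missed")]]


if __name__ == "__main__":
    first = assess(RUN_1_BLOCKED, SIEM_RUN_1)
    second = assess(RUN_2_BLOCKED, SIEM_RUN_2)
    for action in CATALOGUE:
        print(f"{action.action_id:5} {first[action.action_id]:9} -> {second[action.action_id]:9} {action.description}")
    print("drift since last run:", drift(first, second) or "none")
```

Run 1 shows LM-2 as "missed" from the start, which is the kind of high-priority gap the initial assessment is meant to surface: a simulated remote service creation crossed the network without any alert. The reassessment then flags IA-2 as drift, since a download the proxy blocked a week earlier now succeeds without a SIEM alert. In practice the "blocked" map would come from the simulator's own telemetry and the export from a SIEM query over the simulation window, but the classification and drift logic stay the same.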
The challenge of securing industrial control systems isn't going away any time soon. Many of these systems are decades old and weren't designed for operation on a hostile network. Connectivity was added later to enable centralized remote monitoring and configuration, which unfortunately expands the attack surface of systems that were never built to withstand it. These systems are increasingly targeted by hostile actors because their disruption can have widespread and far-reaching consequences. Now is the time to shore up those networks, taking a cost-effective, outcome-based approach to identifying and closing gaps in both the security systems and the teams that operate them.