Could hackers get up to similar mischief in other areas of critical infrastructure?
The problem with OT cybersecurity
Part of the problem is that OT has traditionally been safeguarded by its isolation from other networks, said Cyber Work Podcast guest Francis Cianfrocca, CEO of Insight Cyber Group, a cybersecurity startup developing a new AI-powered security service to provide insights and protection against a wide range of threats in cyber-physical environments. He knows this area well, having extensive experience with control systems for oil refineries.
“Beginning about 25 years ago, we began to replace older analog protocols with ethernet-based computer networking,” he said. “That opened up many wonderful opportunities to manage processes better, save money and achieve better control. However, OT-based industrial control systems (ICS) were designed for robustness and safety, not security.”
Why does operational technology cybersecurity matter?
Hackers and cybercriminals have attacked home users and businesses for years. Cybercriminals infected PCs, laptops and servers with viruses, trojans and other malware. It wasn’t until about 10 years ago that you began to see industrial sites targeted. “If I can destabilize a robot or a water filtration system, the impact is at a whole different level, far beyond corrupted or stolen information,” said Cianfrocca. “You are now talking about injuring or even killing people in extreme cases.”
The Stuxnet Worm
The first well-publicized example was a malicious computer worm called Stuxnet uncovered in 2010. Designed to target supervisory control and data acquisition (SCADA) systems used in industrial settings, it successfully infiltrated equipment used as part of Iran’s nuclear program and caused substantial damage. Other scenarios that could potentially be accomplished include:
- shutting down power grids
- sabotaging traffic systems
- poisoning water supplies
IT and OT convergence challenges
“A lot of the problems that people have with managing cyber defenses for their infrastructure are because they don’t have deep enough visibility,” said Cianfrocca. On the surface, it appears to be simple: bring OT and IT cybersecurity solutions and processes together. But Cianfrocca explained why convergence is so difficult to achieve: ICS processes are streamlined, often laid out directly onto the metal, and are not designed to accommodate extra packets or features. That makes it challenging to introduce firewalls and other security safeguards, and adding extra layers of security software typically throws off the timing of processes. “Patching systems with the latest security fix can be difficult or even impossible with some industrial controls as they are designed, built and tested for safety,” said Cianfrocca. “Any small changes made for the sake of security invalidate all your safety testing.” A different approach is needed for operational technology cybersecurity.
How do you make infrastructure technology secure?
One radical idea is to completely isolate ICS and other OT systems from the internet. But that isn’t feasible, as both worlds are already partially fused. In any case, a separate network would still contain its own weaknesses and vulnerabilities. Cianfrocca believes the solution revolves around better monitoring and gaining a real understanding of the threats that may target ICS. Part of the problem is scale. There are millions of potential vulnerabilities when you consider all the infrastructure systems out there and the increasing influence and interconnectivity that comes about courtesy of the internet of things (IoT). The IoT alone already amounts to billions of devices and sensors. No one is going to be able to patch all of them. But for a moment, let’s pretend it is possible. By the time they are patched, many additional vulnerabilities will have appeared. “Instead of looking for vulnerabilities, look for attacks and find what is really going on that is problematic,” said Cianfrocca.
OT cyberattacks and how to respond
To attack a power station, auto assembly plant or telephone central office, for example, the bad guys need to know what’s in there. They may find a route in via an infected PC. But once inside, they still need to conduct detailed reconnaissance of how things work if they wish to do any real damage. “Instead of looking for vulnerabilities, we look for traces where people are already trying to recon you, and we close those off,” said Cianfrocca. That’s a job for artificial intelligence (AI). AI does not replace the need for general cybersecurity safeguards, nor does it replace the input of humans. But it is very good at finding patterns in very large, high-dimensional data spaces.
AI is adapting how we execute OT security
One way to simplify the operational technology cybersecurity problem is to harness AI in conjunction with network instrumentation by placing many sensors on industrial systems. This approach enables AI to assess endless information streams to locate where malicious software may be trying to hide within a vast network. Abnormal behavior also stands out once the AI systems have established a baseline of what routine, standard network behavior and traffic look like. “Rogue devices and suspicious traffic patterns begin to show up,” said Cianfrocca. “AI will tell you there are nine potentially suspicious processes running port scans, but it takes skilled people with problem-solving abilities to act on that information and keep our infrastructure secure.” You still require people with a background in IT and OT to get to the bottom of what is really happening. And this represents a massive career opportunity. There is already a shortage of skilled cybersecurity talent. Very soon, the operational technology cybersecurity sector will also be in heavy demand. To learn more about securing operational technology, listen to the Cyber Work Podcast with Francis Cianfrocca.
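The baseline-then-detect idea described above, and the earlier point about spotting reconnaissance traces rather than hunting vulnerabilities, as an added example that is not code from the podcast or from Insight Cyber Group. It learns which hosts and (source, destination, port) conversations appear in a quiet window of constructed flow records, then flags devices absent from that baseline, conversations never seen before, and one host touching many ports on another (a port-scan pattern); all addresses, ports and thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port) with hypothetical addresses.
# BASELINE is the learning window, assumed to hold only routine traffic;
# LIVE is a later window being monitored.
BASELINE = [
    ("10.1.0.10", "10.1.0.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.1.0.10", "10.1.0.21", 502),
    ("10.1.0.11", "10.1.0.20", 44818),  # engineering workstation -> PLC, EtherNet/IP
    ("10.1.0.10", "10.1.0.30", 102),    # HMI -> PLC, S7comm
]
LIVE = [
    ("10.1.0.10", "10.1.0.20", 502),    # routine, matches baseline
    ("10.1.0.99", "10.1.0.20", 502),    # unknown host talking to a PLC
    ("10.1.0.11", "10.1.0.20", 22),     # known pair, port never seen in baseline
] + [("10.1.0.99", "10.1.0.21", p)      # one host probing many ports on a PLC
     for p in (21, 22, 23, 80, 102, 443, 502, 8080, 44818)]


def learn_baseline(flows):
    """Learn the known hosts and the known (src, dst, port) conversations."""
    hosts, convs = set(), set()
    for src, dst, port in flows:
        hosts.update((src, dst))
        convs.add((src, dst, port))
    return hosts, convs


def detect(flows, hosts, convs, scan_threshold=5):
    """Flag hosts absent from the baseline, conversations never seen before,
    and (src, dst) pairs that touch scan_threshold or more distinct ports."""
    rogue, new_conv = set(), set()
    ports_per_pair = defaultdict(set)
    for src, dst, port in flows:
        rogue.update(h for h in (src, dst) if h not in hosts)
        if (src, dst, port) not in convs:
            new_conv.add((src, dst, port))
        ports_per_pair[(src, dst)].add(port)
    scans = {pair: len(ports) for pair, ports in ports_per_pair.items()
             if len(ports) >= scan_threshold}
    return {"rogue_device": sorted(rogue),
            "new_conversation": sorted(new_conv),
            "port_scan": scans}


def run():
    """Baseline on the quiet window, then inspect the live window."""
    hosts, convs = learn_baseline(BASELINE)
    return detect(LIVE, hosts, convs)   # an analyst still decides what each hit means
```

Calling `run()` returns the three alert groups; in a real deployment the baseline window would need to be verified clean before it is trusted, since anything present during learning becomes "normal".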