Industrial control systems play an integral part in critical infrastructure, helping facilitate operations in vital economic sectors such as electricity, oil and gas, water, transportation and chemicals. The systems, mostly based on Supervisory Control and Data Acquisition (SCADA) or other networked automation technologies, typically rely on computer networks for effective operations. These control networks are the very technologies that underpin crucial operations and are increasingly vulnerable to cyber attacks.
Modern-day threats are growing in sophistication and are constantly adapting to the latest defensive technologies, changing their behaviors in a relentless counterpoint to protective efforts. Successful cyber attacks against critical infrastructure and the facilities that support them could result in significant disruptions to vital services, economic instability and even loss of life.
Cyber attacks on critical infrastructure, including the electricity grid, financial sector and transportation networks, have increased dramatically over the last decade. Recently, the hacker collective Anonymous has claimed responsibility for hacks into US federal government agencies, such as the Department of Justice, the FBI and the White House; foreign government agencies such as the Spanish National Police and the German Prime Minister’s office; and major corporations such as Monsanto, Universal Media and Symantec.
Cyber attacks are not always the work of rogue anti-government forces. The 2010 Stuxnet attack on the Iranian nuclear enrichment facility at Natanz has also made worldwide headlines, with The New York Times recently identifying it as a joint US-Israeli operation, intended to inflict damage to centrifuges being used to enrich uranium. In a recent press briefing, Gregory Jaczko, head of the Nuclear Regulatory Commission, indicated that cyber attacks are the nuclear power industry’s biggest threat – a major shift from the emphasis on physical security just a decade ago.
Security can no longer be an afterthought in the planning and implementation of a control system network. A vast number of control networks that were built prior to the internet explosion have no real cybersecurity capabilities. Such systems must be retrofitted with the necessary security capabilities to protect critical infrastructure. These efforts should be based on a defense-in-depth (DID) strategy that applies multiple layers of defense to combat security issues. The strategy, largely employed by the US military, is based on utilizing appropriate security countermeasures throughout the network infrastructure – from the physical layer to the application layer, as well as integrating policies and procedures to manage the people dimension.
Cybersecurity can be defined as protecting interdependent network information systems that involve internet, telecommunications networks, critical infrastructure, computer systems, embedded processors and controllers. The goal in implementing cybersecurity is to ensure the confidentiality, integrity and availability (CIA) of the entire network system in compliance with an organization’s security policy.
In this context, confidentiality is the ability to secure communications, ensuring that only authorized users will have the ability to understand transmitted information; integrity is ensuring that only authorized users will have the ability to create, modify or destroy information within the system; and availability is ensuring the reliability and accessibility of systems for those individuals who are authorized to utilize them. A good cybersecurity solution must implement the CIA construct within the four dimensions of cyber (i.e., data, devices, networks and people).
Recognizing the importance of cyber technology to critical infrastructure – such as energy grids – the North American Electric Reliability Corporation (NERC) has established a critical infrastructure protection program to improve cybersecurity for the bulk power system within North America. The protection of critical infrastructure systems that we rely upon every day is paramount, and industry should be mindful of how a failure in that security could severely, and possibly fatally, impact lives.
The correct way to define a cybersecurity solution is through a risk management process. Defining what is and what is not acceptable will enable operations to determine where function is more important than security, and where security is more important than utility. In reality, choosing utility over security need not mean a reduction in protection. By employing a DID approach to security, both function and security requirements can be met at the same time. A vulnerability exposed to enable more efficient operation can be mitigated by a different layer of security. These different layers combine to give a level of protection greater than that provided by any single layer.
Industry – including product developers, systems integrators and plant operators – must plan, design for and implement DID security when fielding products and systems, as well as invest in independently validated, robust security products and solutions that protect and defend all aspects of networked control systems. In total, this strategy will reduce the risks associated with cyber attacks when implementing control networks.
Benga Erinle is the co-founder and president of 3eTI, an Ultra Electronics company, and provider of highly secure wireless networks that enable critical systems security, infrastructure security and industrial automation. Erinle has more than 25 years of experience in aligning technology to the needs of government and private business. He was recently appointed by NATO’s Civil-Military Planning and Support Section (CMPS) and the Euro-Atlantic Partnership Council (EAPC) as an Electronics Communications Expert in Critical Information Infrastructure Protection (CIIP). As a selected subject matter expert, Erinle will provide technical advice and guidance on protecting information and communication technology (ICT) and critical information infrastructure systems and services that are relied upon by millions of people around the globe as a crucial combatant to successful threat deterrence.