By Jane Lo, Singapore Correspondent (includes Cyber Security Weekly Podcast)
Critical infrastructures are “luxurious targets”, said Ido Yitzhaki (VP Business Development, ODI Ltd) at the second edition of Asia ICS Cyber Security Conference 2018, held at Resorts World Sentosa, Singapore, 19th-21st November 2018.
When the Black Energy malware struck the Prykarpattya Oblenergo power plant in Western Ukraine, reports indicated a spear phishing campaign was the initial point of compromise. Three years later in October 2018, Ukraine critical infrastructures were attacked again – this time by Grey Energy malware. While an evolved and more sophisticated variant, the malware relied on the decades-old social engineering technique to gain access to the network – phishing.
Stuxnet, which hit the Iranian Nuclear Power plant in 2010, was delivered via a USB thumb drive into computer systems in the facility.
These episodes highlight that despite “air-gapping” – a physical separation of the network controlling the critical infrastructure (commonly referred to as operational technology or OT) from the corporate infrastructure (or corporate information technology – IT), cyber attacks on critical infrastructures are still on-going and clearly, a risk to be managed.
These case studies illustrate two main reasons for the occurrences:
- heavy reliance on mobile devices for data exchange (legitimate or otherwise) – including USB thumb drives – which facilitates the malware infiltration or,
- infiltration via an insider threat through the inadvertent clicking on malicious emails (or phishing), which opens up initial entry points for attacks to remote-access, conduct more reconnaissance and in many cases, gain understanding of network architectural designs and activities and personnel access credentials.
Increasing awareness on phishing campaigns and instituting a mobile device security policy, or encrypting emails to preserve confidentiality are some standard first line of defences against cyber attacks.
What about Penetration Testing?
The air-gap design prompt many to argue if penetration testing, typically focused on internet-connected networks, is useful for one that is not connected to the “outside” world.
Operational technology is typically multi-vendor, non-homogenous and like any corporate network, legacy equipment adds to the complexities of integration. Inherent shortcomings that are forgotten, unnoticed or simply disregarded become back-doors for malicious actors to gain unauthorised access, become real vulnerabilities in these architecture perimeters.
Penetration testing, therefore, is an additional line of defence against cyber attacks on the critical infrastructure.
David Ong (Attila Cybertech, CEO), “OT systems: To pen-test or not to pen-test?”), referring to the “Penetration Testing of Industrial Control Systems” by Sandia National Laboratories (2005, David P. Duggan, Michael Berg, John Dillinger, Jason Stamp), stressed “performing network penetration testing on operational systems should be taken with a clear understanding of the testing actions”.
The controlled physical processes can cause real world consequences beyond waste and equipment damage: namely, health and safety risks. Some are time-sensitive – such as those powering air traffic control compared to a local train network; some depend on specific external environmental factors for safe operations – such as requiring water at a certain pressure or temperature.
A clear understanding of the possible consequences of actions, whether spurious or otherwise, activated during penetration testing should be formed prior to conducting the testing. For example, identification of networks, hosts and nodes in the Corporate IT environment typically involve Ping Sweep, but scanning may overload the system in the OT environment with legacy equipment constrained by limited bandwidth.
For the operational network, the first step is not necessarily different than for a corporate network – identify the assets, and the threats to these assets and vulnerabilities, and the potential impacts – and be conducted at a regular frequency to reflect changes (e.g. additional vulnerabilities uncovered by the penetration test).
Cyber Risk Impact Assessment
Yosi Shavit (Department of Cyber Defense, Ministry of Environmental Protection, Israel) presented a detailed and renewed Risk Assessment approach in his presentation “ICS Cyber Security Methodology & Regulation”. (see Further Reading below)
The standard risk assessment is derived from a probability and impact measurement of an event occurring. In the context of the “ICS Cyber Security Methodology & Regulation”, probability is derived through a series of questions.
“For example, HMI (Human machine interface) stations technical support that comprises of only employees has the least exposure, whereas constantly changing external suppliers have the highest exposure; an asset linked to the Internet, yet having no defence mechanisms, is highly exposed to cyber-attacks, while an asset isolated in a secured room is less exposed; an asset with orderly, full updates and security patches is less exposed than one that is partially updated with no regular patching schedule”.
Impact measurements in the operational technology environment include considering “atmospheric conditions (wind direction and intensity), location (Including height above sea level), container design (shape and dimensions of the container of hazardous material) and toxicity spreading algorithms (Gaussian dispersion, Heavy Gas dispersion).”, he added.
The critical infrastructure “SRP” (Safety, Reliability, Productivity) impact triad is linked and relates to the classic information system security triad “CIA” (Confidentiality, Integrity, Assessment) in a Cyber Risk Assessment. Yosi further explained:
- Confidentiality (what is the level of damage caused to the plant following data leakage from an asset?)
- Integrity (what is the level of damage of a cyber attack, causing disruption of processes related to hazardous materials, such as uncontrolled change of temperature or pressure?)
- Availability (what is the level of damage to the plant caused by a long-term system shutdown?)
A significant impact could include a scenario where there is a clear and present health and safety danger, a low impact could be where the damage requires minimal time and resources to recover from. Financial consideration is typically an additional factor in the impact assessment.
A further interesting deviation from a standard risk assessment is a scaling of the impact by a factor of three (3), to reflect the higher consideration attached to human life where attacks to critical infrastructure are concerned.
While performing the impact assessment helps the organisation identify the assets to be protected and the protection level, and the protection gaps (such as running automatic updating of all systems for identifying and preventing malicious code), it is well-recognised amongst the professionals, there is no 100% security.
So …. most importantly, test the Recovery Plans!
Recovering from cyber events (or incident response) is a necessary aspect of a security framework and best practices include regular testing of recovery plans to enhance understanding of the infrastructure, tools, as well as the communication protocols.
“Exercise Cyber Star” carried out by The Cyber Security Agency of Singapore (CSA) last year is one example. For the first time, all 11 agencies and owners under the Critical Information Infrastructure (CII) sectors in Singapore were tested on their incident management and remediation plans in response to simulated cybersecurity incidents like a malware infection or a DDoS attack.
CYBER SECURITY WEEKLY PODCAST: Episode 129 – Industrial Control System (ICS) Cyber Security with Daniel Ehrenreich, Asia ICS Cyber Security Conference 2018
Interview with Daniel Ehrenreich, BSc. an Israel based Consultant at Secure Communications and Control Experts, and Lecturer teaching at cyber security colleges and presenting at ICS cyber defense conferences; Daniel has over 25 years’ engineering experience with electricity, water, gas and power plants systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security.
The discussion centres around the challenges raised to Industrial Control Systems (ICS) as a result of the Stuxnet attack and the use of uni-directional gateways, or Diodes and importance of physical security systems. Safety, Reliability and Productivity is the key triad for OT.
For further information and reading, visit:
For recent Israel developments on ICS Cyber Security visit:
Recorded 21 November 2018 in Singapore at Asia ICS Cyber Security Conference 2018.
MySecurity Media were conference Media Partners and attended courtesy of the conference organiser.