Want secure critical infrastructure? Secure your control systems
Warnings of a “Cyber Pearl Harbor” attack on the critical infrastructure of the U.S. have been issued by a parade of experts and high-level government officials for decades. And given events of the past several months — major ransomware attacks on both fuel and food suppliers — those warnings seem both prescient and more urgent now.
But what hasn’t been a component of those warnings is that the U.S. might not be able to tell if a major cyber event that took down a significant portion of the nation’s critical infrastructure was simply a catastrophic accident or a malicious attack. Or, even worse, it might not know for sure who did it if it was an attack.
And that’s not a tinfoil hat conspiracy theory, according to Joe Weiss, managing partner at Applied Control Solutions. Weiss is also an expert on industrial control systems (ICSs), which run the physical components of most of the nation’s critical infrastructure — pipelines, power plants, water and sewer systems, transportation controls (e.g., traffic lights), and more.
ICSs were not originally designed to be connected to the internet, but now they are. So if the software that runs them and the sensors that monitor them can be hacked, the damage could be catastrophic.
While no known cyber attack has taken down a major element of U.S. critical infrastructure for an extended period, there are multiple examples of shorter-term effects. “Control system cyber incidents have occurred in just about every critical infrastructure that uses control systems including power, water, oil/gas/chemicals, pipelines, manufacturing, transportation, defense, buildings, etc.,” Weiss wrote in a recent blog post.
One of the most notorious was the Stuxnet attack on the Iranian nuclear program in 2010, attributed to the U.S. and Israel, which destroyed nearly 1,000 uranium enrichment centrifuges by tricking the system controlling them into thinking they were fine when in reality they were spinning out of control.
According to Weiss, the sensors were detecting what was wrong, but the hackers had been able to take control of the display monitors, which were showing that everything was normal.
After a failed attempt in February 2021 to poison the drinking water of Oldsmar, Florida, near Tampa, Weiss said he had documented almost 100 control system water/wastewater cyber incidents throughout the U.S. and internationally, although “not all cases could be identified as cyber-related.”
“Many incidents were unintentional. However, the impacts could be devastating,” he wrote, citing a water utility that inadvertently pumped water from a Superfund well site into a drinking water system.
The wrong focus
Weiss has been warning for years that an escalating danger to critical infrastructure is due to too much focus on network security and not nearly enough on control systems.
“IT network cyber attacks are short-lived as they do not damage equipment such as turbines, transformers, pumps, motors, valves, etc. which is why IT cyberattacks are not a ‘Cyber Pearl Harbor’,” he wrote.
“Yet [networks are] the government’s focus. For control systems, it is the opposite. Usually when a control system is impacted, the effects can’t be hidden — a pipe breaks, a train crashes, the lights go out, sewage is discharged, etc. Instead, the challenges are identifying if cyber electronic communications played a role while distinguishing an attack from an accident.”
And Weiss says there is not nearly enough forensic capability built into ICSs to do that quickly, if at all. “It is the control systems that will comprise a ‘Cyber Pearl Harbor’ yet there is minimal cyber security, authentication, or cyber logging available for these critical systems and devices,” he wrote.
In the case of recent ransomware attacks on critical infrastructure, that hasn’t been a problem because the perpetrators identified themselves.
The DarkSide ransomware gang took credit for the Columbia Pipeline attack, which led to the cutoff of nearly half the fuel supply to the East Coast for nearly a week. The attack on meat supplier JBS, which disrupted a major portion of the nation’s food supply, was conducted by the REvil gang, which more recently attacked network management company Kaseya Ltd.
Those didn’t qualify as acts of war, but they were ominous examples of the physical damage online attacks can cause.
And it could be much worse if there is no good way to tell how an event happened or who did it. “There are few events as unambiguous or as easily attributable as a missile launch,” Weiss wrote, but added, “the phenomenology of a cyber attack is by no means that clear. You may know that a control or safety system has failed or is not working as expected, but it’s unlikely to be obvious that what occurred was unintentional or a cyber attack.”
Indeed, in September 2018 after a series of natural gas explosions and fires in the Merrimack Valley region of Massachusetts, it took weeks to confirm that the cause was human error, because the event — the failure of a work crew to disable, which then showed low pressure when pressure was actually increasing — was the kind of thing a cyber attack could cause. The explosions killed one person, injured 22 others, and damaged hundreds of homes. In 2020, Columbia was ordered to pay a criminal fine of $53 million.
In an interview, Weiss wanted to make clear that he’s not saying the “who and why” are the most important things — avoiding a catastrophe is. “If I’ve got an engine on fire in a plane, I don’t care about why it happened or who might have caused it until I get the plane on the ground,” he said. “Then I care.”
But he said government and the critical infrastructure industry still aren’t focused on fixing the vulnerabilities unique to control systems. Better network security to prevent ransomware attacks is a good and necessary thing, he said, but is not sufficient, because it doesn’t address the threats to ICSs.
Michael Fabian, principal security consultant with the Synopsys Software Integrity Group, agrees that more cybersecurity attention needs to be focused on operational technology (OT) as well as information technology (IT).
He told The Daily Swig that the Colonial Pipeline attack didn’t directly affect OT systems, but the company feared that the attackers had “gained information allowing them to potentially attack OT areas of their operations. In the OT/IT evaluations that I’ve conducted over the past 12-plus years, I have observed many violations of basic security concepts.”
But he said he thinks Weiss’s warnings about catastrophic damage from attacks on ICSs are vastly overstated. He noted that during the past 15 years there have been eight presidential executive orders on critical infrastructure and that many critical infrastructure organizations have implemented security plans for their OT.
“Some low-level devices in ICS don’t have the capability to do certain logging and digital forensics, but that doesn’t mean we can’t figure out what happened,” he said. “The excellent reverse engineering on Stuxnet done by the community and (Ralph) Langner (founder and CEO of Langner, an OT security consultancy) is proof of that.”
And there does seem to be a more intense focus on ICS security in both the public and private sectors — witness the recent flurry of government advisories and orders regarding the security of critical infrastructure, some of which mention control system security specifically. They include:
- This past week, the Department of Homeland Security’s Transportation Security Administration (TSA) issued a directive that “requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.”
- Last month, the federal Cybersecurity & Infrastructure Security Agency (CISA) published “Rising Ransomware Threat to Operational Technology Assets,” a fact sheet detailing the threat to “operational technology assets and control systems.”
- In February, following the Oldsmar water treatment system attack, the FBI, CISA, the Environmental Protection Agency, and the Multi-State Information Sharing and Analysis Center issued a joint advisory on protecting control systems, including a recommendation to “install independent cyber physical systems security (CPSS) to limit any damage if the control system is compromised. These can include the size of the chemical pump and of the chemical reservoir, gearing on valves, and pressure switches.”
In the private sector — automotive specifically — Donald Davidson, director of cyber supply chain risk management programs at Synopsys, said there is “lots going on in SAE (Society of Automotive Engineers) G32 CPSS, looking at both hardware and software in IT and OT.”
He agrees that it is long past time to recognize that cybersecurity has to cover more than information systems (computer and network) to also address “things” that are “digitally enabled with integrated circuits (hardware) and software.”
But he said the SAE has initiated a new CPSS standard in response to a “significant and increasing volume of cyber physical system exploits due to a broad range of attack vectors exploiting vulnerabilities and weaknesses with the integration of complex hardware, software, and firmware supporting the cyber physical system.”
And a cyber physical system is what most critical infrastructure is.
A long way to go
Still, Weiss contends that both the industry and government remain a long way from dealing effectively with control systems threats.
He noted that President Joe Biden’s “Executive Order (EO) on Improving the Nation’s Cybersecurity” didn’t mention control systems or supervisory control and data acquisition (SCADA), the system of software and hardware that allows companies to control industrial processes locally or remotely.
Indeed, Robert Chesney and Trey Herr, in a post on Lawfare, acknowledged that “if you wanted a document that deals with critical infrastructure … this EO is not for you.”
And Weiss said a recent study of the cybersecurity of state-of-the-art pressure sensors used in ICS safety systems such as the liquified natural gas tanks in Boston Harbor found that “there is no cybersecurity and no authentication. So there is no way to know who told it to do what it’s doing or if it’s even coming from the sensor.”
“You do have continuous recording of pressure data, but it’s periodically overwritten, so you don’t have logging beyond the recent past.”
What would help to secure control systems, he said, are “sensors that are offline, that aren’t on the internet, so you know you can trust them. Right now that’s not the norm. And that’s a problem.”