A Growing Security Threat Against Critical Infrastructure
In 2009 there were fewer than a billion IoT devices in use. According to Statista, that number is expected to increase to more than 20 billion by 2020 and continue to grow at a rapid pace. Besides the growing number of devices, there are many varied and interconnected OT systems that must be defended. How can security controls keep up? How can security professionals accustomed to dealing with standard OSes like Windows, Linux and Unix adapt to the multitude of different OSes, real-time kernels and proprietary firmware running on the IoT, IIoT, and OT devices that make up critical infrastructure systems? Is it even possible for the SOC to standardize on security tools when the attack surface spans such a broad range of devices?
The future brings a broadened attack surface along with highly sophisticated classes of attackers – from nation-states to criminal groups to hacktivists. And there are dedicated nation-state groups that target OT, as evidenced by this MITRE web site. Critical infrastructures will be viable targets for extortionists according to this report by Trend Micro. Ransomware will be the threat actors’ weapon of choice given its destructive impact. Cities such as Atlanta, Baltimore, Pensacola and New Orleans are all recent examples of what happens when you fall victim to ransomware, costing them by conservative estimates from $3M to over $6M to recover. Ransomware attacks have also caused hospitals and health systems to divert patients and, in some instances, shut down. Other types of cyberattacks are also likely: botnets mounting distributed denial-of-service (DDoS) attacks against operational technology (OT) networks; attacks on manufacturing systems that use cloud services; and supply chain attacks in which compromised third-party vendors are used as springboards to reach critical sectors. Apart from the utilities sector, Trend Micro anticipates that attacks in 2020 will increase on the food production, transportation, and manufacturing sectors, which increasingly use IoT applications and human-machine interfaces (HMIs).
Various threat actors have already targeted and reconnoitered several energy facilities across the world in preparation for future attempts to steal credentials for industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems. Machine learning (ML) and artificial intelligence (AI) will be abused to listen in on connected devices like smart TVs and speakers to snoop on personal and business conversations, which can then provide material for extortion or corporate espionage. Building automation systems (BAS) will also be key targets for “siegeware,” where attackers combine ransomware with BAS vulnerabilities. With siegeware, the attacker takes control of a building and shuts down critical operations such as heating, cooling, phone systems, alarm systems, and even physical access, and only rescinds control once a ransom has been paid. As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it is highly likely that many of these still use default usernames and passwords. Botnets of compromised IoT devices will be further peddled in the underground, along with access to webcam streams and smart meters with modified firmware.
City-wide impacts may also be felt from a cyber attack against a smart city. According to Deral Heiland, IoT Research Lead, Rapid7 – “With the continued move to deploy smart technology throughout our cities with lighting, traffic control, mobility solutions, fire and safety operations, smart cities will become an even bigger target in 2020. Expect to see more cyberattacks (think ransomware and malware) against them, which will greatly disrupt the smart technology and how these cities operate. This could potentially have serious impacts on day-to-day life and could even bring city life to a screeching halt.”
These thoughts were also amplified by Assaf Harel, Co-founder and Chief Scientist, Karamba Security – “Malicious actors can disrupt and paralyze smart devices with Remote Code Execution, altering their well-planned, fine-tuned operations. Infrastructure disruptions, direct liability and ransomware are just a few of the potential outcomes of losing control over these software defined systems. Attacks can go far beyond ransomware attempts. They can disable utilities, schools, and shopping centers, and take down an entire power grid.”
According to Forbes, attackers are adding to their arsenals of cyber weapons, massively increasing their use of what was previously called fileless malware (a label that fits poorly, since the tradecraft is often neither fileless nor malware in the classic sense) and is now more commonly described as living off the land: abusing legitimate, already-present system binaries (LOLBins) such as script interpreters and administration utilities to run attacker code without dropping a custom implant. Hackers will also start using AI in different ways. For example, they’ll use AI to make it easier to breach networks: someone will code an “AI hackbot” against an OT system and unleash it, and the hackbot will attempt to breach a network, fail, and learn from its failure. The next attempt will succeed, and the hackbot will continue learning until it becomes almost unstoppable. Threat actors, many of them state-sponsored, will increase their use and the sophistication of AI algorithms to analyze organizations’ defense mechanisms and tailor attacks to specific weak areas. These tools and ones like them will enable dramatic kinetic effects as more OT systems come under the bulls-eye of cyber attackers.
This growing threat to the critical infrastructure has not gone unnoticed as the National Infrastructure Advisory Council recently announced in a draft report the need to address escalating cyber risks to America’s critical infrastructures. The report states that cyber threats “present an existential threat to continuity of government, economic stability, social order, and national security.” In another recent report and presentation by the Hudson Institute, author Arthur Herman discusses the Chinese cyber threat to America’s industrial and high tech future and presents a case for government and private sector mobilization against this threat.
Risk Assessments Are A First and Recurring Step To Mobilize Responses to Cyber Threats
Critical infrastructure owners need to really up their security game in 2020 and mobilize resources against this growing security threat while they take on new IIoT deployments. Since 85 percent of the US’s critical infrastructure is owned by the private sector—and the DoD and FBI have neither the resources nor the legal standing to defend civilian assets before they’re attacked—enterprises will need to significantly boost their cyber defenses. To plan effectively and mobilize resources into credible responses, owners need to know (and maintain visibility of) what they are defending, the likely avenues and tactics of attack, and the possible consequences of a successful attack. They can choose from a variety of threat assessment methodologies, services, and risk management tools to start risk planning, such as historical models, scenario-based risk quantification, statistical estimation approaches using cyber Value-at-Risk (VaR) models, and attack surface evaluation approaches.
Historical models capture event occurrences within a timeframe, the costs associated with those events, and related factors such as causes, mitigations, industry sector or other demographic parameters, and event-specific conditions. Historical models are relatively easy to calculate, but there may be insufficient historical data for modeling purposes, and because cyber threats change quickly, past history may not be a good predictor of future risk.
One example of a historical approach is the “SCADA Incident Database,” or SCID, which can be used to track trends in cyber incidents affecting ICS. The Repository of Industrial Security Incidents (RISI) is a freely available database of incidents of a cyber security nature that have (or could have) affected process control, industrial automation or Supervisory Control and Data Acquisition (SCADA) systems. The concept of the community-based project is to include critical infrastructure incidents that have transpired over the years.
Scenario-based quantification is an easily understood method that requires a top-level scenario definition, a fact basis, and estimated costs. It can help identify opportunities to improve risk mitigation and enterprise resilience while also directly informing risk transfer (insurance) investment for certain risks. The challenges of this approach are defining representative scenarios, estimating their likelihood, and producing credible cost estimates.
Modeling cyber VaR requires information about enterprise connections and states (gathered through periodic or continuous monitoring), organized using a cybersecurity risk framework (e.g., NIST SP 800-171, NIST SP 800-53, NIST SP 800-82 Rev. 2, the NIST CSF, or FAIR). The risk process calculates the business exposure value of key IT systems and data due to vulnerabilities and attack vectors, using the success statistics of cyber-attack methods against specific controls and the loss statistics from historical breaches. A benefit of this approach is that it expresses cyber risk the way a risk “should be” expressed: in financial terms, as a loss distribution rather than a color on a heat map. It can help to set and manage risk appetite and risk tolerance levels while putting risk mitigation and risk transfer alternatives on the same page, by enabling return-on-investment calculations for mitigation investments (the CISO Balance Sheet). The cyber VaR approach requires valid models of cyber-attack methods and their success against specific cybersecurity controls, as well as good historical breach data from which to derive loss functions and statistics.
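To make the VaR mechanics concrete, here is an added example (not from the article or any of the frameworks it names) that runs a Monte Carlo simulation over two constructed attack scenarios: attempts arrive at an assumed annual rate, each defeats current controls with an assumed probability, and each success produces a lognormally distributed loss. It reports expected annual loss, the 95% VaR, the tail mean (CVaR), and the return on a hypothetical control that lowers one scenario’s success probability. Scenario names, rates, probabilities, loss figures and the $500k control cost are all assumptions chosen for illustration.

```python
"""Monte Carlo cyber Value-at-Risk (VaR) for a small ICS/IT portfolio.

Added example (not from the article). It uses only the standard library
and models what the text describes: attack attempts arrive at some rate,
each defeats current controls with some probability, and each success
causes a loss drawn from a heavy-tailed (lognormal) distribution. Every
numeric input below is a constructed assumption, not real breach data.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    attempts_per_year: float  # mean attack attempts per year (Poisson rate), assumed
    p_success: float          # P(an attempt defeats current controls), assumed
    loss_median: float        # median loss per successful event in USD, assumed
    loss_sigma: float         # dispersion of ln(loss); larger = fatter tail, assumed


def poisson(rate, rng):
    """Sample a Poisson count using Knuth's method (adequate for small rates)."""
    threshold = math.exp(-rate)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= threshold:
            return count
        count += 1


def simulate_year(scenarios, rng):
    """Total loss in one simulated year across all scenarios."""
    total = 0.0
    for s in scenarios:
        for _ in range(poisson(s.attempts_per_year, rng)):
            if rng.random() < s.p_success:
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
    return total


def cyber_var(scenarios, confidence=0.95, years=20000, seed=1):
    """Expected annual loss, VaR at the given confidence, and tail mean (CVaR)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenarios, rng) for _ in range(years))
    idx = min(len(losses) - 1, math.ceil(confidence * len(losses)) - 1)
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "var": losses[idx],                      # loss not exceeded in `confidence` of years
        "cvar": statistics.fmean(losses[idx:]),  # mean loss over the worst (1-confidence) years
    }


def with_control(scenarios, name, new_p_success):
    """Model a mitigation as a lower success probability for one scenario."""
    return [replace(s, p_success=new_p_success) if s.name == name else s
            for s in scenarios]


def control_roi(before, after, annual_control_cost):
    """Reduction in expected annual loss per dollar spent on the control."""
    saved = before["expected_annual_loss"] - after["expected_annual_loss"]
    return saved / annual_control_cost


def example_portfolio():
    """Constructed scenarios for an illustrative site; all numbers are assumptions."""
    return [
        Scenario("ransomware via exposed remote access", 4.0, 0.25, 3_000_000, 0.8),
        Scenario("HMI credential theft and process manipulation", 12.0, 0.05, 250_000, 1.0),
    ]


if __name__ == "__main__":
    base = example_portfolio()
    before = cyber_var(base)
    # Hypothetical control: MFA plus a jump host cuts remote-access success from 25% to 5%.
    after = cyber_var(with_control(base, "ransomware via exposed remote access", 0.05))
    for label, r in (("current controls", before), ("with MFA/jump host", after)):
        print(f"{label}: EAL ${r['expected_annual_loss']:,.0f}  "
              f"95% VaR ${r['var']:,.0f}  CVaR ${r['cvar']:,.0f}")
    print(f"ROI of a $500k/yr control: {control_roi(before, after, 500_000):.1f}x")
```

The point of the exercise is the comparison, not the absolute numbers: swapping the assumed success probability for a control and re-running shows how much expected loss the control buys per dollar, which is what puts mitigation and risk transfer on the same balance sheet. The quality of the output is bounded by the quality of the attack-success and loss statistics fed in, exactly the caveat the paragraph above raises.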
Attack surface evaluation is a newer approach, usually leveraging the MITRE ATT&CK model, for assessing cybersecurity risks by focusing not just on vulnerabilities but on how and why real-world attackers target devices. This method provides a view of the network from an attacker’s perspective and enables defenders to quickly direct resources to what is actually at risk. It incorporates the roles of assets (which reflect an asset’s importance), targets, attack vectors, and the connections among assets.
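The following added example (not from the article or any commercial tool) shows one way to turn the elements listed above into something computable: assets carry a role and an assumed criticality weight, internet-exposed assets are the entry points, and attack vectors between assets carry a descriptive technique label and an assumed difficulty. Dijkstra’s algorithm from every entry point yields the cheapest attack path to each asset, assets are ranked by criticality against path cost, and a what-if removes one vector to show how segmentation or a credential fix changes the picture. The site, technique labels, difficulty weights and the exposure formula are constructed assumptions; mapping the labels to specific ATT&CK for ICS technique IDs is left to the reader.

```python
"""Attack-surface evaluation over a small ICS asset graph.

Added example (not from the article or any named tool). Assets have a role,
an assumed criticality (1-5) and an internet-exposure flag; attack vectors
are directed edges with a technique label and an assumed difficulty. The
cheapest path from any entry point to each asset is found with Dijkstra's
algorithm, then assets are ranked by criticality / (1 + path cost).
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    role: str                 # e.g. "HMI", "PLC", "historian"
    criticality: int          # 1 (low) .. 5 (mission-critical), assumed
    internet_exposed: bool = False


@dataclass(frozen=True)
class Vector:
    src: str
    dst: str
    technique: str            # descriptive label; ATT&CK mapping left to the reader
    difficulty: float         # relative attacker effort, assumed; lower = easier


def shortest_attack_paths(assets, vectors):
    """Cheapest path from any internet-exposed asset to each reachable asset.

    Returns {asset_name: (total_difficulty, [entry, ..., asset])}. Assets with
    no path from an entry point are absent from the result.
    """
    adjacency = {}
    for v in vectors:
        adjacency.setdefault(v.src, []).append(v)
    heap = [(0.0, a.name, (a.name,)) for a in assets.values() if a.internet_exposed]
    heapq.heapify(heap)
    best = {}
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in best:          # already settled with a cheaper or equal path
            continue
        best[node] = (cost, list(path))
        for v in adjacency.get(node, []):
            if v.dst not in best:
                heapq.heappush(heap, (cost + v.difficulty, v.dst, path + (v.dst,)))
    return best


def rank_exposure(assets, vectors):
    """Rank reachable assets by criticality / (1 + attack path cost), highest first."""
    paths = shortest_attack_paths(assets, vectors)
    rows = []
    for name, (cost, path) in paths.items():
        score = assets[name].criticality / (1.0 + cost)   # heuristic, assumed
        rows.append((round(score, 3), name, cost, path))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def unreachable(assets, vectors):
    """Assets with no attack path from any entry point: verify the isolation, then deprioritise."""
    reachable = shortest_attack_paths(assets, vectors)
    return sorted(n for n in assets if n not in reachable)


def without_vector(vectors, src, dst):
    """What-if: remove one attack vector (e.g. a firewall rule or a credential change)."""
    return [v for v in vectors if not (v.src == src and v.dst == dst)]


def example_site():
    """Constructed site: a BAS web HMI and a VPN gateway are the internet entry points."""
    assets = {a.name: a for a in [
        Asset("web-hmi", "HMI", 3, internet_exposed=True),
        Asset("vpn-gateway", "remote access", 2, internet_exposed=True),
        Asset("eng-workstation", "engineering workstation", 3),
        Asset("historian", "historian", 2),
        Asset("plc-boiler", "PLC", 5),
        Asset("safety-plc", "safety PLC", 5),          # isolated: no inbound vectors
    ]}
    vectors = [
        Vector("web-hmi", "plc-boiler", "default HMI credentials, native protocol write", 1.0),
        Vector("vpn-gateway", "eng-workstation", "valid account over remote service", 2.0),
        Vector("eng-workstation", "plc-boiler", "engineering software program download", 1.0),
        Vector("eng-workstation", "historian", "shared local admin credentials", 1.5),
        Vector("historian", "eng-workstation", "shared local admin credentials", 1.5),
    ]
    return assets, vectors


if __name__ == "__main__":
    assets, vectors = example_site()
    for score, name, cost, path in rank_exposure(assets, vectors):
        print(f"{score:5.2f}  {name:16s} cost={cost:<4} via {' -> '.join(path)}")
    print("unreachable from entry points:", unreachable(assets, vectors))
    hardened = without_vector(vectors, "web-hmi", "plc-boiler")
    print("plc-boiler after fixing HMI credentials:",
          shortest_attack_paths(assets, hardened)["plc-boiler"])
```

In the constructed site the boiler PLC is one cheap hop from an internet-exposed HMI, so it ranks near the top even though it is not itself exposed; closing that vector pushes its cheapest path through the VPN and engineering workstation and its exposure score falls accordingly. The safety PLC shows up as unreachable, which is a prompt to verify the isolation claim rather than a reason to ignore the asset.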
One key thing to consider in conducting these risk assessments is the impact of AI/ML technology, both on the defender’s ability to enhance defenses and on the attacker’s ability to craft better attacks. This is a critical, unknown wild card in assessing the balance of security in 2020.
One place to get started on a risk assessment, especially if you are a facility manager, is the Whole Building Design Guide portal. This portal takes you to resources that can walk you through threat and vulnerability assessments for facilities, including the Federal Security Risk Management (FSRM) process that is being used by several federal agencies as well as commercial businesses to assess their facilities. Software is also available through the portal to assist in performing threat/vulnerability assessments and risk analyses. The software tool associated with implementation of FSRM is entitled FSR-Manager. This tool takes a variety of inputs to:
- Calculate vulnerability to each threat based on existing countermeasures.
- Determine the risk level from each threat and classify the risk level as high, medium, or low.
- Check the existing countermeasures against a list of recommended countermeasures for the given facility security level and specific threats. The user is provided a list of potential countermeasure upgrades from which the user may choose what to recommend for implementation.
- Re-evaluate the vulnerability and associated risk level for each threat based on countermeasure upgrade recommendations.
- Use all of the input information to complete a template report in Microsoft Word.
More information about FSR-Manager can be found at www.ara.com.
DHS CISA also provides threat assessments to private and public sector organizations. A core component of the Cybersecurity and Infrastructure Security Agency (CISA) risk management mission is conducting security assessments in partnership with ICS stakeholders, including critical infrastructure owners and operators, ICS vendors, integrators, sector-specific agencies, other Federal departments and agencies, state, local, tribal and territorial (SLTT) governments, and international partners. CISA works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk. More can be found at https://www.us-cert.gov/ics/Assessments.
DHS also offers the Cyber Security Evaluation Tool (CSET®). This product is designed to assist organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now an integral component of CISA. The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. More about CSET can be found here – Fact Sheet — Cyber Security Evaluation Tool (CSET).
You can also find the USCYBERCOM-developed Advanced Control System Tactics, Techniques, and Procedures (TTPs) guidance at the Whole Building Design portal. This document covers the attack surface evaluation approach and provides detailed step-by-step guidance to respond to a cyber attack. The starting point as defined by this guidance is to develop the Fully Mission-Capable (FMC) baseline which consists of documentation that characterizes the control system such as the Topology diagram, Enclave entry points, User accounts, Server/workstation documentation, and Network documentation.
DoD also provides the Unified Facilities Criteria (UFC) – UFC 4-010-06 Cybersecurity of Facility-related Control Systems Sept 2016. The Department of Defense (DoD) initiated the Unified Facilities Criteria Program to unify all technical criteria (UFCs) and guide specifications (UFGS) pertaining to planning, design, construction, and operation and maintenance of real property facilities. The program streamlines the military criteria system by eliminating duplication of information, increasing reliance on private-sector standards, and creating a more efficient criteria development and publishing process. Administered by the United States Army Corps of Engineers (HQUSACE), Naval Facilities Engineering Command (NAVFAC), and the Air Force Civil Engineer Center (AFCEC), the UFC Program organizes numerous working groups with one or more experts from each participating organization to develop the technical publications. This particular UFC describes requirements for incorporating cybersecurity in the design of all facility-related control systems. It defines a process based on the Risk Management Framework suitable for control systems of any impact rating, and provides specific guidance suitable for control systems assigned LOW or MODERATE impact level.
There are also several other risk analysis and estimation tools available. A couple of tools that are designed for building systems include:
- RAMPART™ (Risk Assessment Method—Property Analysis and Ranking Tool), developed by Sandia National Laboratories as a screening-level software program to determine the risk to a building from natural hazards, crime, and terrorism.
- Multi-hazard Identification and Risk Assessment (MHIRA) by Federal Emergency Management Agency (FEMA).
Other relevant codes and standards for understanding comprehensive threats on facilities and assessing risks include:
- Executive Order 12977, “Interagency Security Committee (ISC)” and ISC Security Design Criteria – defines threat/risk classifications and resultant federal protective design requirements (Official Use Only). The ISC is an interagency body exhibiting collaboration and communication between 54 Federal agencies and departments. The ISC is responsible for the creation and implementation of standards, guidelines, and best practices for the protection of nearly 400,000 non-military Federal facilities across the country.
- Federal Emergency Management Agency (FEMA)
Our critical infrastructure owners have a need to mobilize and act now along with our supply chain managers. Security vendors and integrators need to also improve their offerings in the face of such critical stakes. I will talk about some of the requirements they need to consider in upcoming articles so stay tuned.
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.