I have had the privilege of conducting some great podcasts over the last few weeks, and I have six more shows booked, with more coming. I have also been doing some transcription for a new client of mine. They interview some of the very top leaders from the Federal Government and the private sector.
One of the key questions being asked (and in fact one that comes up in the natural course of conversation) is the potential for an attack on critical infrastructure.
As I have mentioned, this is now an area of concern for many Cyber security firms. But what exactly is critical infrastructure? It is the set of essential services that a city or even a small town provides for its residents. This includes the electric utilities, the water supply, the food supply, the gas stations, you name it.
If you take any one of these out, the people of that locality will face some serious consequences.
For example, just imagine if you had no water supply for a few days, or couldn’t fill up your car? These are all scary thoughts for sure, but the main focus on critical infrastructure is the national power grid.
In fact, this is so important that the Department of Energy is going to actually simulate a Cyber-attack on the electric grid and, from there, study the consequences that an event like this could bring to the entire country.
During and after this simulated attack, there will be four areas of grave concern that will be addressed:
*Where is the Cyber-attack coming from?
*How has it affected the supply chain as it relates to the national electric power grid?
*How can electric service be brought back up and running?
*How much of the national electric grid can run on its own resources until the impacted areas are completely rectified?
According to the Department of Energy (DoE), at least 30% of this nation’s overall critical infrastructure has been hit with some sort of Cyber-attack, and it was not necessarily the national electric grid; other areas were impacted as well.
Even worse, according to a recent study conducted by Valencian International University, cyberattacks on Industrial Control Systems (ICSs) have nearly doubled in the last few years.
Other examples of attacks on critical infrastructure include the following:
*The Ukrainian Government was hit when its power stations were suddenly left unable to provide electricity. This was caused by the malware known as “BlackEnergy”, which also prevented the affected computers from restarting.
*The UK is no stranger to this, as they were hit with the arrival of WannaCry, which impacted their entire healthcare infrastructure.
And yes, even we here in the United States have launched Cyber-attacks against other nations’ critical infrastructure as well. A perfect example of this was back in 2010, when the Federal Government launched the worm Stuxnet to disable 1,000 centrifuges at a power plant in Iran.
My thoughts on this?
Trying to fortify the security levels of critical infrastructure is going to be a very complex task. It is important to keep in mind that most of these systems make use of industrial controls that have been in place since they first became operational.
Meaning, they could well be over thirty years old. So, you simply cannot rip them out and put in newer systems with the latest security technologies in them. Instead, the only option is to add newer forms of security technology on top of these legacy systems, literally piece by piece.
But one has to be extremely careful here, because you have to make sure that whatever you add on will work harmoniously with the existing industrial controls that are already in place. In other words, you don’t want to make a bad situation even worse.
So, here are four extremely general tips on how to fortify an existing infrastructure:
*Detecting weak points:
It is very important to conduct an exhaustive audit of where the weak points are in the critical infrastructure. From the IT perspective, this is a relatively easy task, as you can rely on Penetration Testing. But auditing the industrial controls will probably require a very labor-intensive, manual audit.
*Protect your systems:
Once again, this will be very difficult. You need to make sure that whatever you add on will “behave nicely” with the existing systems, both from the IT and industrial control aspects.
*You need to react quickly:
In your IT Infrastructure, you probably have some sort of Incident Response Plan that you would enact in case you were hit with a Cyber-attack. The same holds true for your critical infrastructure components as well. But you have to make sure that you practice your Incident Response Plan here too, on a regular timetable.
*Have alternative methods available:
The first thought, when part of a critical infrastructure is impacted, is to immediately shut that part of the system down. While this is true, because you want to mitigate the spread of the Cyber-attack, you also need to have alternate sources for the impacted system available, at least at a minimal level. For example, if the water supply was hit, you simply cannot turn it off for a long time. After all, people need water in order to stay alive. So, you need to have something in place that will provide some level of water to the town or the city while full recovery is underway. But also keep in mind that the alternative sources need to have protective layers as well.
Finally, here are two links that provide much greater detail on the level of risk that the critical infrastructure faces here in the United States: