By Anil Gosine and Christopher VanPoppelen
Industrial control systems (ICS) are an integral part of the critical infrastructure that facilitates operations in vital sectors such as electricity, oil and gas, water/wastewater, transportation, food, pharmaceutical and chemical. Threats and cyber incidents, both malicious and accidental, occur every day on these systems.
As attacks against ICS systems grow in volume, governmental organizations and private companies that operate critical infrastructure have never faced such significant security risks. It is now easier than ever to learn about industrial protocols, networks and equipment for the purpose of figuring out how to exploit their vulnerabilities. Greater interconnectivity of control systems, more use of Ethernet-based architectures and complex threats being copied by other attackers — these and other factors are introducing additional risks for critical infrastructure, and industry in general, that must be planned for, evaluated and mitigated.
The past five years should have been a real wakeup call for the industrial automation industry. For the first time ever, ICS systems have been the primary target of sophisticated cyber attacks like Stuxnet, Night Dragon, Duqu, and the malware known as TRITON, the most destructive post-Shamoon cyber threat. In 2016, GitHub released a penetration-testing solution for ICS systems that included a tool that was eventually used against the widely used Modbus protocol. The public release of this tool is believed to have led to the rise in malicious attacks against ICS systems in the following 12 months. In the TRITON incident, an attacker gained remote access to a Safety Instrumented System (SIS) and deployed the TRITON attack framework to reprogram the SIS controllers, which caused some of them to enter a failed state that shut down the industrial process.
In the past, industrial control systems were mostly immune to the malicious software attacks that have now infected corporate IT networks, owing to the technology deployed, the isolated environment and the communication protocols used. With the distributed, interconnected nature of today’s industrial control systems, as well as increased use of non-proprietary technology, achieving end-to-end security has to be a multi-vendor and multi-organizational effort. Purpose-built, specialized threats developed by highly skilled cyber criminals, nation-funded IT professionals, political protest groups and hacktivists are now focusing on critical infrastructure and its ancillary systems more than ever before. Sadly, the effects of these attacks are felt far beyond the perimeter of the intended targets.
Corporations, utilities and governmental organizations must collaborate to further develop critical infrastructure protection solutions that do more than just meet the basic requirement of the ICS and satisfy the regulators. Further, solutions must be targeted to the professionals tasked to keep these critical infrastructure industries operating and to be effective in making the business case that risk is mitigated.
Spotlight on Water and Wastewater Utilities
The U.S. water and wastewater sector has an extensive, complex and successful history in protecting public health and the environment. Many take for granted the nation’s clean, safe and reliable water supply — as well as the wastewater treatment processes that occur prior to discharging effluent into waterways. It is core to everyday life.
Utilities within this sector rely heavily on ICS to deliver on their missions and business functions of improving services, sustainability and affordability. The continuing progression of automation within water and wastewater utilities, in addition to the need for on-demand information by users, has created complex and dependent relationships across the value chain in this critical infrastructure sector.
From your digital instruments to your intelligent switchgear, it’s important to know which security standards are being met by your vendor and installation contractor.
Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber attack on their corporate partners, suppliers, and vendors. These complex systems of interacting devices, networks, organizations and people that facilitate the productive sharing of information are quickly becoming as much of a benefit as a threat.
To ensure both the protection and resilience of the systems for successful treatment of water and wastewater, vulnerability assessments, recoverability, security compliance and current threat level must be considered by all involved entities. With water and wastewater utilities being designated as one of the sectors in the Critical Infrastructure Protection (CIP) Act, utilities have a responsibility to address compliance with CIP standards by contracted service providers, vendors, etc. In many cases, policies and procedures are not in place and implementation has been a difficult process. Utilities need to change their ICS project specifications, procurement requirements and auditing tools to get the requirements implemented for projects to support the cybersecurity posture of the organization.
The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems:
Automation – enabling rapid incident detection and response. Automation is a strategy that incorporates making decisions with specified actions as a response to cyber situations at machine speed instead of human response speed.
Interoperability – enabling distributed threat detection across devices. Interoperability must remove the technical constraints from organizations so that they collaborate seamlessly and dynamically in cyber defense automation.
Authentication – enabling trusted communication for automated collaboration in a secure manner. As automated decisions are made, authentication provides the assurance that the partners are authentic.
The American Water Works Association (AWWA) has created the Process Control System Security Guidance document to support the utility adoption of the NIST framework. The document outlines 12 steps that the water/wastewater utility industry should take to shore up cybersecurity, and addresses governance and risk management.
It is worth noting that, although the technical infrastructure may be suitable within the water and wastewater industry, cybersecurity culture is years behind where it should be. There is much emphasis on technological solutions, but we must not forget that better cyber awareness and changing of culture are the most critical steps the industry needs to take. The ICS Cybersecurity Governance Committee has been focused on developing the policies and procedures that align with the Critical Infrastructure Protection (CIP) plan and AWWA Security guidance that are refined to our environment.
Implementing a new governance model that enables collaboration among key groups inside the organization (such as IT, engineering, operations, ICS, security) allows us to raise awareness of the need for standardized risk management approaches for sourcing, procurement and vendor management.
We are now faced with determining how best to mitigate risks with capital projects, which include scope that makes changes to the control system, suppliers providing on-site support with their external laptops, and purchase of equipment that may need to meet new industry compliance requirements. We must address these and other concerns, such as how far into the supply chain our reach should go: third-tier suppliers (integrated circuits, digital storage), second-tier suppliers (meters, sensors, software) or just first-tier suppliers (major systems, communication systems, integration).
As we have standardized our control system devices to allow for better maintenance, operations, utilization and overall costs, we must also standardize and have our vendors meet minimal cybersecurity protocols and policies that do not place our operational system at unnecessary risk. The system as a whole is only truly secure when all organizations throughout the process carry out effective, coordinated security measures to ensure the integrity of the system.
There are four main responsibilities that we have planned to focus on to strengthen our ecosystem:
Security Standards – functional and technical requirements on cyber assets that enable critical operational processes.
Procurement Risks – risk-based approach that has security standards and security terms and conditions included in RFPs and contracts. Vendors that cannot meet these standards should be excluded from consideration.
Vendor Risks – Suppliers can no longer be viewed as logistical efforts where only time, quantity and price matter. With global supply chains, performance and reliability of systems with 15- to 20-year life spans must allow end users visibility into the vendors beyond the first tier.
Assurance – We must change the way we perform Factory Acceptance Testing, as well as change pre-installation requirements, strengthen change management controls, and utilize specialized threat detection and control that is anomaly-based rather than signature-based.
As end customers, we must continue to encourage ICS vendors and automation professionals to commit to providing an evolving set of products and services that help mitigate risks and improve security of the production assets. The solution must also include risk analytics that assemble and correlate data in an innovative platform that provides actionable visibility into cybersecurity blind spots before it’s too late.
About the Authors: Anil Gosine is chair of the Strategic Efficiency Consortium’s Security and Optimization Workgroup, with over 19 years of construction management, operations and engineering experience within the industrial sector with primary focus on electrical, instrumentation and automation in the U.S., Canada and Central America. Gosine previously managed and administered the department-wide ICS for the Detroit Water & Sewerage Department.
Christopher VanPoppelen is manager of the Great Lakes Water Authority and leads the ICS Cybersecurity Governance Committee, with over 25 years of electrical and controls engineering and management experience within the water/wastewater industry. He currently manages the Industrial Control Systems, Regulatory Group and Process Center Operations at the GLWA Water Resource Recovery Facility, including electrical/automation design and construction oversight for capital projects.