As some of you may already know, elections aren’t the only thing Russian hackers are meddling in. They’ve infiltrated our energy and manufacturing sectors as well. This year, the FBI and Department of Homeland Security announced Russian government actors have hacked into energy, nuclear, water and critical manufacturing sectors. In July, they announced Russian hackers had infiltrated utility control rooms where they could have thrown switches if they chose to do so. Russia aside, it has become painfully obvious our industrial IoT (IIoT) and infrastructure are vulnerable.
According to the Houston Chronicle, the Department of Homeland Security (DHS) identified more than 900 security vulnerabilities in energy companies between 2011 and 2015, more than in any other sector. In 2017, nearly 40% of all analyzed Industrial Control Systems (ICS) in energy organizations were attacked by malware according to Infosec, and the energy industry was the most frequently attacked sector, followed by engineering. Here are 9 ways to proactively protect your ICS and SCADA systems starting now.
Manage Authentication
Hackers are increasingly focused on acquiring legitimate credentials so that they may manipulate systems undetected. It should go without saying, but: do not use factory passwords, do not use easy-to-guess passwords, do not leave passwords on post-its where anyone can find them. All of the above happen on a regular basis. Implement multi-factor authentication wherever possible and limit user access to what is required for employees to do their jobs. Use separate credentials for business and ICS networks, and require password changes on a regular basis.
Manage Remote Access
It’s common for managers to monitor critical systems from tablets, and it’s not unlikely that they use insecure Wi-Fi connections to do so from time to time. Anyone accessing the ICS remotely should be using a VPN. Also, if at all possible, enable “monitoring only” mode for those accessing systems remotely; do not depend on “read only” access enforced by permissions. Another measure you can take is to put a time limit on remote sessions, logging the user out once a predetermined number of minutes have passed. Use two-factor authentication for logins from other devices.
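Two of the controls above, monitoring-only mode and a hard session time limit, are only worth anything if they are enforced on the server side rather than by the remote user's file permissions. The following is an added example, not code from the article, of a small session guard that refuses control commands in a monitoring-only session, ends the session after a fixed number of seconds, and records every refusal for the audit log. The command names and the 15-minute limit are assumptions made for the example.

```python
import time
from typing import Callable, List, NoReturn, Tuple

# Added example, not from the article: a server-side guard for remote ICS
# sessions. Monitoring-only mode is enforced at the command layer (a control
# action is refused even if permissions would allow it), the session has a
# hard time limit, and refusals are kept for the audit log. The command
# vocabulary and the 15-minute limit are assumptions.

READ_COMMANDS = {"read_tag", "list_alarms", "get_trend"}
WRITE_COMMANDS = {"write_tag", "ack_alarm", "set_mode"}
DEFAULT_LIMIT_SECONDS = 15 * 60


class SessionError(Exception):
    """Raised when a command is refused; the message says why."""


class RemoteSession:
    def __init__(self, user: str, monitor_only: bool = True,
                 limit_seconds: int = DEFAULT_LIMIT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.user = user
        self.monitor_only = monitor_only          # default is the safe mode
        self.limit_seconds = limit_seconds
        self.clock = clock                        # injectable for tests
        self.started_at = clock()
        self.refused: List[Tuple[str, str]] = []  # (command, reason)

    def expired(self) -> bool:
        return self.clock() - self.started_at >= self.limit_seconds

    def execute(self, command: str) -> str:
        """Run a command on behalf of the remote user, or refuse it."""
        if self.expired():
            self._refuse(command, "session time limit reached")
        if command in WRITE_COMMANDS and self.monitor_only:
            self._refuse(command, "control action in monitoring-only session")
        if command not in READ_COMMANDS | WRITE_COMMANDS:
            self._refuse(command, "unknown command")
        return f"ok: {command} by {self.user}"

    def _refuse(self, command: str, reason: str) -> NoReturn:
        self.refused.append((command, reason))
        raise SessionError(f"{command!r} refused: {reason}")


def demo() -> dict:
    """Constructed walk-through driven by a fake clock instead of wall time."""
    now = [0.0]
    session = RemoteSession("ops_tablet", monitor_only=True,
                            limit_seconds=900, clock=lambda: now[0])
    result = {"read": session.execute("read_tag")}
    try:
        session.execute("write_tag")          # control action: refused
    except SessionError as err:
        result["write"] = str(err)
    now[0] = 901.0                            # 15 minutes and a second later
    try:
        session.execute("read_tag")           # even reads stop after the limit
    except SessionError as err:
        result["after_limit"] = str(err)
    result["refused"] = list(session.refused)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The clock is injected so the time limit can be tested without waiting; in production the default `time.monotonic` is used, which is not affected by wall-clock changes on the host.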
Whitelist Applications
Because many ICS hosts are static, application whitelisting is an efficient way to detect malware installation. Rather than trying to identify and block activity it deems malicious, which is what most anti-virus programs and intrusion-detection services do, a whitelisting technology notifies users of any application file that does not belong to a whitelisted application. Evaluate and install an application whitelisting technology.
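The mechanism behind this is simple enough to show directly. Below is an added example, not code from the article or from any whitelisting product, of a hash-based allowlist check: a baseline of approved executables is captured while the host is in a known-good state, and later scans report any executable that is new or whose contents no longer match the baseline. The set of file extensions treated as "application files" and the sample files are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not from the article: a minimal hash-based application
# allowlist check. The baseline is taken while the ICS host is known-good;
# later scans flag executables that are new or whose digest changed, which
# is how whitelisting surfaces an unexpected installation on a static host.

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bin"}  # assumption: what counts as an application file


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root: Path) -> Dict[str, str]:
    """Map each executable under root (posix-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def find_unapproved(root: Path, allowlist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for executables that do not match the baseline.

    A file is flagged if it is new (absent from the baseline) or if its
    contents changed (same path, different digest): a tampered binary is
    just as unexpected as a newly dropped one.
    """
    findings = []
    for rel, digest in build_allowlist(root).items():
        if rel not in allowlist:
            findings.append((rel, "new executable not in allowlist"))
        elif allowlist[rel] != digest:
            findings.append((rel, "digest differs from allowlisted build"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a host, then drop one file and modify another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "viewer.exe").write_bytes(b"approved viewer build")
        (root / "hmi" / "driver.dll").write_bytes(b"approved driver build")
        (root / "readme.txt").write_bytes(b"not an executable, ignored")
        allowlist = build_allowlist(root)   # captured while the host is known-good

        # Later: something writes a new binary and patches an approved one.
        (root / "hmi" / "updater.exe").write_bytes(b"unexpected binary")
        (root / "hmi" / "driver.dll").write_bytes(b"modified driver build")
        return find_unapproved(root, allowlist)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT {rel}: {reason}")
```

A real product hooks process creation or file writes instead of scanning on a schedule, and protects the baseline itself from modification; the comparison it makes is the same one shown here.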
Isolate and Segment Networks
Isolate ICS networks from untrusted networks, especially the Internet, and lock down any ports that are not being used. Segment networks into logical enclaves and restrict host-to-host communication paths. This segmentation and containment will limit hackers’ reach and mitigate damage if an attack is attempted. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.
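To make the segmentation rules concrete, here is an added example, not code from the article, that writes them as data (default deny, one open port from the control enclave to one historian host, no direct corporate-to-control path) and checks a connection log against them. The enclave address ranges, the historian host and port, and the log lines are all constructed for the example; the real rules live in firewall or ACL configuration, and a checker like this is useful for auditing that the deployed configuration matches the intended policy.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Added example, not from the article: the segmentation policy as data plus
# an audit over a constructed connection log. Address ranges, the historian
# host and port, and the log entries are assumptions for the example.

ENCLAVES = {
    "control":   ipaddress.ip_network("10.10.1.0/24"),   # PLCs, HMIs, engineering stations
    "dmz":       ipaddress.ip_network("10.10.2.0/24"),   # historian replica
    "corporate": ipaddress.ip_network("10.20.0.0/16"),   # business network
}

HISTORIAN = "10.10.2.10"   # assumption: the one DMZ host control may talk to


class Rule(NamedTuple):
    src_enclave: str
    dst_enclave: str
    dst_port: int
    dst_host: Optional[str] = None   # None = any host in dst_enclave


# Everything not listed here is denied.
ALLOWED = [
    Rule("control", "dmz", 5450, HISTORIAN),   # single open port over a single path (port is an assumption)
    Rule("corporate", "dmz", 443),             # business users read the replica
    Rule("control", "control", 502),           # Modbus/TCP inside the enclave
]


def enclave_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "untrusted"   # anything else, the Internet included


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    src, dst = enclave_of(src_ip), enclave_of(dst_ip)
    return any(
        r.src_enclave == src and r.dst_enclave == dst and r.dst_port == dst_port
        and (r.dst_host is None or r.dst_host == dst_ip)
        for r in ALLOWED
    )


# Constructed connection records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
CONNECTION_LOG = [
    "2018-09-01T10:00:01Z 10.10.1.5 10.10.2.10 5450",   # PLC gateway -> historian
    "2018-09-01T10:00:05Z 10.10.1.5 10.10.2.11 5450",   # right port, wrong DMZ host
    "2018-09-01T10:00:09Z 10.20.3.7 10.10.1.5 502",     # corporate straight into control
    "2018-09-01T10:00:12Z 203.0.113.9 10.10.1.5 502",   # Internet address into control
    "2018-09-01T10:00:15Z 10.10.1.5 10.10.1.6 502",     # Modbus inside the enclave
    "2018-09-01T10:00:20Z 10.20.3.7 10.10.2.10 443",    # business user reads replica
]


def audit(log_lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, 'src_enclave->dst_enclave') for each denied connection."""
    violations = []
    for line in log_lines:
        _ts, src, dst, port = line.split()
        port = int(port)
        if not is_allowed(src, dst, port):
            violations.append((src, dst, port, f"{enclave_of(src)}->{enclave_of(dst)}"))
    return violations


if __name__ == "__main__":
    for v in audit(CONNECTION_LOG):
        print("DENY", *v)
```

Note that the control-to-historian rule is deliberately one-directional: nothing lets the DMZ open a connection back into the control enclave, which is the property a data diode gives you in hardware when one-way flow is enough.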
Know Your Contractors
If your company has implemented strict cybersecurity measures and upped your cybersecurity budget, it doesn’t mean much if your contractors’ cybersecurity is weak. It is critical to evaluate vendors and contractors that have access to your systems to ensure they comply with your standards. Make sure their credentials are managed just as strictly as any employee’s.
Operations Must Think Like IT
As Charles McConnell of Rice University’s Energy and Environment Initiative told the Houston Chronicle, most oil companies rush to deploy new technologies that improve operations, but considering how they might mitigate cyber threats is an afterthought. Operations-minded staff are just not as focused on security as traditional IT staff. They did not have to deal with cybersecurity issues in the past; they traditionally managed automated systems with minimal or nonexistent connections to the Internet. There needs to be a culture shift in operations to be more cautious and adopt the attitude of “if it can happen, it will.”
Follow DHS and FBI Alerts
The DHS’s Computer Emergency Readiness Team (US-CERT) provides security alerts like this one that include downloadable files with signatures, IP addresses, domain names, file hashes and other information companies can give to their network security teams to update their protection programs. Check their site regularly or follow them @USCERT_gov to get updates.
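What a security team does with such a file is load the indicators and sweep existing logs for them. The following is an added example, not code from the article or from US-CERT, of that sweep: it reads a simple "type,value" indicator list and reports every firewall, DNS or anti-virus log line that contains a listed IP address, a listed domain (or a subdomain of it), or a listed SHA-256 hash. The indicator text and the log lines are constructed for the example and are not taken from any actual alert; real alert packages ship as CSV/STIX, so the one-line parser here stands in for a parser of that format.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not from the article: match a constructed indicator list
# against constructed log lines. Neither the indicators nor the log content
# come from a real alert; the "type,value" format is an assumption.

INDICATORS_TXT = """\
# type,value   (constructed sample indicators)
ip,198.51.100.23
domain,update-check.example
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

LOG_LINES = [
    "2018-09-01T08:12:03Z fw allow src=10.10.1.5 dst=198.51.100.23 dport=443",
    "2018-09-01T08:12:09Z dns query client=10.20.3.7 qname=cdn.update-check.example",
    "2018-09-01T08:13:41Z av scan file=C:\\ICS\\tool.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2018-09-01T08:14:00Z fw allow src=10.10.1.5 dst=10.10.2.10 dport=5450",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def parse_indicators(text: str) -> Dict[str, Set[str]]:
    """Group indicator values by type; comments and blank lines are skipped."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip().lower(), set()).add(value.strip().lower())
    return iocs


def domain_hits(host: str, domains: Set[str]) -> bool:
    """A domain indicator also covers its subdomains, never a look-alike suffix."""
    host = host.lower()
    return host in domains or any(host.endswith("." + d) for d in domains)


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, matched value) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if domain_hits(host, iocs["domain"]):
                hits.append((n, "domain", host.lower()))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append((n, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_logs(LOG_LINES, parse_indicators(INDICATORS_TXT)):
        print(f"line {n}: matched {kind} indicator {value}")
```

Matching is done on extracted tokens rather than with plain substring search so that an indicator like `update-check.example` does not fire on `notupdate-check.example`, and so that hashes and IP addresses are compared as whole values.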
Protect Older Equipment
Many energy companies use equipment that was designed two decades ago, without cybersecurity in mind. This equipment was built to last over 30 years, so no company wants to lose the capital invested in the equipment when it still has a decade or so of life left. Some companies manufacture hardware, such as CommLock, designed specifically for protecting older equipment that was built without network security features.
Install Software to Streamline IoT Security
The problem with IoT devices is that every device is different, unlike a rack of identical x86 servers. They are also not as secure as they could be. “A lot of the chipsets being used have the hardware to be fundamentally secure, but 90% to 95% of the OEMs are not implementing those functions,” Asaf Ashkenazi, vice president of IoT security products at Rambus, told Semiconductor Engineering. The diversity and lack of enabled security features make IoT systems extremely difficult to manage. Ashkenazi said, “We had a company come to us that had deployed 1,000 devices, but 3,000 had connected to the service.” IoT security companies like Rambus have created software development kits, working with manufacturers, to help companies streamline their IoT security.
Cyber warfare is the war of the future, and those who have the most power to control an adversary’s basic infrastructure have the upper hand. Adversaries could use this power, not only in situations of war, but to force hands in negotiations. Protecting your ICS and SCADA systems not only protects your company from threats like ransom, fraud and intellectual property theft, it also protects the country’s interests. For more information, view DHS’s strategies for defending ICSs.