Disaster movies of the 1980s and 1990s attempted to predict the “end of times” due to a major computer systems failure, including fears over “Y2K.” One of the reasons the premise of these movies seemed plausible is that understanding the nuances and impacts of compromised operational technology (OT) systems on critical infrastructure is more of an art than a science. From social media and online work environments to microchips under the skin to validate user identities, society is increasingly dependent on information technology (IT) to sustain life. IT dependency brings many security challenges, but the OT supporting critical infrastructure is no less important and, in many ways, more so. For example, people can survive without social media for a month, but not without water. However, OT is taking longer than IT to catch up to modern security challenges. OT systems are designed to run and operate for much longer cycles than IT systems, 30 years or more, depending on industry growth. This is key to understanding the differences and the reliance critical infrastructure has on OT systems.
The National Institute of Standards and Technology states that OT “encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.” This process was simple in the 1860s, with punch cards controlling textile machines. However, since the 1950s, technology and the ability to build “widgets” faster and smaller has led to significant advancements for all the right reasons in the OT world.
“With IT’s developments and fast-paced innovations, OT may be unable to catch up without radical changes, regulatory oversight, and significant sacrifices.”
Regulatory oversight for OT in the energy sector is guided by FERC/NERC, whose efforts focus on network monitoring sensors, centralized collectors, and information-sharing practices. Although these efforts are encouraging, other sectors do not have the same regulatory oversight or cyber enforcement, hindering resilience between the cyber-physical ecosystems. The COVID-19 pandemic made this situation worse. Teleworking mandates and remote work environments forced some owner-operators to use remote access tools to manage OT. This quick-fix response using industrial internet of things or IT remote access systems opened the door to more attack vectors and compromised OT systems.
The Target data breach of 2013 highlighted the risks of having OT and IT systems on the same network. The breach was successful because a third-party heating, ventilation, and air conditioning (HVAC) vendor used a remote access solution that was not secure. As a result, the HVAC network provided a path for the attacker to gain a foothold into Target’s point-of-sale network, which resulted in the theft of data on over 110 million Target customers.
Over the past 50 years, IT’s developments and fast-paced innovations in flexibility, availability, and security have lapped the OT environment. OT may be unable to catch up without radical changes, regulatory oversight, and significant sacrifices by companies and agencies. According to Tripwire, IT/OT security can be challenging:
“It’s not realistic to apply cybersecurity best practices from the [IT] side of your organization to the [OT] side. IT and OT environments consist of completely different types of devices and network structures. OT environments also experience wildly different risks and threats than IT environments.”
The risks and costs to mitigate these threats are driving different equities of how companies and agencies invest in protecting these ecosystems.
OT’s connection to critical infrastructure is defined in terms of Industrial Control Systems (ICS), which are the onsite or remote systems that control hydroelectric dams, energy infrastructure, chemical plant operations, transportation systems, food and agricultural operations, communications, and other critical infrastructure assets. There are three classes of ICS: Distributed Control Systems, Programmable Logic Controllers, and Supervisory Control and Data Acquisition (SCADA) systems. These three classes define how OT interacts and functions with the physical side of infrastructure – for example, moving valves, operating sensors, controlling/measuring flow, etc. Some processes use digital and analog signals depending on how the software interacts with physical hardware or how the switch moves a valve. These two communication mediums present security risks and are a major gap where many vulnerabilities hide.
According to a Forescout report in 2022, OT “vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography…, insecure firmware updates and remote code execution via native functionality.” In the same report, Forescout’s Vedere Labs discovered 56 vulnerabilities from ten OT equipment vendors that provide systems to critical industries, such as oil and gas, chemical, nuclear, manufacturing, water treatment and distribution, and mining. Many vendors sold these systems as “secure by design” or “certified” with OT security standards. However, the security evaluation of these systems proved otherwise.
Two recent cyber incidents provide valuable lessons. In February 2021, a threat actor gained access to a Florida city water treatment plant’s SCADA control system and manipulated the amount of sodium hydroxide introduced into the system. Fortunately, plant personnel noticed the change and corrected the issue before the water became toxic. The reported vulnerabilities were an outdated Windows operating system and poor password management that leveraged TeamViewer software and allowed remote desktop access. In another 2021 case, Colonial Pipeline decided to proactively shut down its ICS system in response to a ransomware attack on its IT system. Unfortunately, that shutdown caused cascading disruptions and delays in the pipeline’s logistical supply chain.
One of the most notable incidents in recent history is the attack on Ukraine’s energy infrastructure. In 2015, Ukrainian power companies experienced unscheduled power outages impacting many of their customers. Threat actors used a combination of OT and IT vulnerabilities to compromise the Ukraine power grid. The threat actors used a “spear-phishing” attack against the Ukraine utility company, which installed malware to seize the utility company’s SCADA control systems, subsequently shutting down the power substations. Next, the attackers targeted the utility company’s IT infrastructure components – including uninterrupted power supplies, modems, and remote terminal units – and the emergency power supply at its main operations center. Reports stated the attack shut off 30 power substations, impacted over 230,000 customers, and turned off power in some areas for one to six hours.
Understanding the fundamental differences between IT and OT systems is a good place to start in helping agencies and companies be better prepared to mitigate and respond to threats and attacks on critical systems. Instances of retired persons returning to work to teach new and current employees how to bypass a compromised or inoperable OT system – for example, manually turning on or off valves or switches using hand tools – are becoming more common. With the great resignation still looming, it is time for employers, companies, and even governmental agencies to discover, collate, document, and train on this legacy knowledge. Failing to do so now may mean permanently losing the tacit knowledge needed in an emergency.
These stories are abundant in the kinetic world of infrastructure, especially in long-standing systems like water, energy, and transportation. Since OT is older and was designed in an era when technology was not as advanced, there have been fewer updates. Although some OT systems are not connected to the internet, organic vulnerabilities remain because threats have changed. Understanding how the networks are connected and how the workflow is handled is one way to discover vulnerabilities and to help C-suite staff understand how to protect company property, IP (intellectual property), and brand reputation. According to Tripwire, there are three risk factors to consider:
- Unintegrated technologies – Many ICSs are purpose-built, proprietary, and created when cybersecurity impacts were not a concern.
- Flat networks – Many ICS networks are flat, meaning each device has access to the rest of the network. In a flat, non-segmented network architecture, a malware attack against one device allows the malware to propagate through the control environment with impunity.
- Workforce challenges – A skills gap for securing ICS has emerged through an aging workforce and the adoption of IT technologies within ICS at a faster rate. With an estimated 3.5 million unfilled cybersecurity jobs by 2014, the skills gap is another challenge to overcome.
Several pressures are combining into a perfect storm for catastrophes: industrial internet of things or IoT (internet of things) systems coming online quicker than staff can be hired; oversimplified security protections, with one IT person having administrative access to all systems; technology moving faster than industry standards can keep up; a growing skill, knowledge, and ability gap as the workforce ages; and fewer people going into the trades. In addition, with more successful cyberattacks and possible long-term economic concerns pushing this narrative, the industry is not fully prepared. For example, many independent service operators in the energy industry can re-route electrical supplies and effectively monitor the system, but there are still significant gaps. ASCE’s 2021 Infrastructure Report Card states, “The electric grid is becoming more vulnerable to cyberattacks via industrial control systems, consumer Internet of Things devices connected to the grid’s distribution network, and the global positioning system.” With natural and person-caused threats and hazards to infrastructure, specifically lifeline critical infrastructure, being prepared now will mitigate the loss of life and economic impacts.
Solutions and Action Items
Although separating IT/OT systems also has been adopted as a threat mitigation strategy, some companies are now combining them again to help with overall cybersecurity. According to the Center for Internet Security, there are some simple solutions to consider:
- Ensure firewalls are configured to deny by default
- If a location is not staffed or critical process data flows through a perimeter device, ensure that redundancy exists and that device failure will not prevent this data from being received by its intended destination
- Ensure systems are kept up-to-date and pay attention to security patch releases, vulnerability notifications, and firmware releases. Unsecure services, poor firewall configurations, and default credentials remain issues
- Use the principle of least privilege – only grant access to data and systems to those that require it
- When leveraging an IT-based security information and event management solution, ensure that it supports the ICS environment because many logging analytic and alerting solutions do not support or correctly interpret or correlate ICS-specific events
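An added example (not from the article or from the Center for Internet Security) of checking the deny-by-default and least-privilege recommendations above against a firewall policy at the IT/OT boundary. The zone names, ports, and rules are constructed for illustration.

```python
# Added example: zones, ports and rulesets are constructed, not from a real site.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source zone, or ANY
    dst: str      # destination zone, or ANY
    port: object  # TCP port number, or ANY

def decide(rules, default, src, dst, port):
    """First matching rule wins; otherwise the default action applies."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action
    return default

def audit(rules, default, protected="ot"):
    """Return findings for a ruleset that guards the protected zone."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    for i, r in enumerate(rules):
        if r.action != "allow" or r.dst not in (ANY, protected):
            continue  # only allow rules that can reach the protected zone matter
        if r.src == ANY:
            findings.append(f"rule {i}: any source may reach {protected}")
        if r.port == ANY:
            findings.append(f"rule {i}: all ports open into {protected}")
    return findings

# Flat-style policy: every zone reaches every other zone on every port.
WEAK = ([Rule("allow", ANY, ANY, ANY)], "allow")

# Deny by default, with one narrow conduit per required data flow.
HARDENED = ([
    Rule("allow", "it", "dmz", 443),      # IT users read a historian replica
    Rule("allow", "dmz", "ot", 502),      # DMZ collector polls controllers (Modbus/TCP)
    Rule("allow", "vendor", "dmz", 443),  # vendor lands on a jump host, never in OT
], "deny")

if __name__ == "__main__":
    for name, (rules, default) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules, default))
        print("  vendor -> ot:3389 =", decide(rules, default, "vendor", "ot", 3389))
```
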
Lastly, staying informed about emerging threats, vulnerabilities, and cybersecurity tools and resources is critical to mitigate threats and shorten the return time to a “cyber normal.” Categorizing systems into simple processes and discussing solutions around this process might help owners and operators tackle the prioritization challenge:
- Older un-interrogatable ICS/SCADA systems (known systems that need to be updated and/or cannot be due to operational software boundaries);
- Current/existing ICS/SCADA systems (these can be a combination of older and newer systems, those that have had past updates or have the potential of adapting new ICS/SCADA systems); and
- Future or advanced integration of ICS (these are systems being updated or proposed to be updated by choice or regulation).
Preparedness professionals have options for sharing knowledge and facilitating changes to mitigate IT/OT threats. For instance, organizational leaders can become members of the Information Sharing and Analysis Center (ISAC). In addition, procurement officials can leverage contracts to incorporate IT/OT threat mitigation. For example, firmware updates for new security cameras can be included within a new contract vehicle in order to avoid additional costs or delays when future updates are needed.
The future of IT/OT systems is improving, with more resources and monies dedicated to this space. Under the guidance of the Cybersecurity and Infrastructure Security Agency (CISA), the federal government warns owners and operators of “critical infrastructure OT and control systems assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The House passed the DHS Industrial Control Systems Capabilities Enhancement Act of 2021 (Bill H.R. 1833), which guides CISA’s National Cybersecurity and Communications Integration Center to ensure that its activities address the security of both IT and OT, including ICS. These efforts in Congress continue under the direction of the Department of Homeland Security.
In California, cybersecurity is a top priority. The California Cybersecurity Integration Center is part of a growing effort to centralize and mitigate cyberattacks, offer solutions, and provide education to the public and other state agencies. Across the nation, federal and private entities are engaging in the cyber-to-physical space, with more small and large agencies and companies taking notice. Small rural critical infrastructure owners and operators are getting solutions with options for cybersecurity grant programs.
Looking at threats from an all-hazards perspective is the future of how emergency managers, cyber response agencies, and private entities can tackle the convergence of cyber-physical threats. Cyber-physical systems is a new buzz phrase to help group the problem and support resilient OT systems. With the ever-decreasing gap between the cyber and physical worlds, efforts across industries and governments must be streamlined to prepare for, mitigate, and respond to these threats. Continuing the conversation and allowing for data sharing and trust is paramount to ensuring that the lights stay on, the water keeps flowing, and life continues thriving.
Nathan DiPillo currently serves as a California Governor’s Office appointee assigned to the California Office of Emergency Services as a Critical Infrastructure Analyst in the State Threat Assessment Center. Before state service, he functioned as a critical infrastructure specialist with the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). He also spent over 15 years with the Transportation Security Administration, where he assisted in standing up the agency with policy development, training, and recruitment. He has over 25 years in the emergency management and security industry, beginning as a resident firefighter/emergency medical technician. He also served with the California State Military Department, and Army National Guard in the 223rd Training Command ending his career as a Sergeant First Class. During that time, he served in many units, finishing his career attached to the 102nd Military Police Training Division in an Opposition Force Unit. He currently serves on a small-town planning commission and assisted in coordinating an emergency family communications group in his local area. He possesses a Master of Emergency Management/Homeland Security from the National University and other Federal Emergency Management Agency (FEMA), U.S. Department of Homeland Security (DHS), and military certifications. He currently serves as an advisor to the Domestic Preparedness Journal.
Paul Galyen, CISM, is an experienced information security professional skilled in vulnerability management, security architecture, and endpoint security hardening, currently working with the California Cybersecurity Integration Center. Before state service, he worked as a contractor providing cybersecurity and digital forensic analysis for a large IT company and a major aerospace company. In addition, he served eight years as a communications specialist with the United States Army Reserve with the 801st Engineering Company (Horizontal Construction) and the 305th Engineering Company (Route Clearance), including a military deployment to Afghanistan in 2014 in support of Operation Enduring Freedom. He received a Master’s of Information Technology Management with a specialization in cybersecurity from Colorado State University Global Campus.