This is the last week of National Cyber Security Awareness Month, and it focuses on ‘Building Resilience in Critical Infrastructure’. It’s therefore a great time to discuss exactly why critical infrastructure resilience is so important, and how it relates to cyber security.
‘Critical infrastructure’ means any major system whose operation affects the day-to-day lives of a large number of citizens. Organizations within the energy industry, such as power plants, are key examples, along with water companies, sewage works and major transport organizations.
Resilience is enormously important for critical infrastructure organizations because, should anything go wrong and disrupt their day-to-day operations, thousands if not millions of lives will be affected. The knock-on financial effect might be huge – if, for example, thousands of businesses are suddenly without electricity and cannot function. In worst-case scenarios, lives may even be in danger – if, for instance, a nuclear power plant malfunctions.
Historically, the major threats to resilience in critical infrastructure organizations were things like mechanical failures and user errors. The computer systems controlling machinery and processes within these organizations were designed to remain reliable in the face of such failures or errors – but they weren’t designed to remain reliable in the face of sophisticated cyber criminals.
In days gone by, a criminal might have had to bribe a guard, scale a fence, identify a set of obscure cables and attach alligator clips to them in order to take control of a power plant. As such, cyber crime simply wasn’t a major threat to critical infrastructure resilience.
Now, however, things have changed. Critical infrastructure organizations have become a potential target for cyber crime – and this means that their resilience has become dependent on robust network security.
Programmable Logic Controllers: not password protected
To understand why, we need to know a little more about the computer systems and networks that support a typical critical infrastructure organization.
A unifying factor across all types of critical infrastructure is that each contains a large number of ‘cyber-physical’ systems. These comprise physical, industrial processes such as turbines generating electricity or pumps pushing water, which in turn are controlled and managed by computerized devices – programmable logic controllers (PLCs).
PLCs are highly sophisticated systems in terms of the specific tasks they were built for – but unlike regular desktops and laptops, they weren’t built with the concept of user privileges and don’t require a user name/password to access them. Generally, a PLC isn’t interested in who is issuing a particular instruction or whether that person is authorized to do so – it is interested in the instruction itself, and the physical process it needs to trigger.
In turn, this means that, should a malicious party gain access to the device itself, then there are no user privileges to bypass. In that sense, the PLC is, in theory, more vulnerable than a corporate smartphone that has been stolen by a cyber criminal but locked with a password.
How, then, could a cyber criminal hypothetically gain access to a PLC?
Connections and communications
As outlined above, such malicious access once depended on criminals actually getting inside critical infrastructure premises, and physically interfering with the network. This is because, decades ago, the communication networks inside critical infrastructure organizations were proprietary. Now, however, it has become more cost-effective for PLCs to connect via IP-based communications – which means they can be accessed remotely over the internet.
PLCs have to communicate both among themselves and with higher-level command and control centers, so masses of information must travel across different traffic paths. If a malicious party can find a way to access the network – and remember, they don’t have individual login credentials to bypass – then they can, in theory, find their way to those command and control centers and interfere with their behavior, potentially doing a huge amount of damage. That’s exactly what happened with the now infamous Stuxnet attack, which targeted the Windows-based SCADA servers in an Iranian nuclear plant.
Playing into criminal hands?
From a cyber criminal’s point of view, this IP connectivity coupled with outdated systems is a dream come true. Little wonder that Kaspersky recently stated that industrial control systems should not be connected to the internet, and that ‘by its very nature, the Industrial Control Systems environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues’.
Compounding the problem is the enormous cost of replacing these control systems. Replacement is unlikely to be high on the CEO’s priority list because it isn’t seen as driving additional efficiencies. That is, robust network security is not yet seen as part of critical infrastructure’s resilience. Whereas a bank might be constantly under attack from cyber criminals and understand that good information security is essential to maintain day-to-day operations and customer loyalty, critical infrastructure organizations tend not to place cyber crime high on their threat models. Yet.
Building resilience and security into critical infrastructure
What, then, can be done? A key principle for securing critical infrastructure organizations is network segmentation. Just as organizations that store customer credit card information are required to keep that information securely separate from other forms of sensitive data, so too should critical infrastructure organizations ensure that their critical assets (their PLCs) are kept separate from each other, and from other forms of sensitive information. Industry regulations are also becoming increasingly focused on cyber security and are demanding that the control network is separated from the IP network.
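The segmentation principle above can be expressed as an explicit policy and checked against flow records. This is an added illustration, not code from the original post; the zone names, address ranges and sample flows are constructed, and the layout (corporate network, a control segment for engineering/SCADA hosts, one isolated segment per PLC) is an assumption for the example.

```python
"""Flow-policy check for a segmented control network (constructed example)."""
import ipaddress
from collections import namedtuple

# Constructed zone layout (assumption): corporate IP network, a control
# segment holding engineering/SCADA hosts, and one isolated segment per PLC.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
    "plc-turbine": ipaddress.ip_network("192.168.20.0/29"),
    "plc-pump": ipaddress.ip_network("192.168.20.8/29"),
}

# Allowed (source zone, destination zone) pairs. Only the control segment may
# reach a PLC; PLCs never talk to each other or to the corporate network.
ALLOWED = {
    ("control", "plc-turbine"),
    ("control", "plc-pump"),
    ("corporate", "control"),  # e.g. reporting access via the control segment
}

Flow = namedtuple("Flow", "src dst dport")  # one record from a flow export

def zone_of(addr: str) -> str:
    """Map an address to its zone, or 'unknown' if it is outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def check_flow(flow: Flow) -> str:
    """Return 'allow' or a short reason why the flow breaks segmentation."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src, dst):
        return f"deny: unclassified address {flow.src}->{flow.dst}"
    if (src, dst) in ALLOWED:
        return "allow"
    if src.startswith("plc-") and dst.startswith("plc-"):
        return f"deny: PLC-to-PLC lateral traffic {src}->{dst}"
    return f"deny: {src}->{dst} not in segmentation policy"

def audit(flows):
    """Return (flow, verdict) pairs for every flow the policy denies."""
    return [(f, v) for f in flows if (v := check_flow(f)) != "allow"]

# Constructed sample flow records, as a firewall or flow collector might export.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.2", 502),  # engineering host -> turbine PLC
    Flow("10.0.3.44", "192.168.20.9", 502),     # corporate laptop straight to pump PLC
    Flow("192.168.20.2", "192.168.20.9", 502),  # turbine PLC -> pump PLC
    Flow("10.0.3.44", "192.168.10.5", 443),     # corporate -> control segment
]
```

Running `audit(SAMPLE_FLOWS)` flags the second and third records: the direct corporate-to-PLC path and the PLC-to-PLC lateral path are exactly the flows the segmentation principle is meant to prevent.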
National Cyber Security Awareness Month recognizes that even basic tools and processes can be the foundation for truly robust and resilient information security; the very first week in this year’s month was themed around ‘Every Day Steps Towards Online Safety’. Securing critical infrastructure and ensuring its resilience is undoubtedly a complex challenge – and yet the same security best practices that are effective in other sectors are equally effective in protecting these vital networks. An intelligently structured and carefully segmented network, in which each critical system and the services it controls are kept securely isolated from others, can better protect not only the organizations in charge of critical infrastructure, but also the general public.