Any government that wants to set priorities for cybersecurity should probably put its energy infrastructure close to the top.
If your electricity or fuel supplies are down, it's tough to provide just about anything else. Heat, refrigeration, water, factories, financial services, power equipment, groceries, retail, and entertainment — they all depend on the power grid.
So it is no surprise that the energy sector ranks close to the top of targets for cyber attackers. If you really want to cripple anything, from an enterprise to a nation state, take down its power infrastructure.
Another reason energy is an increasingly high-risk industry is the variety of attackers interested in it. Candid Wueest, a researcher for security firm Symantec, said in a recent report titled, "Targeted Attacks Against the Energy Sector," that miscreants ranging from so-called script kiddies to rival corporations, hacktivists with a political agenda, hostile insiders, cyber criminals out to make money through sabotage or blackmail and nation states or those acting under their sponsorship are all looking to steal proprietary information or damage the grid.
Wueest reported that there were an average of 74 targeted cyberattacks per day between July 2012 and June 2013, with the energy sector accounting for 16.3% of them, which put it in second place behind government/public sector at 25.4%.
The U.S. government's Department of Homeland Security (DHS) reported last year that its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013 — with 53% aimed at the energy sector.
There have, so far, not been any successful catastrophic attacks on the grid, and there is ongoing debate about how high the risk is for what both former Defense secretary Leon Panetta and former Homeland Security secretary Janet Napolitano called a "cyber Pearl Harbor" attack.
Some experts contend that while the risks are real and should cause concern, they are unlikely to cause catastrophic, long-term damage. Others say the nation's economy could be paralyzed for a number of months to more than a year while critical infrastructure (CI) systems are rebuilt.
Whatever the present danger, Wueest wrote that, "the increasing number of connected systems and centralized control for ICS (Industrial Control Systems) means that the risk of attacks in the future will increase. Energy and utility companies need to be aware of these risks and plan accordingly to protect their valuable information as well as their ICS or SCADA (Supervisory Control And Data Acquisition) networks."
Indeed, ICS experts like Joe Weiss, managing partner at Applied Control Solutions, have been warning for years about the risk of having not only centralized control systems, but that also having virtually all of them made by the same company – Siemens – adds to the vulnerability.
Add to that the explosion in the number of devices that connect to the power grid – whether through small power generation units like wind and solar collectors or the number of "smart" devices in individual homes – and the potential attack surface is increasing exponentially.
Edith Ramirez, chairwoman of the Federal Trade Commission (FTC), said at a conference last fall on the Internet of Things that the 3.5 billion "smart" sensors now on the network are expected to grow to trillions within the next decade.
The catastrophic breach of retailer Target between Thanksgiving and Christmas is a stark example of how protection of a central system is not enough; hackers didn't break directly into the company's POS (Point of Sale) terminals. Reportedly, they gained access through an email phishing attack on a Pennsylvania HVAC firm that did business with Target.
And in the face of all this, too many control systems are woefully unprepared to withstand the threat. ICS-CERT reported about a year ago on a series of brute force attacks on gas compressor station operators, which means those systems were Internet facing, even though there are numerous recommendations from ICS-CERT that advise against it.
Security guru Bruce Schneier, CTO at Co3 Systems, declared in a blog post this past August, that everything from consumer devices to massive industrial control systems have, "long been hackable."
Craig Heffner, a vulnerability researcher with Tactical Network Solutions, said last fall at the FTC conference that, "consumer devices typically don't have any security, at least not by today's standards."
Earlier this month, at the Kaspersky Security Analyst Summit in the Dominican Republic, Jonathan Pollet, founder of Red Tiger Security and a consultant who specializes in ICS systems told of being able to debug the control system of an amusement park ride in Texas, simply using his laptop, because a Siemens PLC was part of the control system. He needed no credentials to reconfigure the control system.
Terry McCorkle, an ICS and automation security researcher, told of being able to break into a building's automation system over the Internet, which eventually let him control everything from the building's energy system to its door locks and security cameras.
To make things even worse, ICS-CERT reported that it was difficult to analyze the attacks because logging and forensics data from the ICS network was limited or entirely non-existent.
Experts say the obvious thing to do is to take those systems off the Internet. But until that happens, there are some intermediate measures available. Eric Knapp, Director of Strategic Alliances for Wurldtech Security Technologies, said last year that if a system is incapable of producing its own log data, there are commercial security tools designed to monitor networks, systems, and behavior and have built in logging functions.
TK Keanini, CTO of Lancope said if a control system must face the Internet, "There is a concept of 'least privilege' that should be practiced. Any system or subsystem should only be granted the minimal access needed for the tasks performed."
Keanini said a lack of log data is inexcusable. "This is a design flaw and must be corrected immediately," he said. "Any and all networked devices must provide a ledger of their activity such that prior, during, and after any security related incident, there are records of the activities. The ICS ISAC (Industrial Control System Information Sharing and Analysis Center) is painfully aware of this and is trying to put together a reference architecture called SARA (Situational Awareness Reference Architecture).
"This is not rocket science and it is embarrassing that we need to argue for this functionality after the fact," he said.
But he said it may take that catastrophic attack to prompt the kind of security improvements that are needed. "As with all human behavior, it only changes when things go wrong. In fact, they have to go very wrong before system-wide change is put in place and I'm afraid we have not seen 'very wrong' yet in the energy sector."