Sophisticated cyber-attacks known as Advanced Persistent Threats (APT) are a growing challenge to the energy sector of our nation’s critical infrastructure. These attacks can largely be attributed to well-funded, dedicated nation-state actors.

APT attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. These vulnerabilities begin with the human interface (13% of vulnerabilities required local access) and end with the actual Internet-facing ICS/SCADA hardware (87% of vulnerabilities are web-accessible).

There is a firm business argument that supports the protection of ICS/SCADA. Without proper safeguards in place, continued APT attacks will cause disruption, degradation, disability, and possible destruction of costly and/or irreplaceable Energy Sector equipment and facilities. The economic impact to energy companies would be minor in comparison to the impact of a loss of electricity, natural gas, and petroleum throughout the United States.
It is in the best interest of both Energy Sector companies and the Nation to immediately plan, fund, and effectively secure ICS/SCADA from front-to-back.

Critical Infrastructure interdependencies identified by the Department of Homeland Security

Sector: short- to medium-term dependencies or interdependencies
Chemical ↔ Chemicals necessary for natural gas operations; feedstock required for operations
Commercial facilities ← Power needed to run facilities
Communications → Monitoring and controlling production and distribution response
Critical manufacturing ← Power needed to run facilities
Dams ← Electricity needed to power facilities may come from NG
DIB ← Power needed to run facilities
Emergency services ← Power needed to run facilities
Energy: electric power ↔ Some electric power generation relies on natural gas; electricity may be used to power NG operations
Energy: natural gas   N/A
Energy: petroleum ↔ Petroleum operations may rely on NG; petroleum products may be used to power NG operations (directly or indirectly)
Financial services → Data collection systems to ensure accurate billing
Food and agriculture ← Power needed to run facilities
Government facilities ↔ Power needed to run facilities; provides control, regulations and standards
Healthcare and public health ← Power needed to run facilities
IT → ICS and other data collection software
Nuclear reactors   None
Transportation: aviation   None
Transportation: mass transit   None
Transportation: motor carrier → LNG transport infrastructure
Transportation: pipeline → LNG transport infrastructure
Transportation: rail → LNG transport infrastructure
Transportation: maritime → LNG transport infrastructure
Water ← Backup generation, sludge treatment, biological efficiency and collocation

→ denotes natural gas sector's dependencies
← denotes other sector dependencies on natural gas sector
↔ denotes bidirectional interdependencies
Only operating dependencies are considered; does not consider the purchase of machinery and equipment.

The Business Argument for Securing ICS/SCADA

The major benefits of funding and supporting ICS upgrades and replacements are as follows:
- The economy and lifestyle of the United States will be preserved.
- U.S. Critical Infrastructure will be preserved and operational.
- Corporate profitability and shareholder security will be preserved.
- Corporate liability will be minimized.
- The U.S. Government will be less inclined to seek additional power and/or impose additional regulation, and therefore expense, on the Energy Sector.

Controlling human factor variables

Human Machine Interfaces (HMI) are popular attack surfaces. The use of phishing, spearphishing, and other social engineering techniques continues to provide adversaries with access to administrative and ICS/SCADA systems. In spite of the best internal training programs and monitoring, an infected vendor or associated network connection can often open the gates to attackers, even within an otherwise well-protected system. An intentional insider threat is even more difficult to anticipate, identify, and often, act upon. Employees are unlikely to identify issues with colleagues for fear of litigation, embarrassment, or loss of prestige within the company.

Training is an effective tool for reducing or eliminating human-borne attacks. A dynamic program that informs, instructs, verifies, and requires written agreement of compliance should be mandatory within all Energy Sector organizations. Instructional System Design pre-tests employees and tailors the amount/level of instruction to their needs.
Engaging training should not be entirely online or computer based; effective training should include live presenters, webinars, and case studies or practicum.

At the conclusion of training, a post-test should be administered. Passing the test with a high average indicates the lessons were internalized and, more importantly, demonstrates that the employee did indeed receive and understand the information. An employee who successfully passes the testing cannot at a later time claim “I didn’t know,” or claim ignorance if aware of a colleague’s security failures.

Security challenges
- A human operator is the most likely cause of unauthorized access, malware infection, or inadvertent damage to ICS/SCADA networks and/or equipment.
- ICS/SCADA receives information from Remote Terminal Units (RTU) which communicate via digital networks and/or radio telemetry. Networks may be compromised by malware or denial of service. Radio telemetry is a new attack surface being exploited by threats.
- Humans are required for most tasks within the Energy Sector Infrastructure. Accidents happen. Critical Infrastructure can still be disabled.
- ICS/SCADA systems are often one-off (specially created for a single purpose or industry) and operate using legacy operating systems and data links. The growth of digital networks and the inevitable Internet connection of ICS/SCADA equipment never designed for network operation continues.
- Stand-alone systems offer increased security but have economic and functional drawbacks.

ICS/SCADA systems originally were designed to operate alone, without network connection. Once networked, information is remotely requested. This human-machine communication is viewable by attackers unless precautions are taken. Secure connections, similar to the systems used in online banking, must always be established for HMI sessions to deny attackers visibility into network command, control and communications.
VPNs are a necessity for mobile, remote communication with ICS/SCADA equipment.

Other best practices to control the HMI technical threat include the use of least-privilege accounts, two-person control for critical activities, careful control of portable media, and assigning personal passwords and accounts to superusers as opposed to a general “admin” logon in order to maintain attribution for system access and changes.

It is important not to overlook interconnected networks such as vendor organizations. Lack of access controls within a third-party company may result in unauthorized persons being granted administrative privileges. These privileges, if misused or hijacked, can be used to access the primary company and achieve control via the interconnected system (as happened to Target in 2014 via an HVAC vendor). Third-party vendors may not have the resources or motivation of the primary company. External partners may be encouraged to enforce cyber-security by offering preferential contracts for those who comply or even by levying business restrictions against those who fail to meet energy sector standards for safe network operation.

SCADA/RTU Interface

Redundant, secure communication links between RTUs and the central ICS/SCADA application form the basis of a reliable, secure, and safe enterprise. The processes of power routing automation, warning systems, and production/transmission all require communication mediums that may include low-speed dial-up phone lines, medium-speed radio frequency, and high-speed, broadband wired/wireless IP.

Most RTU systems do not meet Data Encryption Standard (DES) and Advanced Encryption Standard (AES) requirements. There is an expense associated with upgrading and incorporating new RTU systems using industry standard encryption routines.
There is an even greater expense when an entire company suddenly goes black, perhaps because their ICS/SCADA security-by-obscurity policy (the vain attempt to remain safe because nobody would ever look for them) was ineffective.

Data must be encrypted, both in transmission and at rest. Data exfiltrated in encrypted form generally is useless to an attacker. Watermarks may be used to identify company data and, if data is stolen, to identify the rightful owner, simplifying the identification and prosecution of the thieves. Intrusion Detection Systems and Intrusion Prevention Systems must be configured to verify all packets as valid to deter man-in-the-middle attacks as well as to prevent unauthorized access by rogue programs.

The RTU interface may be enhanced by allowing for multiple passwords at multiple access levels. Multiple passwords support the compartmentalization of application software and ICS/SCADA hardware access control to least-privileged users. All hardware should cloak IP addresses through the use of hardware firewalls.

Organizations should maintain a non-repudiation based system, assigning a digital log-in for each and every action. An RTU must autonomously keep track of all access-related activities as well as fulfill its basic function. Always remove, disable, and rename default accounts and require the use of strong passwords. Consider the use of asymmetrically encrypted password protection and maintenance programs like LastPass.

Legacy/stand-alone design

ICS/SCADA systems have long operational lives (10+ years). With some systems up to 30 years old it is difficult not only to find replacement parts but even technicians familiar with the components and operating systems. Legacy systems often are associated with legacy communication equipment with similar issues.
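The non-repudiation requirement from the SCADA/RTU Interface section above (a log-in for every action, attributed to a personal account rather than a shared "admin" logon, kept by the RTU itself) can be demonstrated with a small hash-chained audit log. This is an added example, not code from the article or from any RTU vendor; it assumes a log key held by the RTU and uses constructed sample events.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a real RTU would hold it in protected storage.
LOG_KEY = b"example-rtu-audit-key"
GENESIS = "0" * 64  # 'prev' value of the first record


def _mac(record):
    """HMAC-SHA256 over the canonical JSON of every field except 'mac'."""
    body = {k: v for k, v in record.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def append_event(chain, user, action, ts):
    """Record one action under a named account; 'prev' chains it to the prior record."""
    record = {
        "seq": len(chain),
        "ts": ts,
        "user": user,      # personal account, never a shared 'admin' logon
        "action": action,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    record["mac"] = _mac(record)
    chain.append(record)
    return record


def verify_chain(chain, expected_head=None):
    """Return (ok, index): index is the first bad record, or len(chain) if all pass."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i                      # reordered, inserted or dropped record
        if not hmac.compare_digest(_mac(rec), rec["mac"]):
            return False, i                      # a field was edited after the fact
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)                 # tail truncated; head MAC kept off-device
    return True, len(chain)


def who_did(chain, action):
    """Attribution query: the named accounts that performed a given action."""
    return [r["user"] for r in chain if r["action"] == action]
```

Copying the latest MAC to a central historian after each event is what lets a later audit detect a truncated log as well as an edited one.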
Companies blindly continue to depend upon “security-by-obscurity.” Were this ever an effective technique, it has been defeated with tools such as the SHODAN search engine. SHODAN, instead of indexing web page content, indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. So what? An attacker could instantly discover specific devices and manufacturers by using a simple Google-like search. Obscurity is dead.

Many manufacturers have long since abandoned the support or production of legacy ICS/SCADA hardware, hardware that continues to faithfully serve. With no need for a functional replacement, the need for a secure replacement often is ignored. Developers are not willing to incur the cost for research and development on a replacement for a perhaps unique, decades-old electromechanical device, while business managers are reluctant to spend money to replace a system that still functions. This is false economy. Legacy systems cannot withstand modern attacks and APTs.

Background

Sector description
The natural gas sector includes the production, processing, transportation, distribution and storage of natural gas; liquefied natural gas (LNG) facilities; and gas control systems.
- There are more than 478,562 gas production and condensate wells and 20,215 miles of gathering pipeline in the country.
- There are almost 319,208 miles of interstate pipeline for the transmission of natural gas.
- Natural gas is distributed to homes and businesses over 1,200,000 miles of distribution pipelines.
- Most of the natural gas consumed in the United States is produced domestically.

Key concerns
- Natural Gas infrastructure is automated and controlled by utilities and regional grid operators which rely on sophisticated energy management systems.
- Many industrial control systems are connected to the internet and are vulnerable to insider cyber threats.

Critical functions
The natural gas sector produces, processes, stores, transports and delivers natural gas to consumers.

Mandiant, a U.S.-based security firm, released a report in February 2013 that disclosed a recent Chinese military-related cyber-attack on a single company with remote access to more than 60 percent of oil and gas pipelines in North America. If the attack had been intended to disable, it could have had far-reaching consequences on energy supply and the environment across the US and Canada.

Call to action

Legacy systems are not designed to function within the Internet, or to communicate securely, or to defend themselves from the above-described attacks. The energy sector must come to terms with this and accept the operating cost of upgrading or replacing legacy and unsecured systems with those that support cloaking, firewalls, encryption, and other self-defense measures.

It is not unusual for energy sector partners to experience multiple millions of probes or attacks in a single day. One electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity; the attacker only has to be lucky once. You, as the defender, must be perfect every time.

The loss of even short-term energy sector capability could be devastating for the lives of all U.S. citizens.
Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control.

No longer is the question, “Can we afford the equipment?” The question has become, “When my industry becomes incapacitated in a cyber-attack, who will the public blame? Who will find their names in the newspaper? Who stands to lose everything?” The answer is, you and your company.

Colonel Bryk retired from the USAF after a 30-year career, last serving as an Air Attaché (military diplomat) in Central Europe. He holds an MBA from the University of North Dakota and hopes to combine that knowledge with his upcoming MS in Cybersecurity in order to protect our Critical Infrastructure.