Sophisticated cyber-attacks known as Advanced Persistent Threats (APT) are a growing challenge to the energy sector of our nation's critical infrastructure. These attacks can largely be attributed to well-funded, dedicated nation-state actors. APT attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. The vulnerabilities begin with the human interface (13% of reported vulnerabilities required local access) and end with the Internet-facing ICS/SCADA hardware itself (87% were web-accessible).

There is a firm business argument for protecting ICS/SCADA. Without proper safeguards in place, continued APT attacks will cause disruption, degradation, disabling, and possibly destruction of costly and/or irreplaceable Energy Sector equipment and facilities. Even so, the economic impact to energy companies would be minor compared with the impact of a loss of electricity, natural gas, and petroleum throughout the United States.
It is in the best interest of both Energy Sector companies and the Nation to immediately plan, fund, and effectively secure ICS/SCADA from front to back.

Critical Infrastructure interdependencies identified by the Department of Homeland Security (natural gas sector)

Sector | Direction | Short- to medium-term dependencies or interdependencies
Chemical | ↔ | Chemicals necessary for natural gas operations; feedstock required for operations
Commercial facilities | ← | Power needed to run facilities
Communications | → | Monitoring and controlling production and distribution response
Critical manufacturing | ← | Power needed to run facilities
Dams | ← | Electricity needed to power facilities may come from NG
DIB (Defense Industrial Base) | ← | Power needed to run facilities
Emergency services | ← | Power needed to run facilities
Energy: electric power | ↔ | Some electric power generation relies on natural gas; electricity may be used to power NG operations
Energy: natural gas | N/A |
Energy: petroleum | ↔ | Petroleum operations may rely on NG; petroleum products may be used to power NG operations (directly or indirectly)
Financial services | → | Data collection systems to ensure accurate billing
Food and agriculture | ← | Power needed to run facilities
Government facilities | ↔ | Power needed to run facilities; provides control, regulations and standards
Healthcare and public health | ← | Power needed to run facilities
IT | → | ICS and other data collection software
Nuclear reactors | None |
Transportation: aviation | None |
Transportation: mass transit | None |
Transportation: motor carrier | → | LNG transport infrastructure
Transportation: pipeline | → | LNG transport infrastructure
Transportation: rail | → | LNG transport infrastructure
Transportation: maritime | → | LNG transport infrastructure
Water | ← | Backup generation, sludge treatment, biological efficiency and collocation

Legend: → denotes the natural gas sector's dependencies; ← denotes other sectors' dependencies on the natural gas sector; ↔ denotes bidirectional interdependencies. Only operating dependencies are considered; the purchase of machinery and equipment is not.

Controlling human factor variables

Human Machine Interfaces (HMI) are popular attack surfaces. Phishing, spearphishing, and other social engineering techniques continue to give adversaries access to administrative and ICS/SCADA systems. In spite of the best internal training programs and monitoring, an infected vendor or connected partner network can open the gates to attackers, even within an otherwise well-protected system. An intentional insider threat is even harder to anticipate, identify, and act upon: employees are unlikely to report concerns about colleagues for fear of litigation, embarrassment, or loss of standing within the company.

Training is an effective tool for reducing human-borne attacks. A dynamic program that informs, instructs, verifies, and requires written agreement of compliance should be mandatory within every Energy Sector organization. Instructional System Design pre-tests employees and tailors the amount and level of instruction to their needs. Engaging training should not be entirely online or computer based; effective training includes live presenters, webinars, and case studies or practicum. At the conclusion of training, a post-test should be administered. Passing the test with a high score indicates the lessons were internalized and, more importantly, documents that the employee received and understood the information. An employee who has passed cannot later claim "I didn't know," or plead ignorance when aware of a colleague's security failures.

ICS/SCADA systems were originally designed to operate in isolation, without a network connection. Once networked, information is requested remotely, and this human-to-machine traffic is visible to attackers unless precautions are taken.
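The precautions this section and the following one on the RTU interface call for (command traffic that a man-in-the-middle cannot alter or replay, least-privilege named accounts instead of a shared admin login, and a non-repudiation log of every action) can be shown concretely. The Python below is an added example written for this page, not code from the article or from any vendor product; the operator names, roles, keys and frame format are constructed for illustration, and HMAC-SHA256 over a JSON body stands in for whatever authenticated transport (TLS, DNP3 Secure Authentication) a real deployment would use.

```python
"""Authenticated, attributable RTU command channel (added example).

Each named operator holds a private HMAC key; every command is signed,
carries a sequence number, is checked against the operator's role, and is
recorded in a hash-chained audit log that cannot be altered unnoticed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data: per-operator keys provisioned out of band.
# In production they belong in an HSM or key vault, never in source.
OPERATOR_KEYS = {
    "alice": secrets.token_bytes(32),   # superuser with a personal account
    "bob": secrets.token_bytes(32),     # read-only operator
}
# Least privilege: the actions each named account may issue (constructed).
ROLES = {
    "alice": {"read_status", "set_breaker"},
    "bob": {"read_status"},
}


def sign_command(operator, seq, action, params):
    """Build a frame `<json body>.<hex HMAC-SHA256 tag>` for one command."""
    body = json.dumps(
        {"op": operator, "seq": seq, "action": action, "params": params},
        sort_keys=True,
    ).encode()
    tag = hmac.new(OPERATOR_KEYS[operator], body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


class RTU:
    """Receiving side: verify, de-duplicate, authorize and log every frame."""

    def __init__(self):
        self.last_seq = {}          # highest accepted sequence number per operator
        self.audit = []             # list of (entry, entry_hash), append-only
        self.prev_hash = "0" * 64   # chain anchor

    def _log(self, verdict, operator, body):
        entry = {
            "prev": self.prev_hash,
            "verdict": verdict,
            "operator": operator,
            "body": body.decode(errors="replace"),
        }
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append((entry, digest))
        self.prev_hash = digest

    def receive(self, frame):
        body, _, tag = frame.rpartition(b".")
        try:
            msg = json.loads(body)
            operator, seq, action = str(msg["op"]), int(msg["seq"]), str(msg["action"])
        except (ValueError, KeyError, TypeError):
            self._log("reject:malformed", None, body)
            return "reject:malformed"
        key = OPERATOR_KEYS.get(operator)
        if key is None:
            self._log("reject:unknown-operator", operator, body)
            return "reject:unknown-operator"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time compare: a tampered or injected frame fails here.
        if not hmac.compare_digest(expected, tag):
            self._log("reject:bad-mac", operator, body)
            return "reject:bad-mac"
        # Replay protection: sequence numbers must strictly increase.
        if seq <= self.last_seq.get(operator, 0):
            self._log("reject:replay", operator, body)
            return "reject:replay"
        self.last_seq[operator] = seq
        if action not in ROLES.get(operator, set()):
            self._log("reject:unauthorized", operator, body)
            return "reject:unauthorized"
        self._log("accept", operator, body)
        return "accept"

    def verify_audit(self):
        """Recompute the hash chain; False if any entry was edited or removed."""
        prev = "0" * 64
        for entry, digest in self.audit:
            if entry["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest() != digest:
                return False
            prev = digest
        return prev == self.prev_hash


def demo():
    """Drive the RTU through the cases the text describes; return the verdicts."""
    rtu = RTU()
    good = sign_command("alice", 1, "set_breaker", {"id": "BRK-7", "state": "open"})
    tampered = good.replace(b'"open"', b'"shut"')   # in-path modification
    results = {
        "good": rtu.receive(good),
        "tampered": rtu.receive(tampered),
        "replayed": rtu.receive(good),
        "escalation": rtu.receive(sign_command("bob", 1, "set_breaker", {"id": "BRK-7"})),
        "garbage": rtu.receive(b"not a frame"),
        "audit_intact": rtu.verify_audit(),
    }
    rtu.audit[0][0]["verdict"] = "reject:bad-mac"    # an insider edits the log
    results["audit_after_edit"] = rtu.verify_audit()
    return results
```

Calling demo() exercises the cases in the text: a valid command is accepted; the same frame altered in transit fails the MAC check; the original frame replayed is rejected by the sequence counter; a read-only operator issuing a control command is refused, and the refusal is logged under that operator's name; and after someone edits an audit entry, verify_audit() returns False. Keys are generated at import time so the example runs offline; in a real RTU they would be provisioned per device and per operator.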
Secure connections, similar to those used in online banking (TLS), must always be established for HMI sessions to deny attackers visibility into network command, control and communications. VPNs are a necessity for mobile and remote communication with ICS/SCADA equipment.

Other best practices for controlling the HMI technical threat include least-privilege accounts, two-person control for critical activities, careful control of portable media, and personal accounts and passwords for superusers instead of a shared "admin" logon, so that every system access and change can be attributed to an individual.

Do not overlook interconnected networks such as vendor organizations. Lax access control within a third-party company may result in unauthorized persons being granted administrative privileges; if misused or hijacked, those privileges can be used to reach the primary company and gain control through the interconnection (as happened to Target in late 2013, via credentials stolen from an HVAC vendor). Third-party vendors may not have the resources or motivation of the primary company. External partners can be encouraged to enforce cyber-security through preferential contracts for those who comply, or through business restrictions against those who fail to meet energy sector standards for safe network operation.

SCADA/RTU Interface

Redundant, secure communication links between Remote Terminal Units (RTUs) and the central ICS/SCADA application form the basis of a reliable, secure, and safe enterprise. Power routing automation, warning systems, and production/transmission all require communication media that may include low-speed dial-up phone lines, medium-speed radio frequency links, and high-speed broadband wired/wireless IP. Most RTU systems in service do not support standard encryption such as AES (and DES, where it is offered, is itself obsolete and should not be relied upon). There is an expense associated with upgrading to, and integrating, RTU systems that use industry-standard encryption.
There is an even greater expense when an entire company suddenly goes dark, perhaps because its ICS/SCADA security-by-obscurity policy (the vain hope of staying safe because nobody would ever look) proved ineffective.

Data must be encrypted both in transmission and at rest. Data exfiltrated in encrypted form is generally useless to an attacker, provided the keys were not taken with it. Watermarks can identify company data and, if data is stolen, establish the rightful owner, simplifying identification and prosecution of the thieves; they do not prevent the theft. Intrusion Detection and Intrusion Prevention Systems should flag anomalous traffic and rogue programs, but deterring man-in-the-middle attacks requires that every packet be authenticated, for example with TLS or protocol-level message authentication such as DNP3 Secure Authentication, so that tampered or injected commands are rejected rather than merely noticed.

The RTU interface may be enhanced by supporting multiple credentials at multiple access levels, which compartmentalizes application software and ICS/SCADA hardware access among least-privileged users. Control-system hardware should not be directly reachable from the Internet; place it behind firewalls so that device addresses are not exposed. Organizations should maintain a non-repudiation based system that assigns a digitally logged identity to each and every action: an RTU must autonomously record all access-related activity as well as fulfill its basic function. Always remove or disable default accounts (or at minimum rename them) and require strong passwords. Consider a password manager such as LastPass, which encrypts the credential vault client-side with a key derived from a strong master password.

Legacy/stand alone design

ICS/SCADA systems have long operational lives (10+ years). With some systems up to 30 years old, it is difficult to find not only replacement parts but even technicians familiar with the components and operating systems. Legacy systems are often paired with legacy communication equipment that has the same problems. Companies blindly continue to depend upon "security-by-obscurity." If this was ever an effective technique, it has been defeated by tools such as the SHODAN search engine.
SHODAN, instead of indexing web page content, indexes the banners returned by services such as HTTP, SSH, FTP, and SNMP across a large portion of the Internet's IP address space. So what? An attacker can instantly discover specific devices and manufacturers with a simple Google-like search. Obscurity is dead.

Many manufacturers have long since abandoned support or production of legacy ICS/SCADA hardware that continues to serve faithfully. With no need for a functional replacement, the need for a secure replacement is often ignored. Developers are unwilling to incur research and development costs for a replacement for a perhaps unique, decades-old electromechanical device, while business managers are reluctant to spend money replacing a system that still functions. This is false economy: legacy systems cannot withstand modern attacks and APTs.

Mandiant, a U.S.-based security firm, released a report in February 2013 disclosing a Chinese military-related cyber-attack on a single company with remote access to more than 60 percent of oil and gas pipelines in North America. Had the attack been intended to disable, it could have had far-reaching consequences for energy supply and the environment across the US and Canada.

Call to action

Legacy systems were not designed to function on the Internet, to communicate securely, or to defend themselves from the attacks described above. The energy sector must come to terms with this and accept the operating cost of upgrading or replacing legacy and unsecured systems with ones that support cloaking, firewalls, encryption, and other self-defense measures.

It is not unusual for energy sector partners to experience millions of probes or attacks in a single day; one electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity: the attacker only has to be lucky once.
You, as the defender, must be perfect every time.

The loss of even short-term energy sector capability could be devastating to the lives of all U.S. citizens. Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control. The question is no longer "Can we afford the equipment?" It has become "When my industry is incapacitated in a cyber-attack, who will the public blame? Whose names will be in the newspaper? Who stands to lose everything?" The answer is: you and your company.

Colonel Bryk retired from the USAF after a 30-year career, last serving as an Air Attaché (military diplomat) in Central Europe. He holds an MBA from the University of North Dakota and hopes to combine that knowledge with his upcoming MS in Cybersecurity in order to protect our Critical Infrastructure.