Assessing and Addressing Risk to Internet-Connected Critical Infrastructure

Advancing communications technology has brought real benefit to utilities of all kinds.  Connectivity allows utilities to gather data from remote industrial control systems, communications devices, and even passive equipment and other ‘things’ as part of the Internet of Things (IoT). This data creates valuable information for greater automation and efficiency, as well as improved customer service.

While this growing connectivity provides significant advantages, it also brings new challenges as networks become more interrelated and automated. From rural cooperatives to public and private power companies, utilities must be aware of the threats posed by cyberattacks in today’s hyper-connected era.

Is My Utility at Risk?

Hackers are constantly attempting to gather sensitive information, such as which SCADA systems are exposed to the Internet using tools such as Shodan. In fact, your SCADA systems and other critical infrastructure may already be at risk through inadvertent connections to the Internet. Even though the number of attacks on SCADA systems are much fewer compared to IT systems, hackers are always looking for easy targets. For example, note the unprecedented attack on a Ukrainian power company by hacker group BlackEnergy APT in 2015. This was the first confirmed attack to take the down an entire power grid.

The software we use to communicate with SCADA systems, IoT sensors and other connected devices makes our work day simpler and more efficient. However, unsecured services, such as management interfaces built into your computer operating system, may be exposing connected devices to vulnerabilities through insecure legacy clear text protocols such as telnet, file transfer protocol (FTP) and remote copy protocol (RCP). Once these protocols are spoofed by hackers in your corporate network, they are one step closer to your SCADA network.

On the SCADA side, protocols such as Common Industrial Protocol (CIP) that are used to unify data transfer have vulnerabilities for threats such as man-in-the-middle attacks, denial-of-service attacks and authentication attacks, etc. Although vendors release upgrades and patches from time to time to address these security vulnerabilities, the very nature of critical infrastructure means that many utilities are reluctant to take it offline to apply security patch updates.

While these legacy protocols have served us well for many years, they were not designed to withstand increasingly sophisticated cyberattacks. For example, legacy systems can be exposed to threats due to default passwords that don’t require updates, or unencrypted transmission of user names and passwords over the Internet. These systems may be unable to run the latest security tools if they are based on outdated standards.

Consequently, many utilities are unaware of the risks to critical infrastructure, exposing employees and the community at large risk of intentional or accidental harm.

How do I Mitigate my Risk?

You can, however, protect critical infrastructure from vulnerabilities. First and foremost, ensure that your network is protected from less secure networks so that SCADA devices and other critical infrastructure are not exposed to the Internet.

Many guidelines and recommendations are available to mitigate security vulnerabilities. Some of the more important ones are:

1. Establish a network protection strategy based on the defense-in-depth principle.
2. Identify all SCADA networks and establish different security levels (zones) in the network architecture. Use security controls such as firewalls to separate them.
3. Evaluate and strengthen existing controls and establish strong controls over backdoor access into the SCADA network.
4. Replace default log-in credentials. If a SCADA device doesn’t allow you to change the default password, notify the vendor or look for a device elsewhere with better security. If you have to install a device with default login credentials which you cannot change, ensure that defense-in-depth based security controls are in place to secure the device.
5. Avoid exposing SCADA devices to the Internet, since every connection can be a possible attack path. Run security scans to discover Internet-exposed SCADA devices and investigate if/why those connections are needed. If a field engineer or the device manufacturer needs remote login access, implement a secure connection with a strong two-factor authentication mechanism.
6. Conduct regular security assessments, penetration testing and address common findings such as missing security patches, insecure legacy protocols, insecure connections, SCADA traffic in corporate networks, default accounts, failed login attempts, and missing ongoing risk management process, etc.
7. Work with device vendors to routinely solve device security issues such as update firmware and security patches. Ensure you are on their email list to get notifications for available security patches.
8. Establish system backups and disaster recovery plans.
9. Perform real-time security monitoring of IoT and SCADA devices on a 24/7 basis, along with the implementation of an intrusion detection system to identify unexpected security events, changed behaviors and network anomalies.
10. Finally, if you don’t have security policies for both your corporate and SCADA network currently, take the lead, be a champion and work with your management to develop an effective cybersecurity program.
11. Stay informed about security in the utility industry. Events such as DistribuTECH, where Fujitsu will be exhibiting, offer plenty of opportunities to learn more about this critical topic.

If you operate a generation and transmission cooperative, be advised that you are obligated to comply with North American Electric Reliability Corporation (NERC) rules, and failure to do so can result in huge penalties. Identifying your compliance obligations is a critical task, especially since NERC rules are created to secure your network.

For some utilities, particularly small rural electric cooperatives, the idea of a serious security threat to their essential infrastructure may sound far-fetched, like the plot to an action movie. However, it’s important to note that the biggest security risk is not necessarily a targeted attempt to physically destroy your equipment. A random malware attack is much more likely than a cyberterrorist, but this can devastate your critical infrastructure systems all the same, potentially causing significant damage and harming the public.