Cyber Attacks on Operational Technology – What is the real cost of a solution?
Hacking and Defending
The City of Dawson Creek, the City of Cranbrook, the Municipality of Whistler, the District of Summerland, the City of Campbell River, the District of West Vancouver, the BC government… These are a few of the BC organizations that have made the news over the last couple of years by being victims of cyber-attacks or “hacking”. And the list goes on, and the cyber-attacks continue.
Hacking is easy. In the same way that a photographer can download and install “plugins” for Photoshop software, hackers can download and install “exploit modules” for Metasploit software. These free exploit modules or “exploit plugins” take advantage of well-known vulnerabilities in the software that you use in your home, your office, and your plant. They could allow unskilled hackers to gain access to your computers, your data, and your plant operations. But as demonstrated by the recent Florida Water Treatment system hack, it can be even easier than that.
Defending against hackers isn’t quite as easy as hacking. Ideally your systems will be “secure by design”, but today that’s not common with Industrial Automation Control Systems (IACS). Most IACS have been in place for some time and were not designed to be secure. But whether your systems are legacy, or you’ve modernized them, it’s a never-ending job: you need to keep your guard up constantly and you need to continuously review and revise your defenses. And while it’s true that you get what you pay for, cybersecurity defenses cost no more than you’re willing to spend. And in some cases, the cost of significant improvements might surprise you.
The Florida Water Treatment System Hack
One news story that everyone has surely heard of by now took place in a water treatment system in Oldsmar, Florida, a small town of about 14,000 residents. A hacker took control of the sodium hydroxide level, adjusting it to more than 100 times the normal level. Whether the hacker made this adjustment randomly, for their amusement, or whether they intended to do harm, it’s hard to know. But clearly, it was (and is) a cause for concern.
The operator noticed the intrusion the second time it happened, and so the facility was able to stop the attack, and prevent any harm to health, safety, and environment. It turned out that the intruder had accessed the system through TeamViewer software, a common method of providing remote access for support and operations personnel. But the plant’s use of the TeamViewer software had been discontinued several months prior to the event, but the software was not removed from the system as it should have been.
In terms of a “hack”, this intrusion barely fits the definition. There may have been no vulnerability exploited at all, other than a leaked password. The skill level required by the attacker may have been ridiculously low. The attack succeeded because the level of defense was also ridiculously low.
Most of the cybersecurity incidents that make the news involve the use of remote access services to gain unauthorized access to the plant systems. So why not just get rid of remote access? We need it, of course: to respond to alarms without having to get in the truck; to get assistance from remote technicians and engineers; to keep us assured that everything is okay.
Remote access and modern networking technologies are here to stay. If the risks that they present you are higher than you can afford, it’s because they’ve been implemented without regard to your risk tolerance, without an assessment of the risk they present to your plant and without an overall “secure by design” approach to engineering and securing your critical infrastructure.
Remote access can be implemented securely. International standards such as the ISA/IEC 62443 series of industrial cybersecurity standards clearly define requirements, potential mitigation, and processes for designing and implementing a remote access system that is safe and secure. Ask your integrator or control systems vendor about these international cybersecurity standards, how they meet them, and how they can help you meet them.
The Cyber-Physical Nature of Operational Technology
Operational Technology (OT) is different from Information Technology (IT). We’ve all heard that before, and if you work in a plant, you know the difference first-hand. No-one became ill after credit card information was stolen from Target. There was no environmental damage resulting from malware inserted into the SolarWinds network management software.
But when hackers start changing the lye dosing level of a water treatment centre, and when they start attempting to disable safety systems, stop Ultraviolet (UV) and chlorination processes, we have a different problem. Health, safety, and environmental concerns are the domain of OT, and they are our most important concerns. Hackers have already started to focus on industrial systems – check the web site “shodan.io”, which lists sites exposed to the internet. Click the “explore” tab and see the top featured category: “Industrial Control Systems”. You should be concerned about the health, safety, and environment of any system listed on this site. What will happen when a nation state takes offence to a political move by Canada? A real solution is needed.
The Real Cost of the Real Solution
Asking “How much does it cost to implement an effective Cyber Security Management System (CSMS)?” is like asking “How long is a piece of string?”. If you knew the string was going to be used as a shoelace for your running shoe, you could give you a good estimate. If you knew the Cybersecurity Requirements Specifications for your plant, along with inventories, drawings, and related documents, you could get a good estimate for the CSMS implementation too.
So how do you determine the real solution, and the real cost of defending your plant? The genuine answer to that question would come from an industrial cybersecurity risk assessment. The risk assessment process prescribed by the ISA/IEC 62443 standard delivers a risk-focused plan to ensure that the risks that you face are tolerable by your own measures.
The result of such an assessment will provide you with an actionable plan that will ensure your plant is as secure as you need it to be, or at least as secure as you would afford it to be. The assessment would recommend a plan to implement a Cyber Security Management System (CSMS) as well. The CSMS would provide a framework for cybersecurity education, assessment reviews, monitoring and management of the overall processes needed to ensure you stay secure.
This risk-focused approach works well for your modernization initiatives as well. A “Risk-Based Modernization” strategy looks not at modernizing the most outdated equipment in your plant, but instead at those areas that are of highest risk, in engineering terms, and which would benefit the most from modernization efforts and funds.
How to Improve Your Cybersecurity Posture on a Budget
Here are some things that Florida plant operations and management team could have done, at little or no cost, to prevent that attack from being successful, or from even occurring in the first place:
- Remove the unused TeamViewer software from the computer
- Do a better job of managing passwords – use complex passwords, use a password manager, use passphrases instead of passwords
- Use two-factor authentication
- Disable remote access except when required for support or maintenance
If you want to immediately improve on your plant’s cybersecurity posture, my recommendation always is to start with an ISA/IEC industrial cybersecurity risk assessment. But on a limited budget, you would be well served to address these four areas first:
- Ensure that all passwords on all IACS equipment (PLCs, SCADA systems, network equipment) is set to a complex password or passphrase and is NOT the manufacturer’s default password.
- Establish an accurate inventory of all the IACS equipment (you can’t protect what you don’t know you own).
- Review firmware levels of all equipment and update firmware for any equipment that has not been updated in the last 6 months (ideally you would check for vulnerabilities in published databases, but these recommendations are about a limited budget).
- Examine your remote access solution and seek guidance from a cybersecurity expert to assess the solution and to minimize your chances of being the next cybersecurity news story.
- Rob Wilson, ISA 62443 Industrial Cybersecurity Expert