In today’s world, the Internet plays a significant role in enabling communications, monitoring, operations and business systems fundamental to much of any country’s critical infrastructures.
There can be little doubt that cyber-attacks are increasing in frequency and that their consequent impacts are becoming more severe. Hackers are becoming more organised and better funded, and attempts to break into networks, applications and databases are increasingly determined. The confidential information, intellectual property (IP) and employee/customer data held on these systems can be extremely lucrative and hence attractive to those with criminal intent. Hackers’ points of entry also continue to expand as the traditional network perimeter dissolves, with more applications and data moving to the cloud. Furthermore, multinational entities must deal with the complexities of diverse (or non-existent) regulatory requirements in the many countries in which they operate.
Thus, in a constantly evolving technological environment, coordinated cybersecurity research and development (R&D) is essential to enhance situational awareness and provide much-needed technical assistance. The consequent development and adoption of best practices in terms of technologies, tools and techniques can only serve to reduce, or perhaps even eliminate, the risks posed by cyber-attacks. Although no cyber-attack to date has had a national impact on critical infrastructure, previous attacks have certainly demonstrated that extensive vulnerabilities exist in current information systems and networks; hence, the potential to cause serious damage remains a distinct possibility.
Utilities, considering their national and regional footprints, unfortunately constitute an attractive target for any would-be saboteur, especially those linked to radical political and/or religious extremist groups. The potential to wreak havoc through the disruption of real-time systems poses a serious risk, and it is thus crucial that these systems remain adequately protected. Cybersecurity R&D is most certainly a key aspect of ensuring that all operational and business systems remain fully functional 24/7. However, since it is highly unlikely that any utility would implement a cybersecurity R&D programme of its own, it is imperative that emphasis be placed upon suppliers and government institutions to ensure that the built-in protection they provide continues to evolve to guard effectively against new threats.
R&D areas for information infrastructure protection
The Institute for Information Infrastructure Protection (I3P) – a consortium comprising 18 academic research centres, five national laboratories, and three non-profit research organisations based in the US – is a key player in the field of cybersecurity research and development. The I3P has identified the following topics where additional or new R&D is required.
Enterprise security management (ESM). Although each part of information infrastructure may be owned by organisations and individuals, these remain interconnected. Thus, the ESM challenge is to integrate diverse security mechanisms into a coherent capability, which can manage access and utilisation of enterprise resources, monitor behaviour and detect and respond to suspicious or unacceptable behaviour.
Trust among distributed autonomous parties. Entities, individuals, organisations, software and devices need to establish relationships dynamically and without recourse to a central authority or previously determined trusted third party. Existing research, particularly in terms of the techniques entities use to establish trust in the security of other entities, is expected to address many of the needs articulated by enterprise users.
Discovery and analysis of security properties and vulnerabilities. Products and systems commonly include vulnerabilities and inadequately understood security properties. Moreover, the security properties of a system or subsystem cannot be derived or deduced from those of its components, and emergent properties of large-scale systems are difficult to describe, much less predict. Considerable effort has been applied to the problem of ensuring the presence of desired security properties and preventing (or determining the presence of) vulnerabilities. The need is acute for ways to determine, throughout a product or system’s life cycle (development, integration, update and maintenance, decommissioning or replacement of components), whether exploitable defects have been introduced or unanticipated security properties have emerged or escalated. Research is needed into techniques, embodied in tools to ensure their utility, to analyse code, devices and systems in dynamic and large-scale environments.
Secure system and network response and recovery. The proliferation in the number and types of computing devices has increased the size and complexity of the information infrastructure. Response to and recovery from attacks against such multifaceted systems are hindered by this inherent complexity. The prospect of surviving attacks, and of making intrusion detection systems more proactive, has driven research into secure response and recovery. Current research, however, does not adequately address the issues of scale, coordination across different administrative and policy domains, or coordination across the highly diverse systems that are the hallmarks of information infrastructure protection. Research needs thus remain in the areas of prediction or pre-incident detection, as well as recovery and reconstitution for systems of systems.
Traceback, identification and forensics. During and after an attack, organisations should have access to reliable information to determine and implement an appropriate response. Research is needed into capabilities that enable responders to trace back, or identify, the source location of the attack; to identify the individual, group or organisation originating the attack; and to determine the actual nature of the attack.
Wireless security. Wireless technologies are increasingly being deployed across enterprise systems and critical infrastructure sectors. This is not only pertinent to telecommunications networks, but is becoming more prevalent amongst an increasingly diverse set of end devices such as sensors, process controllers and information appliances for home and business applications.
Metrics and models. Decision makers need a clear and defensible basis for making investment decisions that can be related to organisational missions and strategies. That basis should be founded on rigorous and generally accepted models and metrics for cybersecurity. Research is needed to provide a foundation of data regarding current investment and risk levels and is also needed to define metrics that express the costs, benefits and impacts of security controls.
Law, policy and economic issues. Decisions that impact on the security posture of information systems cannot be made in a poorly understood context of economic factors, laws, regulations and government policies. Research into the structure of the market, and to determine how changes in laws, policy and economic conditions, as well as technology, affect one another is thus needed.
Similarly, the INFOSEC Research Council (an informal organisation of US government programme managers who sponsor information security research within the US government) has identified 11 topics as the hardest and most critical challenges that must be addressed to protect information systems and networks into the future. These ‘hard problems’ are listed below.
1. Scalable trustworthy systems (including system architectures and requisite development methodology)
2. Enterprise-level metrics (including measures of overall system trustworthiness)
3. System evaluation life cycle (including approaches for sufficient assurance)
4. Combating insider threats
5. Combating malware and botnets
6. Global-scale identity management
7. Survivability of time-critical systems
8. Situational understanding and attack attribution
9. Provenance (relating to information, systems, and hardware)
10. Privacy-aware security
11. Usable security
The INFOSEC cyber research roadmap, published in 2009, identifies critical needs, gaps in research and research agenda appropriate for near, medium and long-term attention relating to these topics.
Three core challenging areas
Cybersecurity challenges facing corporates and critical infrastructure providers (including electricity, water and gas utilities) are highlighted in an I3P forum report published in 2009. This report targets three discrete areas, viz. economics, physical infrastructure and human behaviour, which are discussed below. Even though some common threads are evident, the risks relating to each area can be considered independently.
Economics. Businesses, supply chains and financial institutions are all heavily dependent upon information technology (IT) systems. Unfortunately, these are mostly neither entirely reliable nor fully secure. The lack of security in the US (and worldwide) is significant, and economic losses attributed to IT attacks are thus reaching a magnitude that could affect US economic security. Globalisation has also had an impact upon security: multinational companies are continually hampered by conflicting or non-existent regulations, cultural differences and varying degrees of technological maturity. A research and development agenda has been identified that would address market and regulatory impediments, ensure that security is built into products and processes, and develop national and international doctrines for information security.
Physical infrastructure. Computer-based control systems run much of a nation’s physical infrastructure, including critical operations such as electricity delivery, telecommunications networks, oil and gas production and distribution, and water purification and distribution. Since these systems are increasingly being connected to the Internet, vulnerability to cyber disruption is a very real concern. A utility should therefore avoid at all costs connecting its industrial control systems (ICS) directly to the Internet. Remote access to ICS, if it is needed at all, should be implemented via an authenticated entry point on the enterprise side, followed by a tightly controlled traversal to the ICS through firewalls, demilitarised zones (DMZs) and similar controls, so that no session from outside terminates directly on a control device. This becomes a critical issue as utilities increasingly use data-driven decisions, made on the enterprise IT network, to alter the operation of operational technology (OT) devices. R&D objectives here should thus be directed at the effective isolation of control networks.
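The enterprise-to-DMZ-to-control traversal described above can be checked mechanically against a firewall ruleset. The following is an added example, not code from the article or from AUTC: it models rules as (source zone, destination zone, port, action) tuples and flags any permitted inbound flow that skips a layer, plus any control-side host allowed to initiate sessions to the Internet. The zone names, the rule format and both rule sets are assumptions constructed for illustration; the weak set reflects the "engineering PCs talk straight to the PLCs" pattern the article warns against, and the hardened set routes every remote session through a jump host in the DMZ.

```python
"""Ruleset audit for the enterprise -> DMZ -> control traversal.

Added example (not from the article or AUTC). The zone names, rule format and
both rule sets below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Inbound direction of trust: each hop may only step one layer toward control.
ZONE_RANK = {"internet": 0, "enterprise": 1, "dmz": 2, "control": 3}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int      # TCP port the rule permits (0 = any, used for deny rules)
    action: str        # "allow" or "deny"
    note: str = ""


def audit_rules(rules):
    """Return a list of findings; an empty list means the ruleset keeps the
    enterprise/DMZ/control layering intact."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ZONE_RANK[r.src_zone], ZONE_RANK[r.dst_zone]
        # Inbound flow that skips a layer (e.g. enterprise -> control, or
        # internet -> anything beyond the enterprise entry point).
        if dst > src + 1:
            skipped = list(ZONE_RANK)[src + 1]
            findings.append(
                f"{r.src_zone}->{r.dst_zone}:{r.dst_port} skips the "
                f"{skipped} layer ({r.note})")
        # Control-side hosts must never initiate sessions to the Internet.
        if r.src_zone == "control" and r.dst_zone == "internet":
            findings.append(
                f"control->internet:{r.dst_port} gives control devices an "
                f"outbound Internet path ({r.note})")
    return findings


# Weak ruleset (constructed): engineers reach PLCs straight from the office LAN,
# and a historian on the control network pushes data to a cloud endpoint.
WEAK_RULES = [
    Rule("internet", "enterprise", 443, "allow", "VPN concentrator"),
    Rule("enterprise", "control", 502, "allow", "Modbus/TCP from engineering PCs"),
    Rule("enterprise", "control", 3389, "allow", "RDP to HMI"),
    Rule("control", "internet", 443, "allow", "historian cloud upload"),
]

# Hardened ruleset (constructed): the VPN lands on the enterprise side, users
# hop to a jump host in the DMZ, only the jump host may reach the control
# network, and the historian replica in the DMZ is fed from the control side.
HARDENED_RULES = [
    Rule("internet", "enterprise", 443, "allow", "VPN concentrator"),
    Rule("enterprise", "dmz", 22, "allow", "SSH to jump host (MFA)"),
    Rule("dmz", "control", 3389, "allow", "jump host -> HMI"),
    Rule("control", "dmz", 5432, "allow", "PLC data to DMZ historian replica"),
    Rule("enterprise", "control", 0, "deny", "explicit default deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules) or "no findings")
```

Run against a real ruleset, the zone of each address range has to come from the firewall's own object definitions; the check itself stays the same, and it is cheap enough to run on every change so that a "temporary" enterprise-to-control allow rule is caught before it becomes permanent.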
Although data confidentiality remains a crucial aspect for government and corporate entities, it is not typically the primary concern for the real-time control systems operated by utilities, since it is not required to achieve operational objectives. Real-time data from process control systems must first and foremost be available; thereafter its integrity must be preserved. Hence, cryptography in control networks is applied primarily to protect integrity, through message authentication codes or digital signatures, rather than to hide data (encryption on its own does not detect tampering). The premise that “the lights stay on and nobody dies” must surely remain the paramount security objective of every utility.
Human behaviour. Human behaviour is regarded as perhaps the most challenging and vulnerable of the three areas considered. Even the most effective security technologies can be thwarted by employees, business partners, customers and others using information systems and networks. Thus, people very often constitute the weakest link in the security chain. Security technologies and policies may be difficult to use or understand and hence are very likely to be regarded as a hindrance. In addition, the workplace is normally a social environment in which people are influenced by peers and by online social media. Considering these and other factors, the following research and development priorities have been identified:
• Apply well known social-science protocols to the development of an effective security culture,
• support the creation and implementation of motivation-based strategies for the prevention and remediation of human-induced error,
• design security technologies based on the principles of good human-computer interaction to maximise user compliance, and
• design curricula and outreach programmes that will ensure the workforce of the future is equipped with an awareness of (and respect for) cybersecurity.
Areas of growing concern
Cybersecurity is an ever-evolving environment and the current areas of growing concern include the following:
• Insider threats: This is perhaps the most difficult category, since the perpetrators are already inside the organisation and can take advantage of access to corporate information.
• Persistent targeted threats: These are sophisticated threats targeting proprietary or sensitive information, often through subtle means such as forged e-mail messages or the exploitation of a series of individually innocuous vulnerabilities.
• Supply chain threats: In addition to the vulnerability of supply chains to direct IT security attacks, the danger of counterfeit or tampered computer hardware and software provided by vendors and suppliers, often based overseas, has already made headlines.
• Attacks against data: While great emphasis has been placed on securing data in transit, defending stored data against unauthorised editing is often overlooked.
• IT security arms race: The attacker can focus time and money on attacks while target organisations are constrained by budgetary considerations where spending on cybersecurity must compete with other, often more pressing, business and operational requirements.
• Unpunished attacks: Foreign-based adversaries are shielded by the difficulty of prosecution across national boundaries.
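Two of the points above come down to the same mechanism: the control-network section argued that cryptography there serves integrity rather than secrecy, and the "attacks against data" item notes that unauthorised editing of stored data is often overlooked. The following is an added example, not code from the article or from AUTC, showing integrity-only protection of a plaintext telemetry frame with HMAC-SHA256: the reading stays readable by existing monitoring tools, but an edited frame, a replayed frame and a frame from a device holding the wrong key are all rejected. The frame layout, the pre-shared key and the sample readings are constructed for illustration; the same tag stored alongside a historian record also detects later editing at rest.

```python
"""Integrity-only protection for a plaintext telemetry frame.

Added example (not from the article or AUTC). The frame layout, the
pre-shared key and the sample readings are constructed for illustration.
"""
import hashlib
import hmac
import json

# Assumption: a 256-bit key per device, provisioned out of band (constructed value).
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def canonical(frame):
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()


def protect(frame, key):
    """Attach an HMAC-SHA256 tag; the frame itself stays readable (no encryption)."""
    tag = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
    return {"frame": frame, "tag": tag}


class Verifier:
    """Receiver-side check: genuine tag and strictly increasing sequence number
    per device, so edited and replayed frames are both rejected."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # device id -> highest accepted sequence number

    def verify(self, msg):
        frame = msg["frame"]
        expected = hmac.new(self.key, canonical(frame), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):  # constant-time compare
            return False, "bad tag"
        seq = frame["seq"]
        if seq <= self.last_seq.get(frame["device"], -1):
            return False, "replay"
        self.last_seq[frame["device"]] = seq
        return True, "ok"


def demo():
    """Run four cases and return their (accepted, reason) results."""
    v = Verifier(DEVICE_KEY)
    # Constructed sample reading from a feeder breaker RTU.
    good = protect({"device": "rtu-17", "seq": 1041, "breaker": "closed", "amps": 212.5},
                   DEVICE_KEY)
    results = {"genuine": v.verify(good)}

    # Attacker edits the reading in flight (or in the historian) but cannot
    # recompute the tag without the key.
    tampered = json.loads(json.dumps(good))
    tampered["frame"]["breaker"] = "open"
    results["tampered"] = v.verify(tampered)

    # Replay of the earlier genuine frame after it has already been accepted.
    results["replayed"] = v.verify(good)

    # A frame MACed under the wrong key (e.g. an attacker-controlled device).
    forged = protect({"device": "rtu-17", "seq": 1042, "breaker": "open", "amps": 0.0},
                     b"\x00" * 32)
    results["forged"] = v.verify(forged)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:9s} accepted={ok} ({why})")
```

Two caveats a practitioner would add: the canonical serialisation must be identical on both ends or genuine frames fail verification (which, in an availability-first network, is the failure mode to design against), and the per-device sequence counter must survive receiver restarts or a replay window opens after every reboot. Where many parties must verify but only the device should be able to produce tags, a digital signature replaces the shared-key HMAC.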
Cybersecurity for the electricity grid
Energy delivery systems constitute the backbone of the energy sector and typically comprise a network of processes that generate, transfer and distribute energy. These systems also include a vast array of interconnected electronic and communication devices required to monitor and control those processes. Reliable real-time process control is a crucial function in enabling efficient delivery of electricity nationwide. An overview of electricity delivery and associated control systems is shown in Figure 2.
Considering the interconnectivity associated with modern power grids in conjunction with the ever-evolving cyber threat, it is unrealistic to assume that energy delivery systems are isolated or immune from compromise due to cyber-attacks. Cybersecurity solutions, primarily derived from R&D related to next-generation cyber resilient systems and components, for the power grid are thus imperative to ensure ongoing reliable delivery of electricity.
Moreover, IT is increasingly being adapted to support OT in utilities [refer ESI 1/17 page 14 – Ed]; hence, operating systems, computer platforms, and networks commonly used in IT are now found in many OT architectures. This increased use of IT in OT architectures underscores the essential requirement to ensure the protection of these systems against malware specifically developed to attack utility networks.
However, cybersecurity for the electricity grid needs to be carefully engineered so as not to interfere with day-to-day service functions. In addition, legacy systems that lack the computational resources and communications bandwidth needed to support cybersecurity functions are still widely deployed and must therefore be taken into account when defence mechanisms are implemented.
Evolution of energy delivery systems
Many energy delivery systems in operation today were designed and implemented at a time when cybersecurity was unheard of, or was at the very most a low priority. These systems operated in an isolated environment and typically relied upon physical security and proprietary software, hardware and telecommunications technologies for control and monitoring. Infiltration thus required specific knowledge and physical access to equipment.
Today, new technologies have redefined energy infrastructure – and while these have certainly improved reliability, sophistication and communication at both operational and business levels, the integration of shared telecommunications technologies has resulted in increased levels of interconnectivity amongst corporate networks, energy delivery systems, other asset owners and the outside world in general. Furthermore, asset owners and operators have extended connectivity to improve communication and efficiency and have increasingly adopted commercial off the shelf technologies such as Windows and Unix to provide higher levels of interoperability.
Expansion, deregulation and increased market competition have also had an impact upon energy delivery system architecture. Continued expansion has frequently resulted in a proliferation of new and often remote facilities, which in turn has increased dependence upon public networks and the Internet.
Unfortunately, each auxiliary connection to a public network and/or the Internet provides a new point of entry for cyber-attacks and increases the need for asset owners to manage the increasingly complex paths of incoming and outgoing information. The resulting increase in system accessibility exposes network assets to potential cyber infiltration and subsequent manipulation of sensitive operations in the energy sector.
Escalating threats and new vulnerabilities
Electricity utilities are faced with an increasingly sophisticated and aggressive threat environment. Intelligence reports show that cyber adversaries are becoming more persistent and better financed. Furthermore, it is highly likely that their ability to launch new attack tools could outstrip the ability to implement effective countermeasures.
In addition to ever-evolving threat conditions, the migration toward a cleaner, more efficient energy economy creates new vulnerabilities by significantly increasing the number and availability of digital access points to energy telecommunications networks. For instance, smart grid technologies, such as automated metering and control systems, need to be designed with adequate built in security to defend against cyber-attacks.
It is thus abundantly clear that both the cyber and energy environments are continually changing. New threats, business practices, market trends, regulations and technologies will certainly reshape the energy delivery systems security landscape, as illustrated in Figure 3.
In more general terms, the so-called Internet of Things continues to grow. This will fuel the requirement for Internet Protocol version 6 (IPv6), which vastly expands the pool of available IP addresses. From an electricity utility perspective, smart metering deployments, which began almost a decade ago, have dictated the deployment of IPv6. Although not all ICS have as yet migrated to IPv6, most large utilities already have IPv6 in house. The sheer volume of interconnected things thus brings with it many new security challenges.
Also, as cloud computing capabilities and shared resources continue to proliferate, organisations and individuals no longer necessarily control all the infrastructure they are using. Securing assets outside of one’s control will increasingly become a more pressing issue in the very near future.
Furthermore, new IT capabilities are continually being deployed, quantum systems are being built, optical systems developed and more. Clearly old systems will struggle to secure new and continually evolving technologies.
To address these and other concerns, experts in the field of cybersecurity have recommended that leaders in this field convene at the national level to define an approach that encompasses the need to identify national cyber priorities, existing R&D resources, and gaps in the nation’s R&D base.
Strategic framework for utilities
Strategies that can be pursued by the utility to achieve an effective cybersecurity approach should include the following:
• Build a culture of security: When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness.
• Assess and monitor risk: This enables utilities to gain a thorough understanding of current security measures; thereby facilitating the ability to continually assess evolving cyber threats and vulnerabilities, including appropriate responses.
• Develop and implement new protective measures to reduce risk: This strategy will ensure that appropriate security solutions are built into both legacy and next-generation energy delivery systems. Next-generation energy delivery system architectures provide ‘defence in depth’ and employ components that are interoperable, extensible and able to continue operating in a degraded condition during a cyber-incident.
• Manage incidents: Any system can become vulnerable to emerging threats, and since absolute security will probably never be possible, managing incidents is a critical strategy. When installed protective measures fail to prevent a cyber-incident, detection, remediation, recovery and restoration capabilities will minimise its impact. In addition, post-incident analysis and forensics enable energy sector stakeholders to learn from the incident. Key elements for effective incident management are illustrated in Figure 4 (elements shown in red are typically carried out under severe time constraints and high visibility).
• Sustain security improvements: Maintaining a secure energy supply system is a long-term goal. This requires a strong and enduring commitment of resources, clear incentives, and close collaboration amongst all stakeholders.
In conclusion, critical information systems are at the very heart of almost every aspect of modern life. These systems control and manage electrical power generation, transmission and distribution, water distribution and purification, provide data to government and law enforcement agencies, run hospital operations and banking transactions and are furthermore fundamental to the day-to-day running of corporates and small business throughout any modern economy.
Although mostly reliable and efficient, the pervasive nature of information technology demands that the serious risks posed by vulnerabilities exploitable by malicious attacks be addressed as a matter of national security. The importance of doing so cannot be overstated. However, a migration toward a more secure information technology infrastructure will certainly demand a concerted and committed effort on multiple fronts, with government playing a major role in creating and managing an effective national research and development roadmap.
To facilitate the process going forward several research and development priorities have been identified for the next 5-10 years. These will, at the very least, include the following:
• A coordinated and collaborative approach,
• development of metrics for security,
• the creation of an effective legal and policy framework, and
• addressing the human dimension of security.
Article written and made available to ESI Africa for publication courtesy of African Utilities Technology
Council (AUTC), a non-profit trade association owned by utilities. Their mission, led by AUTC director, Corrie
Vermeulen (firstname.lastname@example.org), is to shape the future of utility mission critical technologies by
driving innovation, fostering collaboration, and influencing public policy. www.utc.org/africa
Cyber Security Research and Development Agenda – I3P
A Roadmap for Cybersecurity Research – INFOSEC Research Council
Roadmap to Achieve Energy Delivery Systems Cybersecurity – Energy Sector Control Systems Working
Homepage image source: Cyber Secure Asia