Mark Weatherford will likely not forget the week of July 12, 2010. He'd just started his job as vice president...
and chief security officer at the North American Electric Reliability Corporation (NERC) that week. And as chance would have it, security researchers had recently announced the discovery of Stuxnet, one of the most advanced worms on record and widely believed to be targeting Iranian nuclear facilities. With NERC's mission being to ensure the reliability of the North American bulk power system, it was a leap right into the fire for Weatherford.
The Windows-based worm, which contained a programmable logic controller (PLC) root kit, is the first known worm that can reprogram industrial systems, and was crafted to breach Supervisory Control And Data Acquisition (SCADA) systems. SCADA systems are often used to control and monitor industrial processes, including those that help to manage power grids.
Immediately, Weatherford put into place a "Malware Tiger Team" that could be leveraged to help NERC ensure that the information about Stuxnet that was shared among facilities was accurate and useful. The team was comprised of malware experts and representatives from a number of federal agencies. Once the initial commotion over Stuxnet subsided, the team's role faded, but not its ability to reconvene quickly should another threat against the power generation and distribution system materialize.
While the hope is that such a need never arises, the probabilities point to someday in the future when the Tiger Team is called back to work. The extremely sophisticated Stuxnet worm highlighted the vulnerability of the critical infrastructure the world relies on, andsecurity experts worry it could be a harbinger of future attacks. That's especially true as nation-states increasingly invest in their offensive cyber-attack capabilities. Just as concerning as the threat, experts say, is that efforts to secure the SCADA systems used to manage many of the critical systems for controlling electricity, water delivery and other essential services have been lax. The federal government and industry groups are taking steps to secure the grid and the SCADA systems that support it, but many worry time is running out before a significant attack hits.
There's no question that concern over critical infrastructure security is growing. Consider the findings in a report released last year by the Center for Strategic and International Studies (CSIS), and funded by security firm McAfee, In the Crossfire: Critical Infrastructure in the Age of Cyberwar. Based on a survey of 600 IT security managers from critical infrastructure organizations, the report found that 37 percent believed the vulnerability of the sector they worked increased over the year prior, and two-fifths expect a significant security incident in their sector in the next year. Only one-fifth of respondents to the survey believe their sector to be safe from serious cyber-attack in the next five years.
While there was no devastating attack that hit the IT systems that support the North American critical infrastructure, 2010 will nonetheless go down as a decisive year for malware and digital attacks. Cybercriminals (who themselves edged-out the hacker-hobbyist years ago) took a backseat to the state-sponsored attacker. These attackers are well trained, well-funded, and professional. They pose perhaps the greatest threat we've yet to see face the critical infrastructure. In fact, the CSIS survey found 60 percent of those surveyed believe foreign governments have been involved in past infrastructure infiltrations.
Researchers at Moscow, Russia-based Kaspersky Lab, where two of the four zero-day vulnerabilities the Stuxnet worm exploited were identified, reported that Stuxnet's mission was to infiltrate a specific industrial control system that both monitors and controls industrial, infrastructure, and many on-site processes. It certainly wasn't considered an amateur job. "The inside knowledge of SCADA technology, the sophistication of the multi-layered attack, the use of multiple zero-day vulnerabilities and legitimate certificates bring us to an understanding that Stuxnet was created by a team of extremely skilled professionals who possessed vast resources and financial support," the company said in a bulletin.
"I view Stuxnet as a weapons delivery system, like the B-2 bomber," says Michael Assante, president and CEO at the National Board of Information Security Examiners, and former vice president and chief security officer at NERC and critical infrastructure protection strategist at Idaho National Lab. "The code was designed to be very modular, so that its attack payload could be changed to be able to attack different systems. It's clear to me that the resources available to the authors of the worm were substantial. They designed it with high confidence that the warhead would do exactly what it was designed to do," Assante says. "That takes skill and resources." .
That combination of well-heeled attackers and sophisticated malware means the stakes are much higher today than a few years ago when it comes to securing the critical infrastructure. This rise in the capabilities of cyber adversaries should be of concern to everyone. Civilization is dependent on the critical systems that control electricity, finances, communications, water delivery, food distribution, and manufacturing. And the management of many those systems themselves are largely dependent on SCADA systems. Years ago, however, when these SCADA systems were first developed, they weren't designed to be resilient to today's security threats or heavy reliance on common and commercially available software applications, operating systems or for communications over public networks such as the Internet.
IGNORING THE RISKS
As SCADA systems have become increasingly networked, many believe that the industry and the federal government have not taken strong enough steps to ensure these systems are secure. "The industries that ignored cyber security, regardless of what the government said, are still doing just that," says Alan Paller, director of research at the SANS Institute. "It's a fundamental market failure. The industry said it would take care of things, and it didn't do the job it said it would do," Paller contends.
Others agree. "As long as there have not been any attacks [on their critical systems], it's hard for [insiders] to argue to make something more secure," says Richard Stiennon, chief research analyst at IT Harvest and author of Surviving Cyberwar. ( "There were no attacks last year, and there probably won't be attacks next year. So we're not spending on security because you say we should," is the typical response security professionals hear from their management, Stiennon says.
"Following Stuxnet, one would think that there would had of been a surge of activity to protect the grid, but there wasn't," Paller says.
That apathy extends to the developers of industrial control systems, others say. "There is this climate where everyone understands the potential for mischief, but no one is talking openly about it. And the people who are finding vulnerabilities in SCADA systems and report them to the vendors find themselves in an adversarial situation," says Shawn Moyer, principal consultant at FishNet Security who co-presented a session on "Wardriving the Smart Grid" at BlackHat 2010. "What is going on in this industry today seems a lot like what was going on in the IT industry in the late 1990s when most software companies simply ignored security"
"When it comes to SCADA vendors, we are really early in the maturity curve," agrees Assante. For instance, he says, while security administrators at critical infrastructure organizations would like to know how to best harden those systems, the vendors don't always provide the necessary documentation that explains how to do so.
"The vendors understand that security matters, and they're starting to work security into their development processes. Generally, however, their security engineers probably aren't part of the developments teams," he says. "Security is not built into their processes. Over the next couple years, critical infrastructure vendors are going to have to more tightly integrate security into their design and product support initiatives," he says.
REGULATIONS IN THE WORKS
The federal government and industry groups aren't standing still when it comes to securing the grid and SCADA dependent systems. And they're helping guide the way to more secure and sustainable power systems. Last June, the Department of Homeland Security (DHS) released its Catalog of Control Systems Security Recommendations for Standards Developers that aims to help facilitate the creation of security standards for SCADA, process control, distributed control, and other critical infrastructure systems. The standards help to detail everything from how such industries can screen personnel to establishing physical security and setting secure configuration management guidelines. NERC, for its part, maintains security standards and guidance to roughly 2,000 public and private firms involved in electricity production and distribution in North America.
NERC's Critical Infrastructure Protection (CIP) regulations were designed to help ensure the reliability of bulk power generation and delivery. NERC CIP regulations comprise eight mandatory requirements that establish the minimum acceptable level of risk, and include security log collection and analysis, access control, reporting, intrusion detection/prevention system, among others. "The standards have only been auditable for a couple of years, and we are light years improved from where we were a few years ago," says Weatherford. "Are we where we need to be? No. But neither was PCI DSS when it first came out. Today, PCI DSS is a fairly good standard."
Weatherford has a number of areas where he'd like to see improvement. For instance, he would like the CIP standards to move more rapidly and possibly be augmented with more agile ways for covered organizations to manage their risk. "It takes years for these standards to be agreed upon. That's way too long for cyber security," he says. Additionally, Weatherford says that a more dynamic risk management framework that can be used in conjunction with the CIP standards would help facilities more intelligently manage risk. "Just as all systems are not equally critical, the risk postures of different plants are not the same and can't be managed the same way," he says. "We've just began work on developing a more agile way for organizations to leverage the CIP standards."
Assante also agrees that critical infrastructure regulations should be risk based and more agile to help better prepare critical infrastructures and the security teams that protect them. "Legislation should include the need for more sharply defined federal authority to address specific and imminent cyber security threats to critical infrastructures in the form of emergency measures," Assante said in a hearing before the senate committee on homeland security and government affairs in November.
|Powering Up Security|
Utility company implements network encryptors to protect SCADA data and meet NERC requirements
With a huge power plant built back in the 1940s that covers a lot of square footage, the North American Energy Alliance faced a compliance challenge. North American Electric Reliability (NERC) standards require that wiring between physical security perimeters be enclosed in conduit or the data must be encrypted. For the NAEA, that would have meant a lot of conduit so it opted to encrypt, says Dominick Birolin, network engineer at NAEA.
The company, which is based in Iselin, N.J., and owns a portfolio of 1,755 megawatts of electricity producing power stations in the Northeast, looked at a variety of encryption options, including point-to-point IPSec tunnels. But it determined that IPSec tunnels would result in latency problems, Birolin says.
NAEA ultimately chose network encryptors from CipherOptics for securing its SCADA information. CipherEngine Enforcement Points from CipherOptics are FIPS 140-2 Level 2 validated encryption appliances.
"With CipherOptics, the latency was in microseconds as opposed to milliseconds. That was a big advantage, especially for SCADA systems," Birolin says.
The technology helps NAEA meet its compliance obligations, but data encryption is an overall good practice, he says.
IMPROVING SECURITY OPERATIONS
When it comes to critical infrastructure protection, information sharing and collaboration has been called upon for years. Last year was the first year the industry has seen real information sharing begin to coalesce. In November, the Department of Homeland Security (DHS) launched a cyber security information sharing center designed to more efficiently share information about cyber threats to the critical infrastructure. Dubbed the Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center, it's a 24-hour live watchdog that will, hopefully, provide state and local government officials the same details as those in the federal government.
According to DHS, tThe National Cybersecurity and Communications Integration Center (NCCIC) will head information sharing to the MS-ISAC Operations Center. States are expected to use the MS-ISAC Operations Center to cooperate to enhance IT security defense and response. The move is just one in a recent flurry of moves by the DHS to help bolster information sharing and incident response.
DHS also announced that the Information Technology Information Sharing and Analysis Center (IT-ISAC) will embed a full-time analyst and liaison to DHS at the NCCIC. The IT-ISAC consists of information technology representatives from the private sector and facilitates cooperation among members to identify sector-specific vulnerabilities and risk mitigation strategies.
Also, this past fall, to test the nation's ability to withstand an advanced cyber attack, DHS and a number of international security and intelligence agencies engaged in a cyberwar game involving 1,500 security events designed to see how well federal agencies and more than 60 private sector companies in critical infrastructure responded to a cyber attack. Cyber Storm III was used to test the newly-developed National Cyber Incident Response Plan (NCIRP), which is the government's current cyber security incident response playbook. A report detailing the results of the exercise is expected soon.
"Government and industry aren't standing still, but the question is are they doing enough, quickly enough," says IT Harvest's Richard Stiennon.
In the future, it may not be budget, technological, or regulatory hurdles that prove the most challenging when securing the critical infrastructure: It could be finding enough skilled security professionals. "It's not that there's a problem finding security superstars, there's a lack of people with basic security skills and knowledge," says Vincent Liu, managing partner at the application security firm Stach and Liu.
In its report, A Human Capital Crisis in Cybersecurity, the CSIS found that there are roughly 1,000 security professionals in the U.S. who have the specialized cyber security skills needed to protect the critical infrastructure. The report estimates the nation could need up to 30,000 similarly skilled people to get the job done. "There's no doubt that we need to invest more in the security workforce. We need better training, and regular reassessments of their skill level," Assante says.
NERC's Weatherford agrees. "There are not many qualified, technical, cyber security experts that have experience in the power industry," he says. Weatherford says it's part of a troubling macro trend affecting the IT industry. "We've been talking about the retirement bubble for a couple years now. We studied the issue when I was CISO at the state of California, and we found so many technical staff eligible for retirement within next few years that it became obvious that if we didn't train and recruit enough people, we were really going to have a problem."
Having the IT staff needed to keep operations running smooth is one thing, having enough professionals trained in the still obscure IT security profession is another -- and experts warn we are running out of time. "These aren't always highly-skilled attackers or sophisticated malware that manage to get through. I've seen traditional worms like Conficker on hardened controllers," says Assante. "My greatest fear is that we are running out of time to learn our lessons. Stuxnet, although difficult to hijack or modify by others, may very well serve as a blueprint for similar but new attacks on control system technology," he adds.
George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota. Send comments on this article to firstname.lastname@example.org.