During a recent audit of IT security at a large German power plant, an operator answered ‘yes’ to both questions when asked whether his IT system had anti-virus protection and whether or not he had ever had to respond to an attempted security intrusion.
Once, the operator explained, a warning message had flashed upon his screen.
Most telling was how he responded and why.
“I had no idea what to do, so I just hit ‘no’,” the operator explained.
We don’t know how harmful this could have been, but the fact that an operator of a major power plant was not briefed on how to respond to security threats is cause for alarm. The situation also underscored the point that effective cyber strategies are not only about products but also about people, planning and processes. Having the best software protection in the world is of limited use if those on the front line do not know how to respond when a potential attack occurs.
Throughout the world, concerns about cyber security have been underscored by a growing number of incidents. Earlier this year, the WannaCry ransomware attack impacted organisations ranging from health services in the United Kingdom to universities in China. During the Russia-Ukraine conflict in 2015, Russian hackers took down around 60 Ukrainian power stations and cut power to around 230,000 people. The famous Sony Pictures hack in 2014 saw a hacker group release streams of confidential data before using malware to erase the company’s computer infrastructure as it was about to release a controversial film involving an assassination attempt upon North Korean leader Kim Jong Un.
In Australia, we have not been immune. Back in 2000 on the Sunshine Coast, one million litres of untreated sewage was released into a stormwater drain, from where it flowed into waterways over a three-month period, following hacking activity by disgruntled Maroochy Water Services contractor Vitek Boden.
The overall impact upon critical infrastructure should not be underestimated. In a 2015 survey of industrial automation and control system operators conducted by management consultancy Booz Allen Hamilton, 34 percent indicated that their systems had been breached more than twice in the past twelve months. Of these, 44 percent were unable to identify the source of the incident.
Attacks can come from various sources, ranging from those hacking as an intellectual challenge or for social status, through to cyber criminals; competitors; disgruntled parties with whom the organisation has a relationship; social or political actors; or hostile states. Motivations range from the intellectual challenge or growing prestige through to cyber espionage, extortion, causing embarrassment or reputational damage, interfering with physical infrastructure (e.g. shutting down power plants), terrorism, or conducting acts which are hostile either to the organisation or to the state or country in which it is located.
For engineers, understanding cyber security is important for two reasons. First, they need to understand how to prevent and respond to attacks which target themselves or their own organisations. Second, attacks may impact the buildings, infrastructure or industrial environments whose design they are involved in. Regard therefore needs to be had not only to the physical security of those assets but also to their IT security.
At the outset, it must be acknowledged that cyber security has become more complex over the past decade. Courtesy of staff making greater use of personal devices in remote locations, the IT systems of companies increasingly being integrated with those of their customers, suppliers and IT service providers, and an array of gadgets now being linked via the internet of things, the potential range of attack vectors has spread beyond servers and desktops and now includes laptops, tablets, mobiles, external systems and an array of devices. In this environment, ‘fortress’-like approaches of building defences around a company’s own servers and desktops are becoming less effective.
When looking at cyber security, Mailguard chief technology officer Bill Rue says it is important to understand how attacks occur. Speaking at the recent Digitize 2017 conference organised by Siemens in Sydney, Rue said nine out of ten attacks originate via an email, notwithstanding the growing popularity of other mechanisms. Whilst staff will generally delete messages which are not credible, Rue says 97 percent of people fail to recognise emails as malicious where they are well crafted and sufficiently believable.
Because of this, hackers are employing smarter tactics. Along with the well-known technique of sending messages which purport to be from legitimate companies (e.g. Telstra, major banks), others use a more sophisticated technique known as social engineering. This involves the attacker learning about the organisation and using this information to make the message appear to come from someone the recipient knows. For instance, they might pose as someone’s boss (whose name they would know) and make certain requests, such as transferring money to a specified account. As this is something an employer might reasonably ask of their workers, the worker may well comply under the mistaken belief that the instruction genuinely comes from his or her boss.
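As an added illustration of how a mail gateway or a defender's triage script can flag the ‘boss asks for a transfer’ message described above (this is example code, not Mailguard's or any vendor's rule set), the check below combines three signals: an executive's display name arriving from an outside domain, a Reply-To that diverts replies elsewhere, and a payment request in the body. The organisation domain, executive names and wording patterns are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed, hypothetical organisation data: its own mail domain and the
# names an attacker would most plausibly impersonate.
ORG_DOMAIN = "example-engineering.com.au"
EXECUTIVES = {"Jane Citizen", "Tom Smith"}

# Constructed phrases typical of a "transfer money to this account" request.
PAYMENT_PATTERNS = re.compile(
    r"\b(wire|transfer|pay(?:ment)?|remit)\b.*\b(account|bsb|iban|funds|invoice)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalise(name):
    """Fold case and whitespace so 'CITIZEN, Jane' and 'jane citizen' compare equal."""
    return " ".join(name.replace(",", " ").split()).casefold()


def domain_of(address):
    return address.rsplit("@", 1)[-1].casefold() if "@" in address else ""


def classify_message(from_header, reply_to_header, body):
    """Return a list of warning strings for one message (empty list = no flags)."""
    display, addr = parseaddr(from_header)
    sender_domain = domain_of(addr)
    warnings = []
    # 1. Display name matches an executive but the address is external.
    if normalise(display) in {normalise(n) for n in EXECUTIVES} and sender_domain != ORG_DOMAIN:
        warnings.append("executive display name from external domain")
    # 2. Reply-To quietly sends the reply to a different domain than the sender's.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if domain_of(reply_addr) != sender_domain:
            warnings.append("reply-to domain differs from sender domain")
    # 3. Body asks for a payment or a change of account details.
    if PAYMENT_PATTERNS.search(body):
        warnings.append("payment request in body")
    return warnings
```

Any message that collects more than one warning is a candidate for quarantine or for a phone call to the purported sender before anyone acts on it.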
When thinking about security, one issue is how to go about it. In this regard, the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology outlines five core functions.
First, it is important to identify risk areas and develop an organisational understanding about the management of cybersecurity risk to systems, assets, data and organisational capabilities. Essentially, this is about identifying where the organisation might be vulnerable and what the consequences of any possible attack could be. Doing this will assist organisations to prioritise their IT security efforts.
Next, it is important to put in place appropriate safeguards to protect assets and to contain or limit the impact of any potential attack. This could be achieved through strategies such as access control; staff awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.
Third, strategies are needed to detect and identify any cyber-attack which does occur.
Fourth, it is important to respond to any security event which does occur. The above example of the German power plant operator who simply hit ‘no’ shows what not to do in this area. When something like this does occur, staff need to be aware of who to alert and what processes to follow.
Finally, strategies must be in place to recover from any attack and restore capabilities or services which have been impaired. This could include, for example, having data backups (see below) or, for critical infrastructure, even having backup systems ready to go.
As well as protection of critical assets, it is also important to think about data protection and recovering from data loss. Loss in this area could result from either data falling into the wrong hands (e.g. competitors or activists) or simply organisations losing data which is critical for their operations such as customer account balances or employee records.
A problem in this area, says Jerry Vochteloo, chief executive officer, Data Protection Solutions at Dell EMC, is the growing popularity of ransomware, which enables cyber criminals to operate under a risk-free business model by scrambling their victim’s data, demanding payment for retrieval and (maybe) releasing it back. Speaking at the Siemens conference referred to above, Vochteloo said criminal rackets have become increasingly sophisticated and have set up helpdesks to assist their victims with payment, along with HR departments to recruit their own staff.
Cyber criminals are also targeting not just the systems themselves but also the backups. In the Sony hack, he said, the attackers first went for the backups and made it near impossible for the company to recover its data.
Vochteloo breaks attacks down into several categories. First, ‘basic’ threats, including typical viruses, ransomware such as WannaCry and other malicious programs, are targeted broadly and randomly at anyone who will fall for them. For these, he says, you need basic levels of protection against viruses and malware along with reliable backups from which you can recover your data even if the original copy does become encrypted.
Beyond that, there are more targeted attacks whereby criminals identify specific parts of your organisation to target. By learning where your backups lie and targeting them, for instance, Vochteloo says the attackers can impair your ability to recover and therefore make you more likely to pay the ransom.
In a limited number of cases, attackers will attempt to identify small and specific parts of your organisation with the particular objective of doing it harm (e.g. by shutting down infrastructure). These could potentially be state-sponsored actors or actors with a specific social or political agenda. The Sony case was a critical example of this.
In respect of these types of threats, Vochteloo says advanced protection of the backups themselves is necessary. This can entail measures such as hardening your backup services, replicating backups and having additional copies of them. For critical datasets, Vochteloo says you want to ensure that you have a safety copy. This, he says, involves use of an ‘air gap’, a network security measure employed on one or more computers to ensure that a network is physically separated from other networks such as the public internet or an unsecured network.
According to Vochteloo, core concepts in data protection revolve around several areas.
First, physical separation is critical. Backups which sit in the same place as the primary data set are useful for operational recovery where data is accidentally deleted, but useless in the event of disk failure or other threats.
Next, backups should not be controlled by the same piece of software which controls the original data. Home backups are a possible solution.
As well as having backups, it is important to test these periodically and validate that the data on them is correct.
Beyond that, there are advanced controls such as locking your backup so that it cannot be deleted even by the backup administrator, so that someone who compromises your backup system still cannot remove it.
Replication of backups, and having copies which are independent of the original backups and of which the original backup system is unaware, is crucial, Vochteloo said. For core data which is essential for your organisation to function, Vochteloo says air-gapped defences are worth considering.
Finally, Vochteloo says there is a need to look at protection for ‘end-points’, including mobile devices such as laptops and cell phones.
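As an added example of the ‘test your backups periodically and validate the data on them’ point above (example code, not Dell EMC's or any product's), the script below records a hash manifest when a backup copy is written, keeps that manifest away from the backup itself, and later checks the copy against it. A file whose hash has changed is what a backup scrambled by ransomware looks like; a missing file is what a deleted backup looks like. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(backup_dir):
    """Map each file's path (relative to backup_dir) to the SHA-256 of its contents."""
    root = Path(backup_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def verify_backup(backup_dir, manifest):
    """Compare a backup copy against the manifest taken when it was written.

    Returns (ok, problems); problems lists files that are missing or whose
    contents no longer match."""
    current = build_manifest(backup_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"altered: {rel}")
    return (not problems, problems)


def demo():
    """Constructed scenario: write a backup, store its manifest separately, then
    simulate an attacker scrambling one file and deleting another."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "hr").mkdir(parents=True)
        (backup / "hr" / "employees.csv").write_text("id,name\n1,Jane Citizen\n")
        (backup / "balances.db").write_bytes(b"\x00\x01\x02balances")
        # The manifest lives outside the backup tree (the separation point above).
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup)))
        clean = verify_backup(backup, json.loads(manifest_path.read_text()))
        # Simulated attack: one file "encrypted", one file deleted.
        (backup / "balances.db").write_bytes(os.urandom(32))
        (backup / "hr" / "employees.csv").unlink()
        after_attack = verify_backup(backup, json.loads(manifest_path.read_text()))
        return clean, after_attack
```

A real schedule would run the verification against each replicated or air-gapped copy, not only the primary backup, so that a copy the attacker has already reached is caught before it is needed for recovery.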
Whether it be their own firm or one for which they design, engineers throughout Australia need to be aware of cyber security.
With a few simple strategies, risks associated with cyber-attacks can be managed.