Cybercriminals have already figured out how to hack into enterprise infrastructure, and the critical infrastructure that controls our nation's supply of water, gas, oil and electricity just might be next.
With so many connections and shared vulnerabilities between the two infrastructures, the inevitability of this is unsettling. If the critical infrastructure is successfully penetrated, electrical grids could be shut down, water supplies could be turned off, telecommunications channels could be severed, and transportation systems could come to a halt. Take the electrical grid offline and massive numbers of power-reliant entities could grind to a halt, including everything from banks to hospitals.
Each day brings media attention to yet another breach, but it seems we are unable to make headway on the security front. It's certainly not from a lack of resources; we have plenty of technology, standards, and regulations to draw upon.
It seems to boil down to the fact that we continue to do stupid things. We still write insecure code. We still don't patch our systems. We still don't control user rights properly. We still use the same usernames and passwords across multiple accounts throughout both our personal and business worlds. And, you guessed it -- these passwords we use aren't even managed well. It's no wonder corporations continue to get hacked.
But what we should be most concerned about is that our two infrastructures -- the private/commercial/enterprise infrastructure and the critical/industrial/utility infrastructure -- are interconnected in many ways, and security weaknesses within either therefore put both at risk.
Approximately 85% of the nation's critical infrastructure is owned by the private sector, according to the U.S. Government Accountability Office. And, with pressure to increase profits and reduce expenses, many utilities have combined their control system networks with their commercial business networks, according to Arjen Zwaag of Cisco speaking at a Pipeline Technology Conference.
By operating over a shared network, not only do the two environments now share the same vulnerabilities, but a hacker also now has a clear, direct and trusted path to get from one environment to the other.
Adding to this, these same business networks are also connected to other private and commercial networks designed to provide end-to-end business functions, including services such as telecommunications, research and development, IT help desk and support, and many more.
For hackers, this means even more shortcuts to the critical infrastructure. Many sophisticated and targeted attacks known as advanced persistent threats (APTs) don't go directly for the pot of gold; instead they tend to find more easily accessible initial points of entry within less secure systems, and then once they're in, strategically and unobtrusively work their way through chains of connected systems and networks to reach their end-targets.
APTs are unavoidable by nature, and a compromise within the private/commercial infrastructure that extends to a compromise within the critical infrastructure could lead to unfathomable amounts of damage. With the public utilities facing well-organized and sophisticated attacks on a daily basis, one must wonder if hackers are already taking this approach of attacking commercial enterprises first as a means to make their way into the critical infrastructure. It is inevitable that these cyber adversaries will someday attack the oil industry, the transportation sector, and the electric grid via the commercial enterprise.
"You don't know who is fingerprinting the critical infrastructure," said Francis Cianfrocca, CEO of Bayshore Networks, during an interview at the 2012 RSA Security Conference in San Francisco. Hackers "have found their way in -- you know they are in there -- you just don't know how they got in, where they are residing, and what they are doing there."
To better understand the national security implications, we have to take a look at how the industrial control systems can be manipulated. As they first started to appear in wide use, they were originally connected together via serial lines with no connection to the Internet, and therefore physical security substituted logical security in most cases. However, in the mid-'90s, the control gear began to ship with Internet connectivity built in, thereby opening up these devices to all the risks associated with being connected to the Internet and other networked systems.
We can look to the supervisory control and data acquisition (SCADA) system vulnerabilities highlighted at last year's Black Hat conference in Las Vegas to illustrate the possible consequences of an attack on the critical infrastructure. A hacker could feasibly leverage one of the SCADA system's numerous inherent vulnerabilities, such as a well-known hard-coded password on a power grid control system, in order to gain access to the system. [Also see: "Researchers expose flaws in popular industrial control systems"]
Then the attacker could, for example, capture "stop" commands from one self-controlled programmable logic controller (PLC) and play them back to another remote-controlled PLC via HTTP and telnet with the goal of shutting it down. The attacker could then further sabotage the environment by using the PLC to initiate other malicious commands. Such commands could cause pipeline valves to open or close or centrifuge motor speeds to increase or decrease, any of which could cause damage to the individual components of the supply chain or even force the entire connected environment to completely collapse, even physically explode.
Another plausible scenario is one in which we could see a great deal of localized damage that affects many peoples' lives. For example, by taking a power plant offline the attacker could leave scores of people in the dark, cause the water system pumps to go offline, force hospitals to function without critical equipment, and disable ATMs, fuel stations, and traffic signaling systems.
Consider the 2003 case in which a power grid failure affected roughly 55 million people in the U.S. and Canada, and showed how fragility within any of the nation's three electric regions -- East, West and Texas -- can lead to extended trouble. As the balance between supply and demand of electricity is extremely close, any significant stress to the system could take it offline (by design), and the damage could be experienced on a wide regional scale.
All that is required to wreak some havoc is for a hacker to cause a generating station to go offline. The transmission grid is quite fragile with respect to localized disruptions; the grids are designed to shut themselves down automatically if they suspect a failure pending. Therefore, an attacker would not need to do much to trigger such an event; a simple instruction telling the generating station that it is about to fail is all it would take. If the attacker is able to do this to a few stations, widespread impact could be experienced.
Even though there are flow regulators and switches located within the oil and gas supply chain which make it vulnerable to similar attacks, there are a lot more points within this sector that would need to be attacked as well to cause much damage; thus the environment is somewhat limited to localized failure. That said, the oil and gas industry is no stranger to attack. ABC News recently reported that the "Iranian oil ministry's computer network came under attack from hackers and a computer virus, prompting the Islamic Republic to disconnect the country's main oil export terminal from the Internet."
Somewhere between the oil and gas sector and the electrical grid lies the water sector. While the damage would be limited to a specific locality such as a large city or multi-city district, it could become a serious public health issue, or at least a public nuisance, if a water treatment plant or pumping station were taken offline.
"The oil and gas sectors are thinking more organically than the others," Cianfrocca says. "The rest are pretty much wide open to compromise as they aren't being forced to implement nor prove they have the right security in place, plus they simply don't have the budget to invest in all of the security layers required."
With all of this in mind, let's look at some of the security weakness that continue to enable hackers to break into the enterprise infrastructure which may ultimately lead them to critical infrastructure:
* Application code vulnerabilities: With an average of 10% of code containing vulnerabilities, this is by far one of the more prevalent weaknesses that can be leveraged. The vulnerable systems don't have to be public-facing in order for an attacker to take over; access to an "internal" system could be gained using SQL injection, a cross-site script, or even a remote file include. A hacker that arrives within a trusted partner network could, from that system, scan and probe any connected critical infrastructure systems and networks for other known application vulnerabilities.
* Weak and recycled account passwords: In 2011, according to Tim Brown, CTO of CSID, the team at CSID collected more than 10 million records containing compromised identity information exposed by data breaches, which is now in the wild and available for sale or trade on the black market. More than eight million of these records contain email addresses with passwords, and many of these compromised accounts are directly related to corporate accounts. Gartner analyst John Pescatore says that "a lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems. What I think we are seeing is really what I like to call 'the curse of the reusable password.'" Using an account list extracted from a compromised enterprise coupled with a black-market purchase of account, email, and login information, a hacker could match these two sets of data together and attempt logins to critical infrastructure systems which are now discoverable via the trusted connected network that was compromised.
* Improperly managed account rights: Admin-level account privileges are often granted to commercial organizations' employees and partners to allow them to do their jobs without having to involve the IT help desk. Viewfinity CEO Leonid Shtilman warns that "most organizations are victims of 'privilege creep,' the situation where privileges are locked down initially by IT and are then increased little by little over time." Coupled with weak and/or recycled account passwords, hackers could gain access to sensitive or critical systems, applications and data within the critical infrastructure via an account that shouldn't have been accessible in the first place, or via an account that possesses too many user rights. This enables the hackers to do as they wish with these now-compromised resources with little probability of being detected.
* Bring your own device (BYOD) trends: As more and more mobile technologies emerge, an increasing number of people within the commercial enterprise are bringing their own devices into the workplace. The security of these personal devices is often unregulated, therefore jeopardizing the security of an organization's entire network, plus that of any other networks that are connected to it.
To properly combat cross-infrastructure attacks, the following things need to occur:
* Interconnected network security and assessment: Communications and network channels between the enterprise and the critical infrastructures need to be routinely assessed to ensure the proper security mechanisms are in place and functioning properly. "The community is realizing that monitoring may not go far enough and that continuous risk assessment -- actually proving what is exploitable before your hackers do -- is a longstanding practice found in many government cybersecurity programs that can and should be extended to the critical infrastructure and the commercial enterprises that support them," says Seema Sheth-Voss, director of solutions marketing at CORE Security.
* Employ integrated security management: Security management solutions need to become more than just antivirus protection and log-management mechanisms. Security systems also need to address the applications themselves, leveraging Layer 5 firewalls. The security systems must employ constant monitoring of vulnerabilities and patches, understand and respond to anomalies in system, application, and user behaviors within and across the connected networks, and engage in big data security analytics across multiple sectors to develop industrywide threat intelligence. "Security leaders really need to take a step back and reconsider the option of security consolidation where threat information from multiple vectors can provide deeper end-to-end threat intelligence," Sheth-Voss adds. [Also see: "Fast-forwarding firewall faceoff"]
* Develop regulations with accountability: Regulations and best practices need to be defined, created, mandated, applied and enforced such that they cross over both the enterprise and the critical infrastructure entities. The Department of Homeland Security, the Department of Defense (DOD) and the Department of Energy (DOE) need to be at the forefront of fostering best practices and standards. The appropriate government entities should consider making funds for such purposes available to institutions farther down the chain beyond the capital goods vendors -- such as the local/state entities that put the industrial control systems in place. In the end, the value of security must be described and demonstrated. "The North American Electric Reliability Corporation (NERC) CIP5 set of cybersecurity standards, as one example, is being defined to focus on security as opposed to just compliance, but it will be a few years before we can see it in action," Cianfrocca says.
* Manage identities as humans: Security must focus on human behavior. Human-centric security is about recognizing that a digital identity is actually a human being; humans have patterns and behaviors that can be modeled and risk can be adjusted based on a number of factors. "Humans tend to make more mistakes on Mondays and when they work more than 12 hours," says Brown. "Humans are more vulnerable to coercion when they have recently been divorced or have money issues; this can't be ignored." Of course, the human factor is present in the critical infrastructure and many safeguards are in place to manage the physical aspects of humans. These same human-oriented safeguards need to be extended to the enterprise infrastructure as well.
* Establish cross-sector communications: Critical infrastructure entities, government institutions and the private sectors that enable them need to share threat intelligence, working together as a common force to track down these would-be attackers. U.S. Secretary of Homeland Security Janet Napolitano recently told the Senate Homeland Security and Governmental Affairs Committee that "we need the information-sharing, and it needs to be real-time. It makes commons sense." Organizations and government agencies need to get over their hangups on sharing information, no longer treating existing and emerging threats as information that requires clearance levels above top secret. It needs to be done in a way that doesn't tip off the bad guys, so maybe some legislative work coupled with a neutral third-party entity could help to build and share this cross-entity threat intelligence.
* Identify new technologies: One example of critical infrastructure protection is to utilize technologies that reduce (if not eliminate) vulnerabilities altogether. One such example is use of BAE's STOP OS -- built especially for the DOD -- which does not require patches, thereby eliminating the need for staff and security experts to patch the infrastructure systems. Another option for secure virtual operating systems is Joyent's GuardTime-enabled SmartMachine, which prevents independently verified operating system modules and third-party applications from executing if they have been compromised in any way.
We must also remember that at the core of the critical infrastructure lies the platform; systems developed by industrial goods vendors such as GE, Emerson and Siemens. These companies need to be incented and/or required to build in and provide better security technologies as part of their devices, systems and services so they are not only more robust, but also not subject to the risks faced by enterprise infrastructure.
One thing is for sure, policy, regulations, penalties and fines are not enough; this is the nation's critical infrastructure we are talking about. It's time we stop ignoring the risk that our profit-driven private sector enterprises pose to the critical infrastructure.
Sean Martin is a CISSP and the founder of imsmartin consulting. Contact him at [email protected]
Read more about wide area network in Network World's Wide Area Network section.