One of the recurring themes we have explored is the importance of securing critical assets from malicious attacks – be it for financial gain, to obtain privileged information or to create disruption. It is the latter that probably best fits when we speak about Critical Infrastructure – this usually encompasses assets that, if compromised, don’t just impact individuals or organisations, but the populations of whole countries. These can include things we take for granted every day, such as power and water. The disruption of these services and assets, if attacked, wouldn’t just bring inconvenience but potentially devastating consequences too.
Many of these types of facilities are traditionally SCADA (supervisory control and data acquisition) controlled. In essence, these SCADA systems were built in a very proprietary way, with a number of manual controls that pre-date the internet. As such they were not designed to be networked, nor did they rely on connected technology to run successfully. However, fast forward to today, and many traditional SCADA systems may have elements that are now connected to a network to take advantage of efficiency gains via automation. Even those relatively small connected touch-points could have a catastrophic impact if compromised. One highly publicised example of such an attack was Stuxnet, a malicious piece of code or “worm” that disrupted Iran’s uranium facility in 2010.
The point is that, whilst connected technology can be a great enabler, the potential consequences of compromise also need to be understood and protected against accordingly. Even if only a small part of a SCADA system is connected, or the wider systems that support it (such as monitoring and diagnostics) are connected to a network, it is vital that they are wrapped into a comprehensive cybersecurity strategy to protect against malicious attack. A comprehensive approach must also be able to quickly detect any malicious activity, mount a robust response to minimise impact, and build in processes that enable a swift recovery from a cyber attack. Unless the systems we rely on to provide our critical infrastructure are adequately protected, they will be vulnerable to attack – the results of which may be felt far and wide.
Ten Steps to Improving Security Controls
1. Understand your risk – conduct an annual risk assessment exercise to understand your current risk exposure.
2. Engage with a specialist partner with a track record of conducting similar technical risk assessments.
3. Secure configuration – keep hardware and software protection up to date.
4. Aim for real-time detection – continuously monitor all log data generated by your IT systems in order to baseline ‘normal’ activity.
5. Educate and train your employees – ensure they really know your policies and incident response processes.
6. Check passwords on connected devices – many connected devices are still using weak or factory-default passwords that leave the front door wide open.
7. Incident response – establish, document and routinely test incident management plans to ensure business continuity and to prevent a cascading effect.
8. Secure network – manage the network perimeter and filter out unauthorised access.
9. Malware protection – establish anti-malware defences and continuously scan for malware.
10. Patching schedules – ensure that SCADA systems are up to date with patching schedules and are not using default passwords.
The protection of critical infrastructure against advanced cyber threats in an increasingly interconnected and borderless digital world is one of the most pressing challenges that energy companies face today. Cybersecurity doesn’t inhibit developments in the digital world; rather, it helps make the digital world fully operational and sustainable. And a tailored and risk-centric approach to cybersecurity will adjust the balance of the digital world back toward sustainability and safety.