Source: The Cipher Brief
The Cipher Brief’s Luke Penn-Hall spoke to Tom Parker, Chief Technology Officer for FusionX, at the annual Black Hat cybersecurity conference that took place in early August. Parker shared his view of the threat landscape to Supervisory Control and Data Acquisition (SCADA) systems and other critical industrial infrastructure.
The Cipher Brief: What would you say are the greatest threats to industrial control systems right now? How are these threats changing moving forward?
Tom Parker: We’ve seen a period of people doing a lot of reconnaissance of control systems. You see a lot of breaches of companies in the resources business – electric companies, oil and gas, chemical, and mining. That might sound alarming, but the breaches you are really seeing are not touching control systems at all. They are breaching enterprise environments. Like any other company, they have file servers, Sharepoint portals, you name it.
The interesting thing about this is that the attacks are targeting very specific information in many of those environments. They have schematics of the control systems. So while they may not be actually touching the control systems, they’re interested in them.
It makes you wonder why they’re interested. When we think about trends, and what we might see in the future, at some point that information is going to get used, and most businesses that use large critical infrastructure equipment don’t do a particularly good job of segmenting off the enterprise cloud that has malware. They don’t segment well between the enterprise environment and the environment that actually controls the equipment – called the process control environment.
TCB: Is there any way to quantify how prevalent the penetration within critical infrastructure might be from this kind of threat?
TP: You’re definitely going to see isolated attacks against very specific environments. Doing something on a grander and broader scale is actually quite difficult.
One of the things that I teach during the Black Hat Industrial Control System training is: how would you build something that is actually going to take out a sophisticated, large grid system, like the U.S. power grid? What you come to understand is that there is not one power grid. Anyone who tells you that they can hack the grid as if it’s one thing with an IP address is not really sure what they’re talking about. It’s actually lots of interconnections, and it’s a very heterogeneous environment. It’s not like the corporate IT world where you typically have a monoculture of systems, or it’s all Windows systems, so you can develop a technology that might create a worm to go through that. That doesn’t exist in the ICS world because it’s very different and custom-designed based on the process, such as whether you’re refining uranium or oil. It would take a very sophisticated adversary, and quite a bit of resources, to actually do something that was more pervasive.
We’re obviously seeing isolated attacks against control systems. We saw something in the Ukraine fairly recently. We might see something in the future that’s more broad scale, but hopefully organizations can get caught up so that we at least detect something like that and are able to nip it in the bud.
TCB: Booz Allen Hamilton recently released a report about critical infrastructure, and it singled out the rise of Industrial Control System access as a service that’s being offered by cyber criminals to other cyber criminals as a rising threat. To what extent does that influence or change assessments of the risk facing the critical infrastructure industry?
TP: I would say that it’s the same criminals that are selling credit cards or anything that you see on the black market – you name it, and you can buy it. To me, that sounds like an opportunity for defenders as well, if we can infiltrate those forums to find out a list of things that have been breached. If you look at a lot of the dark web analysis services, they do just that. So I wouldn’t say it necessarily increases the risk to critical infrastructure.
TCB: For Industrial Control System operators, among the threats facing them, which would be greater: the cyber criminals or the state actors? Why?
TP: I would say long-term it is state actors, because cyber criminals are typically interested in the theft of intellectual property to sell it. Typical cyber criminals are also looking to breach PII and credit card information in order to sell it. Those are bad, but they are not catastrophic. And we like to talk to our clients about the idea of catastrophic scenarios that could put them out of business tomorrow.
If you think about state-level capabilities and the motivations of a state, they’re not looking to sell things on the black market. In the Defense Department world there is a phrase called “preparing the battlefield,” and the idea is that state sponsors are getting into these networks. They may not be at war with us right now, but they are preparing and planting their wares so that the day that something does happen, they can trigger something to happen to the Industrial Control System environment. So in terms of long-term, highly catastrophic issues, state-sponsored actors are definitely the biggest concern.
TCB: State-sponsored attackers are obviously very adept, complex, and hard to deter or defend against. How can Industrial Control System operators and the people responsible for protecting critical infrastructure better protect themselves from those kinds of threats?
TP: Frankly, it’s a lot of the best practices that we’ve come to learn in the enterprise IT space. In the industrial control space, oil and gas in particular, the historical focus has always been around safety. We haven’t had a significant focus on confidentiality, because those companies don’t perceive themselves to have a lot of intellectual property, and in fact they do. For example, think about things like exploration data. If you explore a potential mine site in South America, you’re going to spend hundreds of millions of dollars getting the telemetry and figuring out how you’re going to get food and water to the site. You are going to do all kinds of geological surveys and rock sampling. It’s expensive stuff. There is actually a market for the theft of that.
The way we stop that is no different from the methods that we’ve used in the enterprise IT world to protect things. All we’re doing is stopping the attackers going one step deeper into the network and being able to access the control systems.
TCB: What should the government be doing to support Industrial Control System operators and the people in charge of protecting industrial control systems? What isn’t happening that needs to? How can the government help ensure that these systems remain protected?
TP: There are many who think industry should be self-regulating. Now in the energy sector, a lot of markets are regulated. In the cloud space, you can make a decision whether to use cloud provider x versus cloud provider y because cloud provider y might be more secure. Typically, you don’t have a choice over which energy company you use or which oil company you use.
In my personal opinion, there is a role to play, from a regulatory standpoint, to put more stringent regulations around operators of grid systems and petrochemical companies that we rely on to drive our cars, use water every day, or turn the lights on.
TCB: There is a sentiment across many in the cyber field that when the government does try to legislate in areas relating to cyber, the process isn’t fast enough to keep up with how quickly things change. Is that not necessarily the case in critical infrastructure because it is so closely tied to physical processes, or do you think that the legislative system would be able to keep up with the pace of change that you’re seeing in the threat space?
TP: I don’t necessarily agree with that. The problem is that we can’t really legislate on anything at the moment. No substantial bills have really passed at all. So it’s not about whether we can create good legislation, it’s more about whether we can actually get that through or not.
Yes, the right legislation does exist. You can make it broad enough that you reference the need to stay tuned into threat intelligence and other things that are ultimately going to keep you up to date. We need to propose frameworks rather than actual individual rules, because if you have legislation that goes into the nitty gritty – for example you need to have at least a six character password – obviously those levels of standards evolve over time. So we need to propose frameworks, not actual controls.
TCB: Looking forward, how do you view the threat space and the responses from industry changing? How do you see this interplay between attacker and defender changing over the next few years?
TP: U.S. President Barack Obama released Presidential Policy Directive 41 last week, which was really interesting, because this normally happens at the end of a term when certain things haven’t gone through. This presidential directive directs federal agencies on how to respond to a cyber breach.
If you read the details of that text, it actually includes private businesses as well. In other words, if you provide services or products to federal agencies, you are basically saying that the federal government can come in and do the response. It has to provide that response, or at least the White House has to oversee the response to the breach. So we’re definitely seeing movement in that regard. You’re going to see more of that.
Unfortunately, in this particular case, industry wasn’t consulted on the presidential directive, and it’s really important for industry group dialogue to occur so the public-private sectors can work together. A lot of the discussion in Washington has revolved around the public-private sector relationship, and we go do this without any conversation. We definitely need to do a better job and see how we can work together to protect our most critical infrastructures proactively and to work together to respond when a major breach occurs.
TCB: How can the relationship between the public and private sectors be improved?
TP: Threat intelligence sharing is a great way to go. The private sector has demonstrated a willingness to share its information. I haven’t necessarily seen the two-way street that would really help that process.
We have a job shortage in the federal government as well. We need to focus on training more of the right people to respond. It’s obvious that we can’t just use the private sector for response, because we are dealing with classified networks and very sensitive environments. We definitely need to focus on the skills shortage as well in the industry.
TCB: Any last thoughts?
TP: In addition to the companies that are using industrial control systems, there’s also a burden on the vendors as well. I would characterize the vendor community in the industrial control system world as probably a decade behind the Microsofts and the Adobes.
When I first started coming to Black Hat 14 years ago, I saw Microsoft making a significant effort to reach out to the cybersecurity and hacker community and figure out how to leverage this community to fix their products. They made significant positive leaps forward. I’d really like to see that in the industrial control space as well.