When weighing up the risks to critical national infrastructure, squirrels are often underestimated. According to CyberSquirrel, a non-profit set up to track such things, the critters have caused 755 national grid outages in the US in 5 years. A further 342 involved birds shorting transformers with their wings. One involved, possibly, a hacker in Russia.
CyberSquirrel’s data show that the relative risk of critical infrastructure getting hacked is small. Keeping a sense of proportion is important. Keeping an eye on how technology is changing that balance is equally important.
Lessons from the Past
In 2010, malware called Stuxnet infected the control systems in a uranium enrichment plant in Natanz in Iran. The result was catastrophic and destroyed much of the plant’s capability.
The attack on Natanz laid bare the vulnerability of Industrial Control Systems to malware. The plant relied on obscurity and physical safeguards to keep secure. Stuxnet showed the flaw in this thinking. If you network a system then it’s not obscure and can be found. Once found, code can destroy it.
Manufacturers of Industrial Control Systems have been slow to learn these lessons. In the last 6 years the need to do so has become pressing for two reasons.
First, there’s the Internet of Things. This describes the network of sensors and control systems embedded into machinery. The adoption of these devices is picking up pace. Technologists’ talks often give the example of fridges restocking themselves. But we now use IoT in far more critical roles. Control systems in power distribution, modern airliners, cars and pacemakers are all routinely networked.
The sophistication of these devices may be accelerating, but the technology used to secure them has not. Basic security measures are often missing or out of date in the software embedded in IoT devices. Engineers installing the machinery are not as familiar with the need to harden those systems against attack. The result is that control systems are often left wide open.
What of obscurity then, the second safeguard relied on to secure industrial control systems?
Never a good tactic to secure a system, keeping critical systems hidden has worked for a while. Unfortunately that will no longer work. Shodan, an online search engine, plans to index the lot. It already provides easy access to lists of vulnerable control systems around the world.
So if what worked 6 years ago no longer works, what can we do? Well, for now, three things.
We learned the lessons of how to make a system secure twenty years ago when internet adoption took off. Those same lessons apply to IoT and industrial control systems. Manufacturers no doubt know this, but must now consistently apply them to their products. Operators must then ‘harden’ those devices when they’re deployed.
The role of IT Security Governance also needs to be reassessed for industrial settings. IT Security and Health and Safety are on a par. When a line of code run from a phone anywhere in the world can destroy a gas turbine, they’re the same thing.
Finally, there needs to be wider recognition that any connection to the cloud by IoT systems is a potential risk. Engineers must design and manage this appropriately; operators must choose suppliers with care. All clouds are not equal; secure local clouds are preferable to the distant, nebulous sort.
The benefits of IoT can only be realised through networks. Attaching national grids to telephone networks can bring efficiency through analytics and centralised control. This is worth the risk, if we do it well. In many respects it mirrors the adoption of the early internet. We’re now in a position to learn from that experience in building the Internet of Everything.
Scott Maxwell is the head of commercial for brightsolid.