Had a very productive training and tabletop exercise during my Center’s organized week-long event in Kiev, Ukraine. For more info on what we did in Kiev see ( https://enseccoe.org/en/events/268/tabletop-exercise-coherent-resilience-2017-core-4/details ) (1)
I will share some of the “take-aways” from this week long event which included the participation of Ukrainian government, energy sector operators and private energy industry experts together with experts from other NATO countries and partners.
What really struck me as I thought about the week’s training and exercising is that Ukraine is definitely being used as a “laboratory” to test out the use of cyber to disrupt critical energy infrastructure. It reminds me a bit about the Spanish Civil War of 1936 where the two dictators (Hitler and Stalin) used the opportunity of a civil war to test out their military hardware before the start of WW II. Something similar is happening in Ukraine.(2) The cyber-attacks are on-going and the Ukrainians unfortunately can expect more. One can perhaps say that this is old-soviet era equipment that is being attacked. This is not true for much of the SCADA is being replaced with well-known western brands of equipment.
Another take away is that some of the operators still are not adequately aware of the cyber threats. Often heard comments when the implications of data breaches at web sites were discussed that “our systems [control networks] are kept separate from other networks”. This kind of “in denial” thinking is not limited to Ukraine but is found elsewhere in Europe.
As a matter of fact in yesterday’s workshop that was conducted here at our Center in Vilnius (see https://enseccoe.org/en/newsroom/expert-level-workshop-at-nato-ensec-coe/290 ) (3) I heard the same being said by a representative of a European power company. For example, “Our central SCADA is well protected and we have an information security program in place”. This sounded reassuring until I saw that the security program was based on business office IT security standards such as ISO 27000 and NIST 800.53. (4) I plan to send this presenter some information about standards that are more relevant to the security of the OT used in industrial control systems such as ISA/IEC 62443 (Security for IA and Control Systems) and IEC 61850 (substation communication standard).
I could not help but think that a surprise is waiting to happen in the future for this very confident European manager as was experienced by his Ukrainian counter parts. On the last day (October 20) of our training/exercise course in Ukraine this *Alert* on “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors” was issued (see link below).
https://www.us-cert.gov/ncas/alerts/TA17-293A (5)
While awareness of the dynamic presence of advanced persistent threats to critical infrastructure is rising there still remains a bridge that needs to be built between the IT and OT spheres. This is very true for some of the “good guys” but unfortunately is no longer a problem to overcome for some of the “bad guys” out there.
Reference:
1. https://enseccoe.org/en/events/268/tabletop-exercise-coherent-resilience-2017-core-4/details
2. A good update on cyber attacks against ICS in Ukraine can be found here https://www.sentryo.net/wp-content/uploads/2017/09/EBOOK_CYBERATTACKS-AGAINST-UKRAINIAN-ICS.pdf
3. https://enseccoe.org/en/newsroom/expert-level-workshop-at-nato-ensec-coe/290
4. it may also be appropriate to mention IEC 62351 (cybersecurity for IEC power system communications standards, including 60870 and 61850) and NIST SP800-82 (the control-system specific version of SP800-53).
5. https://www.us-cert.gov/ncas/alerts/TA17-293A