“Whenever you do a thing, act as if all the world were watching”[1] – Thomas Jefferson
Jake Brodsky shared an article about another water utility incident and went on to write a blog about it ( https://scadamag.infracritical.com/index.php/2021/06/17/yet-another-water-plant-at-risk/ ). Both of these got me thinking. Assuming there is a desire to achieve excellence, is there something an asset owner and/or senior plant engineer can do to avoid these embarrassing incidents? Besides the good practical, engineering-based advice given in Jake’s article, I will add some more from the point of view of someone who has worked in the defense area.
The most important piece of advice I can give to an asset owner who has read Jake’s article is, in addition to employing Jake’s recommendations, to consider your operations as a target. You must remember that if your operation is considered critical infrastructure, it can be an attractive target for an adversary. Hurting your operations will also hurt your community and country in terms of people’s lives, damaged property and harm to the environment.
Besides the things that can just go wrong on their own, unintentionally, you have three kinds of adversaries to worry about. One is someone I will call a “hacker” who has various levels of skill but may be coming to peek through your windows with the help of an advanced tool such as Shodan. When Shodan became widely available, I was quite concerned about the potential for abuse and misuse. For a long time in my presentations I used a slide called “You even can be “blindfolded” and use SHODAN to find C.I. on the Internet”. I presented an example of a user posting on Twitter about his success at reaching control systems with the help of Shodan. What remains is the question of what would actually have happened if he had pressed one of the control buttons on the screen. In the case of Oldsmar, the intruder did press or click on one of the controls.
A wise defender should consider the possibility that their systems are visible on SHODAN and, if so, what the “visitor” could do with that kind of access. There are several mitigations that can be applied to avoid this threat if there is a will and interest in doing so.
The other threat that is currently taking up a lot of the media’s attention is cybercriminal use of ransomware to disrupt operations. The term “disruptionware” has appeared to describe how a ransomware attack on the Office IT systems of a critical infrastructure operator can result in shutting down a physical process. This should not be allowed to happen. No problem on the Office IT side should spill over and affect what is going on where the physical process is. Addressing this will not be easy, as it will have to account for all the new connectivity being established in the enterprise. Nor will it be cheap, for it concerns issues of design and choice of system architecture in the framework of a corporate cybersecurity program.
The third, and in my opinion the most dangerous in terms of potential for causing loss of life and damage to property and the environment, comes from the state cyber actor or APT. I will say right away that if this crew gets an order to get you, they will get you. Whatever defensive measures you are able to employ on your own may be overcome by an adversary that is patient and has a variety of high-level skills and resources to draw upon to find a way around the defense. In this case, you may need help from the outside, such as from your government and your colleagues in the industry. By yourself you will simply be outmatched by this threat actor, but there are things that can be done to make the attacker’s work harder and, if they succeed, to limit the damage and speed recovery.
OK, so you are convinced you have to do something but are worried that it will cost a lot of money and that you may not get the support you need from the CFO and members of the board. It may also be hard to know where to start. Here are some quick wins that can make your operations harder to target but cost very little other than some time and attention.
- Look beyond the perimeter to see what is going on in cyberspace. We need to see what incidents are occurring and what capabilities (if intentional) are being demonstrated before thinking about how to address them.
- Have someone do some research and report on incidents. One good place to look is at http://search.infracritical.com/
- Learn about Stuxnet, NotPetya, Industroyer and Triton. (The Internet and YouTube are your friends.)
- Start a conversation about cybersecurity with your vendors. Meet for coffee and seek a common understanding on the importance of applying security measures in a safe way that does not reduce safety and reliability.
- If you do not want to use two-factor authentication, make an effort to change (or implement) your password policy. Require every operator to have their own password (no sharing) and change it once a month.
- If you have to use remote access, then actively manage it in real time. Set the time for remote access, know who is coming in (call and coordinate ahead), know when they are leaving, and then close the window. Treat this the way a visitor is treated when they are granted entry to your grounds: under supervision at all times.
- USB memory stick policy. Use of these on the operations side should be either not allowed or rigidly controlled – issued by you on a need-for-work basis and checked often.
- If you cannot or just don’t want to run AV software on your operations side, then at least check and control the laptop used by your chief engineer to configure devices. If a scan shows a problem on this notebook, then, like finding the “dead canary in the coal mine,” you know you have a problem and need to call in help.
- Best practices and lessons learned are available. There are too many to list here, but in terms of securing your PLCs some good news came out recently. Check out the PLC Top 20 Secure Coding Practices. If you farm out this work to the vendor, require your vendor to use them. They are available at no cost: https://www.plc-security.com/index.html
These are some quick wins that reduce some anxiety by doing something. It is no substitute, however, for working under an approved corporate or facility cybersecurity program. That is a topic for a future blog.
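The remote access quick win above (set the window, coordinate ahead, close the window when the visitor leaves) can be turned into a small gatekeeping rule. The code below is an added illustration, not code from the blog or from any vendor; the vendor names, the maintenance day and the 15-minute grace period are constructed sample values.

```python
# Added example: a minimal time-boxed remote-access gatekeeper. A vendor session
# is allowed only if it was coordinated ahead of time, only inside its approved
# window, and not after the vendor has reported leaving. Sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class AccessWindow:
    vendor: str                            # who is coming in
    coordinated: bool                      # "call and coordinate ahead" was done
    start: datetime                        # window opens
    end: datetime                          # window is scheduled to close
    closed_at: Optional[datetime] = None   # set when the vendor reports leaving


def at(hour: int, minute: int = 0) -> datetime:
    """Timestamp on one constructed maintenance day (sample data only)."""
    return datetime(2021, 6, 18, hour, minute)


# Constructed schedule: one coordinated window and one that nobody confirmed.
SAMPLE_WINDOWS: List[AccessWindow] = [
    AccessWindow("PumpVendor", True, at(9), at(11)),
    AccessWindow("HMIIntegrator", False, at(13), at(15)),
]


def decide(windows: List[AccessWindow], vendor: str, now: datetime) -> Tuple[bool, str]:
    """Allow or deny a connection from `vendor` at `now`, with a reason for the log."""
    for w in windows:
        if w.vendor != vendor:
            continue
        if not w.coordinated:
            return False, "window was never coordinated ahead of time"
        if w.closed_at is not None and now >= w.closed_at:
            return False, "vendor already reported leaving; window is closed"
        if w.start <= now < w.end:
            return True, f"inside approved window {w.start:%H:%M}-{w.end:%H:%M}"
    return False, "no approved window for this vendor at this time"


def close_window(w: AccessWindow, now: datetime) -> None:
    """Vendor reports leaving: close the window now, even if time remains on it."""
    w.closed_at = now


def overdue(windows: List[AccessWindow], now: datetime,
            grace: timedelta = timedelta(minutes=15)) -> List[str]:
    """Vendors whose window expired without a sign-out: the visitor never checked out."""
    return [w.vendor for w in windows if w.closed_at is None and now > w.end + grace]
```

Run `decide` at the point where the remote connection is accepted, and run `overdue` on a timer so an unclosed window becomes a phone call rather than a forgotten open door.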
At the end of the day, if you really want to avoid the surprise and embarrassment of a breach, you need to take a good look at the way you operate and how it may look to an adversary, rather than wait for it all to come out in the post-breach investigation.
[1] https://www.brainyquote.com/quotes/thomas_jefferson_141477