Need for an operational cyber capacity before promptly and effectively acting on threat intelligence

“The pump don’t work cause the vandals took the handles”[1]

– Bob Dylan, Subterranean Homesick Blues.

“Threat intel” and the vendors who are eagerly trying to offer it are very much in our cybersecurity information space.  It sounds like a good idea.  One gets a tip that something is about to target your operations next week, you thank them, and you immediately take steps to mitigate.  Unfortunately, in operations taking place in critical energy infrastructure it is not that simple.  In an industrial operation this advance warning has come too late.  Even if a vulnerability in the asset owner’s operation is identified, it can take, according to some experts, up to two years to mitigate[2].  For a timely and effective response a capacity must already be present.  The attack can materialize in minutes; if there is no on-site capability that is monitoring the processes, knows the operations as well as the senior plant engineer, and has the training to investigate and respond, the outcome is likely to be tragic.

In the 1960s Sci-Fi TV show “Lost in Space” the robot tried to convey his threat intel that the crew was in imminent danger, but, as often happened, the warning did not help much and it took a whole episode to return things back to normal.

One part of a cybersecurity capacity, in addition to establishing the security policies covered elsewhere in this report, is establishing an active monitoring and response capability on-site: not a capability that exists outside of the organization and has to be called in and paid for in order to clean up the mess after an attack has occurred,[3] but one that is locally manned and an integrated part of the industrial operation.  Below is a set of tasks for an Industrial Cybersecurity Operations Center (ICOC).

Tasks of the Industrial Cybersecurity Operations Center (ICOC)

  • Monitor and check on anomalous Process Flows, Equipment Performance, and Data Flows with a goal of detecting a cybersecurity breach within 24 hours.[4]
  • Identification and recording of all the component pieces and versions in a control system
  • Review available patches and updates of OT devices found closer to the industrial process such as PLCs[5] and other intelligent industrial electronic devices (IIED)
  • Test and apply selected patches and updates in accordance with configuration, change management and safety procedures
  • Responsibility for monitoring control and safety system cybersecurity vulnerabilities
  • Monitoring the current patch levels, malware notifications, and newly discovered vulnerabilities as announced by cybersecurity institutions and by vendors
  • Take part in regular training and education on ICS cybersecurity including attendance at organized ICS security conferences and trainings such as S4, DEFCON, and Black Hat
  • Participation (sending at least one staff person or more per year) in NATO, EU and other tabletop[6] and “Live Fire” exercises such as “Locked Shields”[7] where cyber-attacks on control systems are included in the scenarios.
  • Implementing the recommendations in this report that are beyond the means of current staff capabilities and resources
  • Operation of network management system, Intrusion Detection, or Security Information and Event Management (SIEM) system
  • Use of internal operating system health tools that can be used in both an investigative and in a forensic capacity to identify source of a problem
  • Organize and control use of A/V scanning based solution according to established policies and procedures.
  • Conduct and/or organize (in keeping with established industrial safety requirements), with the help of vendors employing Certified Ethical Hackers, full offline black box[8] and white box[9] penetration testing against the switches, routers, firewalls, controllers and instruments that the operations/control room personnel use.
  • Use of available tools, such as Metasploit[10], where one can use benign attack scripts to prove the existence of a device vulnerability in an automated fashion. This way one can demonstrate a conceptual attack on a test bench without damaging anything.
  • Operation of a security test lab. This should be used to validate patches before deployment, to test security exploits on existing equipment and firmware, and to find and diagnose other bugs and test code before downloading it to the field
  • Ensure user log-ons to the system and IED (including PLC) configuration changes are documented, updated and made available on-site for operations/control room personnel.

Let us get this right and avoid putting the cart before the horse when it comes to protecting critical infrastructure from threats emanating from cyberspace.


[1] https://www.azlyrics.com/lyrics/bobdylan/subterraneanhomesickblues.html

[2] See Dale Peterson’s podcast interview with Ralph Langner, the man who told us about Stuxnet; his comments on the threat intel issue are at the 20:30 to 21:00 minute mark at https://www.linkedin.com/video/live/urn:li:ugcPost:6729798176917876736/

[3] As was done by the owners of a large petrochemical plant in Saudi Arabia after safety systems initiated a second unplanned shutdown of the plant. See: “Triton – A Report From The Trenches”, first responder Julian Gutmanis’s account of the aftermath of the 2017 cyber-attacks on the safety instrumented systems of a petrochemical plant, https://www.youtube.com/watch?v=XwSJ8hloGvY

[4] After 24 hours the chances of discovering an intruder who is actively seeking to establish a stealth presence and cover tracks will drop considerably.

[5] Kovacs, E., “Flaw in Schneider PLC Allows Significant Disruption to ICS”, Security Week, September 06, 2018, https://www.securityweek.com/flaw-schneider-plc-allows-significant-disruption-ics

[6] https://enseccoe.org/en/newsroom/nato-ensec-coe-conducts-its-largest-tabletop-exercise-coherent-resilience-2018/381 , https://enseccoe.org/en/events/268/tabletop-exercise-coherent-resilience-19-natural-18/details

[7] https://ccdcoe.org/exercises/locked-shields/

[8] Black box penetration testing is where the tester has no prior knowledge of what the device is or what it does.

[9] White box penetration testing is where the device is completely known to the tester.

[10] https://www.metasploit.com/


NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization affiliated therewith. Vytautas Butrimas has been working in information technology and security policy for over 28 years. Mr. Butrimas has participated in several cybersecurity exercises, contributed to various international reports and trade journals, and has published numerous articles on cybersecurity and policy issues.