A colleague recently expressed some dismay over the lack of progress in ICS cybersecurity in the past 20 years. He has a point, but I had to respond. Below is a copy of my response and hope it will be taken as something “for the good of the Order”.
“Yeah I hear ya, but the cybergs must be recognized and dealt with.
I started by ICS journey in 2010 when the news of Stuxnet came out. For me this was a turning point for I realized the real work now was not in trying to protect the IT in the office, ministry, web site and email server. Instead it was in trying to protect where the electricity is coming from to run that IT stuff and where the water was coming from to fill the coffee machine in the lunch and break room. Things did not look good. The perpetrator after the dust settled was led to believe that this kind of activity was effective, cheap (for a state) and deniable. Others took note of this as well. Even hacker conferences started to offer courses such as “Attacking and Defending SCADA”. Later SHODAN appeared and the exploring and doorknob checking by the good defender and potential perpetrator started in earnest. Then national Cyber Commands started to appear, and the unsettling incidents alarmingly continued in this dangerous territory. Common characteristics were disabling safety systems, inhibiting or denying view and control, injecting false telemetry data, and achieving some physical change in the system or damage to property and environment.
Here is just a subjective summary of the events that were publicly reported and noted by the victims since the ICS watershed year of 2010.
- Nuclear enrichment 2010
- Steel mill 2014
- Power grids 2015/16
- Shipping/Transport 2017
- Petrochemical plant 2017
- Semiconductor plant 2018
- Extrusion manufacturing 2019
- Supply chain (SW/Orion) 2020
- Pipeline shutdown 2021
- Satellite terminals 2022
- PLC attack tools discovered 2022
- Steel mill 2022
The response by the security policy making community to these events associated with the activity of their member nations has been most disappointing. I often relate in my work that “the cyber diplomats have dropped the ball and the effort to defend these systems has been left to the engineers”.
The response by government policy makers has been poor. I recently wrote a critique (put my hand in the hornets’ nest again) of the just released USG National Cybersecurity Strategy where I pointed out the mention there of the need to protect “baby monitors” and “personal fitness devices” as an example of being a bad move. This policy maker mindset is truly transatlantic for the European Union is working on something similar (Cyber Resilience Act) that includes the need to protect “smart speakers” in people’s homes.
What have I learned in these past 13 years. Here is my take. All are welcome to share theirs:
- Attempts to disable industrial safety systems (SIS)
- Cyber-attacks that appear targeted, cause collateral damage.
- Little or no industrial cyber forensics available
- IT centric cybersecurity approaches are inadequate for CIP.
- In most cases victims are compliant with industry standards and best practices (i.e. segmentation, firewalls)
- Supply chain as attack vector
- Asset owners, cybersecurity solution providers and software firms are surprised when it happens.
- “Cyber diplomats” of states have dropped the ball on norms and have left the engineers to defend on their own.
- This activity continues to be effective, cheap (for a state) and deniable.
Ok, where is the bright side to all this as I started by saying I wanted to be optimistic today.
First, even though it is seldom noticed or reported in the press stories, the engineers are doing their job every day and keeping the services vital to the society, its economy, and its well-being in a good state. They are also aware and willing to listen and do something about it. For example, in the summer of 2021 (nearly 20 years after Bill Gates email about trustworthy computing) engineers got together and published the Top 20 PLC Secure Programming Practices (PLC means Programmable Logic Controllers). It was and is a great effort in the right direction (I was even allowed to participate in the process) which brought attention to the security of probably the most ubiquitous ICS device used in critical infrastructure (by C.I. I do not mean the IT in the office).
Other informed best practices are now available to aid the government policy maker and asset owner. Standards organizations like the International Society of Automation are currently updating the ISA/IEC 62443 Industrial Automation and Control System (IACS) cybersecurity standard. Standards organizations are conservative entities and things change slowly but the ISA has recently created a workgroup that in partnership with the US DoE is writing security profiles for substations. NATO which represents many developed countries in Europe and N. America has a strategic pipeline system. To their credit the operators of the 10 nations belonging to NATO pipeline system (NPS) commissioned a cyber risk study of the ICS used in the 4 Central Europe pipelines that supply aviation fuel and later, as a follow up, a Cybersecurity Guide to cover the entire NPS. Several members of this list (they know who they are and have been recognized offline) made key contributions to these works.
If one looks back one cannot deny that we are not in the same state the community was in 2010. We are no longer surprised, we know what is going on. The problem has been recognized and informed measures are being taken and best practices are being made available. The last bit of work left is to get the decision makers in the policy community to “get it”. They cannot do it with the IT computer science bias they tend to have. This gap can only be bridged if they start reaching out for help from the community (and vice versa). I am not thinking of ICS security solution providers. They are part of the community of course, but what is needed is for the engineering part to start leveraging their expertise about the physical process so we focus on things like protecting PLC’s and not baby monitors. As I often say “…It is worrying when the engineering community that is running the power grid, petrochemical plants, and water systems is not represented.”
Perhaps I have gone too far in this. The Good, Bad and Ugly undoubtedly exist in cyberspace. However good things are happening in the community to improve safety, reliability and resilience of critical infrastructure such as the SCADASEC List. Let us not stop now, let’s knock on the doors and introduce ourselves (donuts are cheaper if you buy them later in the day) , we are getting closer and should keep up the effort.