By Craig Searle, BAE Systems Applied Intelligence head of cyber security Asia Pacific
Energy companies are benefiting from greater productivity and streamlined operations
that have been made possible by increased connectivity between industrial control systems (ICS), operational technology (OT) and corporate IT. Yet, the greater connectedness also creates opportunities for cyber criminals to sabotage operations.
ICS and OT were previously separated from corporate IT and were not connected to the internet, keeping them safe from attack. As a result, these systems were not traditionally protected. Now that they are connected, they present a potential weak point in an organisation’s security.
It is therefore critical to implement comprehensive security measures to secure ICS and OT. Traditional IT security technologies, such as firewalls, anti-virus, anti-malware and intrusion detection and prevention systems do not provide adequate protection for these specialised systems.
Understanding the threat
As cyber criminals have become better funded and more sophisticated, the threat has become more significant. Sometimes sponsored by nation states, attackers are now looking to sabotage operations, rather than simply stealing information.
In 2010 the Stuxnet computer worm reportedly attacked the industrial programmable logic controllers (PLCs) of a nuclear facility in Iran, causing the centrifuges to fail and disrupting production of nuclear power. Similar attacks on energy creation and distribution networks in Australia are possible.
There is also the ongoing risk of an ‘insider’ attack, where individuals use their skills to manipulate systems or cause process or numerical errors to propagate through the system, causing damage.
This combination of human involvement and technological vulnerability means energy organisations must improve their threat intelligence and protection through both industry-leading technologies and processes.
The evolving nature of protection
The traditional approach of identifying, blocking or remediating cyber risks before damage is incurred doesn’t take into account the increasing sophistication of cyber criminals’ approach. A series of apparently innocuous and unrelated events may be deliberately spaced out over a long period of time to avoid raising suspicion. Faced with that scenario, being able to identify and stop viruses and malware is not enough.
A more effective approach is to place multiple layers of security throughout the network. Each layer is independent, so organisations are protected against a variety of different attacks at different levels. This approach gives organisations more time to detect and respond to intrusions and, combined with advanced monitoring capable of identifying these seemingly unrelated events, can provide intelligent protection.
BAE Systems Applied Intelligence developed IndustrialProtect to help energy organisations overcome these challenges. The military-grade solution is designed to protect ICS. It works by verifying the identity of the individual or system sending information, that the information is received as it was sent, and also that the content is intended and appropriate for the receiving system.
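The three checks described above (who sent the message, whether it arrived unaltered, and whether its content is appropriate for the receiver) can be illustrated with a small message gatekeeper. The following is an added example written for this article, not IndustrialProtect's implementation or any BAE Systems code: the sender names, shared keys, command names and value ranges are all constructed for illustration, and the identity and integrity checks use a per-sender HMAC-SHA256 tag, which is one common way to realise them.

```python
import hashlib
import hmac
import json

# Constructed per-sender shared secrets (hypothetical; a real deployment would
# provision these through a key-management process, not in source).
SENDER_KEYS = {
    "hmi-01": b"constructed-key-hmi-01",
    "historian": b"constructed-key-historian",
}

# Content allow-list: which commands each sender may issue to the receiving
# controller and the permitted numeric range for each. Constructed values.
ALLOWED_COMMANDS = {
    "hmi-01": {"set_pump_speed": (0, 1500), "set_valve_pct": (0, 100)},
    "historian": {},  # read-only role: may not issue any command
}


def _tag(key, sender, body):
    """HMAC over sender id and body, so the tag binds the two together."""
    return hmac.new(key, sender.encode() + b"|" + body, hashlib.sha256).hexdigest()


def sign_message(sender, payload):
    """Build an outbound message: sender id, canonical JSON body, HMAC tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"sender": sender, "body": body.decode(), "tag": _tag(SENDER_KEYS[sender], sender, body)}


def verify_message(msg):
    """Return (accepted, reason), applying the checks in order:
    1. identity: the claimed sender has a known key,
    2. integrity: the HMAC tag matches the body as received,
    3. content: the command is on the sender's allow-list and in range."""
    sender = msg.get("sender")
    key = SENDER_KEYS.get(sender)
    if key is None:
        return False, "unknown sender"
    body = msg.get("body", "").encode()
    # compare_digest avoids leaking tag bytes through timing differences
    if not hmac.compare_digest(_tag(key, sender, body), msg.get("tag", "")):
        return False, "integrity check failed"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed payload"
    cmd = payload.get("command")
    allowed = ALLOWED_COMMANDS.get(sender, {})
    if cmd not in allowed:
        return False, f"command not permitted for sender: {cmd!r}"
    lo, hi = allowed[cmd]
    value = payload.get("value")
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(value, (int, float)) or isinstance(value, bool) or not lo <= value <= hi:
        return False, f"value out of range for {cmd}: {value!r}"
    return True, "accepted"


if __name__ == "__main__":
    msg = sign_message("hmi-01", {"command": "set_pump_speed", "value": 900})
    print(verify_message(msg))
    msg["body"] = msg["body"].replace("900", "99999")  # tamper in transit
    print(verify_message(msg))
```

The ordering matters: a message that fails the identity or integrity step is rejected before its content is parsed at all, so a forged or altered command never reaches the range check, and a legitimately signed command that asks for an unsafe value is still refused by the content step.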
To enhance the effectiveness of security products, organisations can deploy a variety of layered solutions. This could include externalised cloud web browsers, data diodes and firewalls. All of this must be underpinned by consistent, reliable data monitoring.
• Externalised cloud web browsers: Using externalised web browsing, web connectivity is provided via an externally hosted, virtualised, secure browser. This means web-based threats can no longer infiltrate the enterprise network. Any attacks would be constrained to the cloud-based web sandbox, which would be rapidly repaired by reverting to clean virtual machines. This protection works both ways. Malware installed into the network via email or USB sticks would be unable to communicate via the web to its controllers, rendering it practically useless.
• Data diodes: A data diode is a hardware solution that only lets information pass through one way. As hardware solutions they cannot be compromised by software attacks. Data diodes are simple and relatively low-cost but a unidirectional data flow is not always appropriate, particularly in cases where remote access and configuration management are required.
• Firewalls: Firewalls work by setting network traffic rules either based on metadata or, in more advanced systems, by checking the contents of each data packet against a set of known bad signatures. They are relatively inexpensive but they can only prevent known, identified attacks.
Regardless of the technologies used, organisations must ensure monitoring is in place. This includes the enterprise LAN as well as the supervisory networks, OT and industrial processes. Looking for malware is not enough; organisations must also seek behaviours, data or indicators that could mean there is malicious intent present.
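The monitoring the article calls for, and the earlier point about innocuous events deliberately spaced out over a long period, both come down to correlating low-frequency indicators per host across a window far longer than a typical alert rule looks at. The example below is added here and is not part of the original article or any vendor product: the log lines, host names and event types are constructed, and the rule (flag a host that accumulates several distinct stages inside a long window) is a generic illustration of behaviour-based monitoring rather than a signature match.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real environment).
# Format: ISO timestamp, host, normalised event type.
SAMPLE_LOG = """\
2015-01-05T08:12:00 eng-ws-07 usb_device_attached
2015-01-05T09:00:00 eng-ws-02 usb_device_attached
2015-02-11T14:30:00 eng-ws-07 new_scheduled_task
2015-03-20T03:05:00 eng-ws-07 plc_config_read
2015-04-02T22:41:00 eng-ws-07 outbound_new_destination
2015-04-03T10:00:00 eng-ws-02 new_scheduled_task
2015-09-15T11:00:00 eng-ws-02 plc_config_read
"""

# Each of these is unremarkable on its own on an engineering workstation;
# what matters is one host accumulating several of them over time.
STAGE_EVENTS = {
    "usb_device_attached",
    "new_scheduled_task",
    "plc_config_read",
    "outbound_new_destination",
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind = line.split()
        events.append((datetime.fromisoformat(ts), host, kind))
    return events


def correlate(events, window_days=90, min_stages=3):
    """Return {host: sorted distinct stages} for every host that shows at
    least min_stages distinct stage events within any window_days window.
    Events outside STAGE_EVENTS are ignored."""
    per_host = defaultdict(list)
    for ts, host, kind in events:
        if kind in STAGE_EVENTS:
            per_host[host].append((ts, kind))
    window = timedelta(days=window_days)
    flagged = {}
    for host, evs in per_host.items():
        evs.sort()
        # Slide the window start over each event; stop at the first hit.
        for i, (start, _) in enumerate(evs):
            stages = {kind for ts, kind in evs[i:] if ts - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {len(stages)} stages in 90 days -> {', '.join(stages)}")
```

With the constructed data, eng-ws-07 collects four distinct stages inside 90 days and is flagged, while eng-ws-02 shows the same kinds of events but spread over eight months and is not. Widening the window to a year flags it too, which is the trade-off the article describes: the longer the window, the slower an attacker has to go to stay below it, at the cost of more correlated state to keep and review.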
As the threat landscape continues to change, energy organisations must ensure their cyber defences evolve even more quickly. An enterprise approach to these challenges supported by technology, process and co-operation across the organisation will help improve threat intelligence and let energy companies stay one step ahead of cyber criminals.