From critical infrastructure industrial company’s perspective, cyber security issues pose formidable challenges.
An industrial company takes the help of an engineering consulting firm to design the control system and enters into a contract with the control system vendor for maintenance. Thereby, it manages its automation infrastructure with minimal workforce that primarily addresses the core operational needs, such as routine operations, troubleshooting, calibration of filed instruments, and such others.
Only few among the workforce may possess information technology skills. Therefore, a typical industrial company is not likely to have the necessary human resources to effectively deal with the cyber security challenges. Ensuring the protection of control systems from cyber threats is a full-time task and it is an evolving need. Meeting this emerging demand would call for developing a new management framework and realigning relationships among various divisions within the enterprise and between the enterprise and its external.
An industrial company takes the investment decision regarding the control systems during the project conceptualization and implementation stages with the presumption that it would work over a long period with marginal budget support during operations. The present cyber threat outlook has changed all that. The threats are real and there are no quick or easy answers.
All critical infrastructure industries such as communications, oil & gas, power and water utilities, transportation, and similar others extensively use industrial control systems, which at one level are applications built on the information technology foundation.
Cyberspace comprises IT networks, computer resources, and all the fixed and mobile devices connected to the global Internet. A nation’s cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space—land, sea, river waters, and air—cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it.
Nations are investing heavily in their ICT infrastructures with a view to providing higher bandwidths, integrate national economies with the global marketplace, and to enable citizens or “netizens” to access more and more e-services.
Given the security problems, there is increased emphasis on, and investment in, the security of cyber infrastructure. Core Internet protocols are insecure, and an explosion of mobile devices continues to be based on the same insecure systems. This is adding up to increased usage of the Internet in more vulnerable cyberspace.
Protection of critical infrastructure operations has emerged as a major challenge. This is because trillions of dollars move through the networks every day involving a broad range of activities, including e-commerce, e-governance, travel, hospitality, health care, and general communications. Electricity distribution, water distribution, and several other utility services are based on ICT infrastructures. The defense sector relies heavily on electronic systems.
Critical infrastructure is largely owned and operated by the private sector. But is security only the private sector’s responsibility? Does this mean that government has a lesser role? These are some of the important cybersecurity issues that nations are grappling with. At an organizational level, too, cybersecurity is not merely a technology issue, but a management issue. This is grounded in enterprise risk management, which calls for an understanding of the human, process, legal, network, and ICT security aspects.
It is obvious that multiple agencies are involved in securing ICT infrastructure. These include private operators for their respective pieces of the infrastructure. Their efforts need to be firmly coordinated through an integrated command-and-control entity, which should serve as a unifying structure that is accountable for cybersecurity.
Roles and responsibilities of each of the parties need to be clearly defined. At the same time, governments need to establish the appropriate policy and legal structures. Nations, such as the United States, have advocated for a market-based, voluntary approach to industry cybersecurity as part of the National Strategy to Secure Cyberspace. But this has not worked entirely, because security investments made by industry, as per their corporate needs, are not found to be commensurate with the broader national interest. How will the additional private investments be generated? Is there a case for government incentives, as part of an incentive program to bridge the gap between those security investments already made and those additional ones that are needed to secure critical infrastructure?
Several security surveys point to this need. They reveal a lack of adequate knowledge among executives about security policy and incidents, the latest technological solutions, data leakage, financial loss, and the training that is needed for their employees.
Since cyberspace is relatively new, legal concepts for “standards of care” do not exist. Is there a case for governments to offer incentives to generate collective action? For example, they could provide reduced liability or tax incentives as a trade off for improved security, new regulatory requirements, and compliance mechanisms.12 Governments need to provide incentives for industry to invest in security at a level that is not justified by corporate business plans.
Operation of critical infrastructure industries without control systems, such as distributed control systems (DCS), programmable logic controllers (PLC), and / or supervisory control and data acquisition systems (SCADA) is inconceivable. While control systems are fundamentally built to ensure safe operation of the plant in complying with health and environmental requirements, information technology solutions are built to leverage its awesome power to gather, store, and retrieve data, analyze and convert them into information, and initiate actions in a collaborative and user friendly manner.
While secure operation is only a desirable feature, functionality and ease of use are the corner stones on which information technology solutions rest. On the other hand, in the case control systems, safety and availability are the overriding requirements and only secure systems can ensure them.
As the news about malwares such as Stuxnet and Flame triggered alarm bells among critical infrastructure companies, the advisories and notifications NIST, NERC, Homeland Securities and such others have contributed to heightening their awareness about the vulnerability of industrial control systems to cyber-attacks. Despite all these and the spate of other recent happenings in the cyber world, industrial companies are yet to come to terms with the new reality. The moot question is; do they have the necessary wherewithal to grapple with the cyber challenges and effectively implement corrective measures? Probably, the answer is ‘no.’
According to the ICS-CERT Advisory released recently, some of the Siemens Industrial Products that may be working in critical infrastructure sectors are vulnerable to OpenSSLHeartbleed. Siemens in its Security Advisory ‘SSA-635659: Heartbleed Vulnerability in Siemens Industrial Products’ says, the ‘Heartbleed’ vulnerability could affect several Siemens industrial products. The company’s suggestion on the mitigation includes steps such as disabling the web server or limiting web server access to trusted networks only, disabling FTPS, and such others. End users’ challenges in handling such situations and in implementing mitigation measures recommended by the supplier of industrial products are significant.
According to the Microsoft’s notification on the withdrawal of technical support or security patches and updates for the Windows XP operating system, systems running Windows XP after April 8, 2014 could result in increasing the cyber security risks, as no new security patches for vulnerabilities would be available. The implied meaning is, either upgrade to a newer operating system or buy a new computer; if you want to get some additional time then Microsoft would do you a favor but at additional cost – not a small sum as the UK government signed the deal that cost almost £5.6 million.
However, implementing some of the suggestions contained in the above-mentioned advisories and notifications pose challenges to many of the asset owners who essentially are users of industrial control products, which are an integral part of much larger complex plant and enterprise automation system-architecture. Compared to enterprise applications where potential disruptions are manageable, the implementing the mitigating measures are more serious in Industrial control applications, which demand low downtime and may involve customization. In the case of enterprise applications, it is possible to take a backup, shut down the system, and apply patches or updates and then restart. However, in the case of real time control systems in critical infrastructure industries, which require 24×7 availability, shutdown has to be a scheduled operation with adequate planning. Often applying updates and such other measures may call for redeveloping control applications involving additional efforts, interoperability testing to ensure that the software update works and is compatible with legacy subsystems, and unbudgeted expenses. Additional hardware upgrade required, if existing hardware does not meet system requirements, and the need to monitor and evaluate the stream of patches and updates that flood almost on continuous basis are the other caveats.
Companies must now fend off ever-present cyberattacks—the threat of cybercriminals or even disgruntled employees releasing sensitive information, taking intellectual property to competitors, or engaging in online fraud. While sophisticated companies have recently endured highly public breaches to their technology environments, many incidents go unreported. Indeed, businesses are not eager to advertise that they have had to “pay ransom” to cybercriminals or to describe the vulnerabilities that the attack exposed.
Given the increasing pace and complexity of the threats, corporations must adopt approaches to cybersecurity that will require much more engagement from the CEO and other senior executives to protect critical business information without constraining innovation and growth.