In 2013, the Bowman Avenue Dam in New York
In December 2015, three utility companies in Ukraine became victims of BlackEnergy malware, which targeted the firms’ supervisory control and data acquisition (SCADA) systems.
By the programmable logic controllers (PLC)
The Stuxnet computer virus disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material.
The United States Presidential Decision Directive 62 (issued in 1998) stated that “Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.”
Trending in ICS security
Tim Conway, a certified instructor and technical director for ICS and SCADA programs at the SANS Institute, says that globally there are common trends across multiple geographies and critical infrastructure sectors, with asset owners and operators pursuing increased interconnectedness across systems, increased remote access, and increased cloud integration.
“In addition, with this movement toward connecting and operating systems in ways they never were previously designed for, there is a corresponding increase in concern, which is driving regulation and framework adoption to ensure appropriate levels of cybersecurity detection and defence capabilities.”
Tim Conway
What are the current and emerging ICS vulnerabilities in critical infrastructure (in Asia)? What is the industry doing to address these?
Tim Conway: This is truly a global issue. While some sectors may be of higher risk in certain geographies than in other parts of the world, we all face similar challenges across common ICS devices and protocols that are used in various industries.
In general, we are seeing a rise in ICS-targeted malware which is concerning for all vendors and the associated industries that rely on those vendor products and solutions.
Modular malware frameworks that allow adversaries to add capabilities or customise an attack approach have been discovered, and they truly provide a force multiplier capability that could potentially enable an increased frequency of attacks across a broader scope of targets.
With the increasing adoption of IIoT, to what extent are ICS vulnerabilities expanding beyond operational technology (OT)?
Tim Conway: There will continue to be a feverish pursuit of connectivity and automation to everything everywhere; our challenge is in understanding where all those trusted communication paths are, how they could be misused and what impactful effects could be achieved.
Understanding these attack vectors and vulnerabilities will allow organisations and individuals to make risk-informed decisions about what technologies should be pursued and where. The phrase “Just because you can, does not mean you should” applies well here.
Singapore is probably one of the best examples to look at regarding guidance and thoughtful discussions on the development of a common balanced approach to pursuing innovating technologies and interconnectedness with a healthy dose of concern about how those technologies should be implemented and maintained.
Can you share common pitfalls and challenges in ICS security that impact/endanger critical infrastructure security in Asia?
Tim Conway: Every process has unique considerations and nuanced discussions around appropriate cyber-informed engineering concepts that need to be pursued. There needs to be a focused investment in the workforce around the areas of operations, engineering, safety, and cybersecurity to begin addressing the issues truly.
What lessons can Asia learn from recent compromises and attacks in industrial companies around the world – to protect the community and national security?
Tim Conway: As a region, I would recommend any country to look to activities being pursued around the world to run national exercises throughout their critical infrastructure sectors and examine the regulation or guidelines that have been implemented elsewhere to determine if there are areas within their own country that could benefit.
From an attack perspective, each sector should look to impactful attacks around the world and ask the questions of their teams – how that attack could occur in our organisation, would it have been worse, how would we detect and prevent it, what can we do to improve our abilities to operate through a similar attack, and then establish exercises to practice and prepare.
What are the key ICS cybersecurity critical controls that governments and organisations should deploy to adapt, to best fit their environment and risks? How has ICS cyber security evolved in recent years?
Tim Conway: ICS cyber security has greatly expanded from the perspective of solutions and guidance.
We have recently released a whitepaper on “The Five ICS Cybersecurity Critical Controls” and we feel this will significantly help organisations establish focused capital and O&M projects and programs to address the areas of greatest risk.