Abstract
When industrial control systems are connected to the Internet, they can be vulnerable to cyber attacks. At risk are energy sources and electric grids, water and sewer systems, manufacturing, banks, transportation and communication networks, and other systems that may be targeted by hackers, terrorists, or enemy states seeking to wreak economic havoc. Despite a series of well-publicized cyber attacks in recent years, few companies have taken the steps necessary to isolate industrial control systems and sensitive information, and to limit the damage an attack can inflict. Security is not just a matter of dealing with technical issues, which are fairly straightforward and tactical. The strategic issue is governance: coordinating the efforts of various departments to ensure that information technology works together with physical security, legal counsel, human resources, and operations management.
Thirteen years ago, a disgruntled sewer system operator in Maroochy Shire, Australia, filled his car with a laptop and radio equipment apparently stolen from his employer and drove around giving radio commands to the pumps and valves that controlled the local sewers. Pumping stations went haywire. Raw sewage poured into local waterways. Creek water turned black, fish died, and the stench was appalling (Brenner, 2011). This was an early warning of the danger inherent in connecting industrial control systems to the Internet, but Maroochy Shire was far away, and very few people were paying attention.
Nasty things that start on the other side of the world have a way of ending up on one’s own doorstep, however, and the vulnerability to electronic mayhem of control systems that run railway switches, air traffic control systems, manufacturing, financial systems, and electric grids is now an endemic condition. In Brazil, a cyber attack in 2007 plunged more than three million people into total darkness and knocked the world’s largest iron ore producer offline, costing that one company alone about $7 million (CBS News, 2009).
The world’s superpower is not invincible either. Today the North American electric grid is being attacked ferociously and often—sometimes by intruders so skillful that government help is needed to fend them off. Municipal water and sewer systems are also vulnerable. Even the US military recently warned that it can’t guarantee its own operations under a sophisticated cyber attack, and that US allies are in the same position. And as Edward Snowden has demonstrated, a lone subcontractor can gain access to highly classified intelligence, which in turn could confirm that the United States has penetrated networks in other countries.
Although military and intelligence vulnerabilities are of obvious concern, frequent and intense cyber attacks are aimed at businesses. Attacks can originate with foreign rivals seeking proprietary information, hackers exacting revenge or looking for lucrative loopholes, or even terrorists hoping to wreak economic havoc. Few companies are willing to isolate industrial control systems from the Internet. Securing information is not just a matter of technical knowhow, but also of coordinating the efforts of various departments to ensure that information technology works hand in hand with physical security, legal counsel, and human resources.
Connecting everything
The roots of the Internet go back to the 1960s. It was created to enable collaboration among a small, trusted group of scientists in government and at a few geographically dispersed universities. But as its inventors ruefully admit, they built it with no security layer. They saw no need for it. In fact, until 1992, it was against the law in the United States to use the Internet for commercial purposes, and almost no one outside the United States was using it at all. When the US Congress removed that prohibition, it unleashed a productivity surge and a behavioral revolution that brought wealth and pleasure to hundreds of millions of people. Unnoticed by almost everyone, however, it also created extraordinary vulnerabilities.
The United States, and the rest of the world after it, took this porous communications network and turned it into the backbone of national and international financial institutions, personal finance, controls on critical infrastructure, virtually all communications including military command and control, and much else besides. Everything companies do runs on the Internet or is exposed to it. Governments run on it. Air traffic control and rail switches run on it. The heating and ventilation in workplaces run on it. Yet because the Internet was engineered with no security layer, it’s basically a masquerade ball. It is impossible to be certain of the identity of individuals communicating via the Internet, and it is beyond the capability of most people to discern whether a message that looks like mere content is in fact an executable instruction to perform malicious operations. The distinction between content and action has dissolved: Electrons do things, they don’t merely represent information.
Most industrial control systems still in use today have a life span of 10 to 20 years, sometimes longer, and were designed at least a generation ago, before ubiquitous connectivity became a fact of life. They were not networked and they were meant to be physically isolated, so these systems had no built-in electronic security features. The efficiencies gained by connecting devices to the Internet became quickly apparent, however. Once networked, they could be managed from afar, and dispersed systems could be managed together. They could also be penetrated.
Since about the year 2000, the public has become painfully aware that personal information, company secrets, and even government secrets can be stolen electronically with ease. An intruder who can penetrate an electronic system to steal information from it can also corrupt the information on that system, make it go haywire, or shut it down entirely. That’s what happened in Maroochy Shire. It also happened in Venezuela during the winter of 2002 to 2003, when strikers targeted systems that controlled the loading of tankers, disrupting harbor operations (Siemens Totally Integrated Automation, 2010). As this attack demonstrated, information security and operational security have converged, and both have become radically more fragile as a result.
Wake-up calls
Cyber network attackers know how to physically destroy equipment with nothing more than a keyboard and mouse. In 2007, in an experiment run by the Idaho National Laboratory, researchers blew up a diesel-electric generator by taking over its controls remotely, opening and closing breakers, and inducing rapid changes in the electricity cycles that powered the machine. Such attacks would be difficult to carry out, but they can be done. With an insider’s help, they may not be difficult at all.
The Idaho experiment was a wake-up call for owners and operators on the electric grid, but many of them hit the snooze button and went back to sleep. Large parts of the grid remain vulnerable to this kind of attack today because some managers just don’t want to hear the message (Brenner, 2011).
The alarm bells got much louder in 2010 in an operation known as Stuxnet, named after malware that was surreptitiously inserted into the Siemens control systems running the centrifuges in Iran’s uranium enrichment program. About 1,000 centrifuges spun out of control and were physically destroyed. Stuxnet was an extraordinarily sophisticated, multi-step attack that employed at least four separate, previously unknown vulnerabilities in Microsoft operating systems. It is widely believed to be the work of the US and Israeli intelligence services. But while inventing Stuxnet required exceptional skill and resources, copying it does not. Its methods have now been laid out cookbook-style for the edification of aspiring but less gifted operators the world over.
Another alarm bell rang in August 2012, when attackers invaded 30,000 computers at the Saudi Arabian oil company Saudi Aramco. Most US officials and well-placed but anonymous private sources in the Middle East attribute these attacks to front organizations operating under the control or direction of the Iranian government. The information on the computers was wiped clean, and the machines themselves turned into junk. The attack failed to disrupt oil production but was highly destructive.
Attackers launched a similar but less well publicized attack against RasGas, a company in Qatar that produces liquefied natural gas, during the same month (Reed, 2013; Reuters, 2012; Walker, 2012). The message is no longer deniable: Owners and operators of industrial control systems anywhere in the world must now realize they are vulnerable and face real threats. Attacks against such systems are not science fiction. They will continue to occur, probably with increasing frequency, and they can be undertaken by politically motivated vandals as well as terrorist groups and national states.
Since September 2012, US banks have been under intense distributed denial-of-service attacks that have disrupted services and have cost tens of millions of dollars to fend off. Anonymous forensic experts in the US government and private sector attribute these attacks to Iran. Denial-of-service attacks are nothing new, but they are now occurring with ferocious intensity, and the banks have not been oblivious to the destruction wreaked on Saudi Aramco and RasGas. If one or more major banks could be taken down, the consequences for the world financial system could be disastrous. Bank security officers have so far stayed ahead of the game, but they are nervous. So are the smarter security officers at major electricity-generating operations, who realize they are no match for attackers sponsored by a nation-state with first-rate capabilities.
Fortunately neither Russia nor China has any interest in launching such an attack, because the aftershocks from economic disaster in the United States could bring them to their knees. Nor do sophisticated state-sponsored criminals want to destroy an economic system they exploit. It is cold comfort, however, when a nation abandons its defense to the goodwill of adversary states and international criminals. And as the attacks on Saudi Aramco, RasGas, and US banks have shown—not to mention Al Qaeda’s attacks on New York and London—some of America’s adversaries would be happy to see its economy in a shambles. Iran, with its economy crippled by United Nations and Western sanctions, would probably return the favor if it could. Cyber attack capabilities are a matter of expertise rather than capital—and expertise, like water, finds its own level over time. When an attacker gets help from an insider, the time can be quite short.
Getting it right
The goals for any business today are to make itself harder to attack and to limit the damage an attack can inflict. Wherever possible, control systems should be isolated from the Internet. That accomplishes both goals at one stroke. If business executives can’t or won’t isolate control systems, they must think deeply about strategic defense and resilience. Undoubtedly, some of the challenges involve money and technology. To control risk, managers must know who is on their system, what hardware and software are running on the system, and what traffic is going through the system. It’s startling to see how many companies can’t do any of these things, and how few can do them all.
The prevailing view is that information security is a purely technical problem that the business people should not have to think about. This is a profound error—as if systems can operate securely without reference to how, when, and where they will be used, and by whom; as if information can be secure without regard to rules of access or operations. Breaches are nearly always enabled by multiple factors, and organizational failure and human carelessness are two of the most common.
With many companies, the technical issues are fairly straightforward, and they are utterly tactical. The strategic issue is almost invariably governance. Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But none of the people overseeing these areas—the general counsel, the human resources director, the chief operating officer, or the information technology director—owns the problem. This makes cyber security a risk management and governance challenge that must be dealt with at the C-suite level, because unless these people attack the problem together, it cannot be managed effectively. Unfortunately, this rarely happens. Network governance is especially difficult for multinational corporations, which must operate under different legal regimes and must often cope with serious intramural rivalries.
In many cases, integration is a challenge even within the corporate security apparatus. Operational and physical security—guns, gates, and guards—are traditionally run by the corporate cops. Information security is traditionally run by the geeks in the wire closet. These two groups do not speak the same language, have different social and educational backgrounds, and do not usually get along. But bifurcating security is no longer intelligent. Doors, alarms, and other physical security measures are largely run out of that wire closet now. And when the CEO visits a dangerous place, his or her calendar is probably on Outlook, where it is exposed to potential kidnappers. Unless security is integrated throughout an organization, it’s hard to get it right.
In 99 cases out of 100, when the CEO reads an article like this and asks his chief information officer about it, the CIO says, “Don’t worry, boss. We’ve got this covered.” Verizon’s most recent annual data breach investigations report, however, says that 69 percent of breaches in 2012 were discovered by third parties (Verizon, 2013). My advice to the boss: You may want to figure this out yourself.
Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.
