Cybersecurity: Not Just for Information

Although much of what makes headlines or crosses the desk of cybersecurity experts today tends to be related to the stealing of information, operational cybersecurity is a crucial part of the equation. Disaster Resource eGUIDE takes a look at two recent stories about areas that may be overlooked: operational cybersecurity in the chemical and power grid industries.

In an article for Chemistry World called “Security experts warn chemical plants are vulnerable to cyber-attacks”, Andrew Ginter, vice president of industrial security at US-based technology supplier Waterfall Security, warned against firewall vulnerabilities. Allowing suppliers or maintenance contractors remote access to the system also poses a risk, Eric Cosman, chemistry industry cybersecurity advisor, told Chemistry World. The consequences in these cases can go beyond leaked data: equipment failure or damage can also occur, according to the article.

The chemical industry itself can present a challenge to cybersecurity. “For those who design cyber-defences, industrial facilities such as chemical plants pose particular challenges. Some of the strategies which are effective for traditional IT systems can’t be used by industry,” said the article. “The systems that are built to control plant equipment may be designed and built to last decades, which makes them difficult to update regularly in response to constantly evolving threats. And in many cases they need to run 24 hours a day, so cannot be taken down to install security updates.”

Pulling the plug can also be catastrophic in industrial settings. “Even the ultimate safety response of ‘shut everything down’ that is commonplace in IT systems can be problematic in an industrial setting, as shutting down a reaction vessel mid-process could leave an unholy mess to clean up,” said the article. Ginter recommends unidirectional gateways for hardware and limiting access to software.

The United Kingdom’s government announced a £2.5 million investment to research cyber threats to the UK’s industrial control systems, including power stations, national rail infrastructure and manufacturing plants.

An article by Michael McElfresh, adjunct professor of electrical engineering at Santa Clara University, also addresses the danger of cybersecurity threats to plants, in this case, power grid operations.

McElfresh references the infamous 2010 Stuxnet attack, which reprogrammed uranium enrichment centrifuges in Iran, destroying equipment through malware affecting the plant’s programmable logic controllers. He explains that the traditional cure for a cyberattack was useless against a targeted threat.

“The oft-cited solution of an air-gap between critical systems, or physically isolating a secure network from the internet, was precisely what the Stuxnet worm was designed to defeat,” wrote McElfresh. “The worm was specifically created to hunt for predetermined network pathways, such as someone using a thumb drive, which would allow the malware to move from an internet-connected system to the critical system on the other side of the air-gap.” He also cited the growing use of smart grids, and the interconnection of computers and communications with grid computer systems, as increasing access points and vulnerabilities.

McElfresh sees the sharing of information as key to protecting the power grid. “Defending the power grid as a whole is challenging from an organizational point of view,” he wrote. “There are about 3,200 utilities, all of which operate a portion of the electricity grid, but most of these individual networks are interconnected. The U.S. government has set up numerous efforts to help protect the United States from cyberattacks. With regard to the grid specifically, there is the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) programs in which utilities voluntarily share information that allows patterns and methods of potential attackers to be identified and securely shared.”