The critical-infrastructure networks that help run and administer water utilities, power plants and manufacturing are susceptible to a different set of threats than most information-technology systems, making them harder to attack when correctly configured, but also harder to defend against certain types of attacks, according to a group of security experts.
While information security managers worry about malware and breaches by external attackers, operational-technology (OT) security managers have to worry more about physical break-ins, rogue employees and unsanctioned information technology set up inside a security perimeter, said Michael Phillips, corporate information security director at CenterPoint Energy, during a presentation at the RSA Security Conference in San Francisco.
Most critical-infrastructure networks attempt to separate the IT side and OT side of their operations, he said.
“Physical access still remains the bigger risk for us,” Phillips said. “In a typical OT system, the insider that turns rogue on you is the bigger risk, or someone who physically breaks in.”
The security of critical infrastructure has become a major issue for the United States and other countries. With the use of the Stuxnet worm against Iran’s nuclear processing capabilities, cyber-criminals and hackers across the globe got a demonstration of the power of attacks on industrial control systems (ICS).
Since then, security researchers have increasingly focused on finding vulnerabilities in technology that uses a popular monitoring and control protocol, known as supervisory control and data acquisition, or SCADA. In 2013, for example, more than two dozen SCADA flaws were found and reported to Hewlett-Packard’s Zero Day Initiative bounty program, double the number from the previous year.
While the representatives of the utilities worried about physical access, a consultant from Knowledge Consulting Group, which tests the security of its clients’ offices and networks, argued that the company’s consultants had little trouble remotely accessing operational systems by compromising information technology.
Phishing emails, for example, had an 18 percent success rate within critical-infrastructure firms, and on average gaining access to the critical domain controllers on the IT network took only 2 to 4 hours, said Andrew Whitaker, director of the firm’s cyber-attack penetration division.
“Once we get in, we target the SCADA engineers, spending the entire day monitoring that engineer, to see how they get into” the operational network, Whitaker said. Only once did the firm fail to get into an operation network, when the targeted firm used a floppy disk to transfer data from the corporate network to the operational side, he said.
While the RSA Conference was packed with security vendors hawking the latest defensive technology, most of these products are not designed to work in an operational environment, Scott Saunders, information security officer for the Sacramento Municipal Utility District, told attendees. Walking the RSA floor to shop for defensive technology would likely be a fool’s errand, as most security products are designed for information networks, not operational networks, he said.
“They seem great, but my environment isn’t connected to a traditional environment where you have traditional malware,” Saunders said. “We can do traditional malware detection … and it would never find anything in our environment.”