As stated in my previous post, the threat of cyber-attacks on power and control systems is growing. One factor is the wider proliferation of attack tools and techniques. Aging power infrastructure also contributes, as these systems are rarely patched or updated once deployed. Combine those issues with motives ranging from money to political statements and acts of terrorism, and the chance that the power goes out and things go dark only increases.
We’re not all doomed. There are solutions and strategies that can minimize the problem. By concentrating on three attack vectors, it is possible to take concrete steps to reduce vulnerabilities:
- Social engineering – or hacking humans
- Operations – or hacking systems
- Technology – or hacking devices (this one gets the most media attention)
Protecting against social engineering starts with training. People should be educated on how to spot social engineering attempts, such as phishing. Sending legitimate-looking communications in order to obtain information or money has a long history; versions of the technique go back hundreds of years.
Employees and others should also be trained to spot impersonation. For instance, someone could claim to be a vendor in order to enter a building to fix equipment. Once inside, they plant malware or install a backdoor.
Beyond training employees, institute policies to prevent social engineering. Vendors who must use a computer or mobile device to service equipment may be prohibited from bringing one in from the outside (provide a computer for them to use instead). Or they may be required to prove their devices conform to your security policies.
The operations attack vector involves policies and procedures. For example, it is not enough to ban obviously weak passwords such as “1234” and “password1”. According to the SANS Institute, a password should be at least 12 characters long and mix upper- and lower-case letters, at least one digit and at least one special character. Policies should enforce these requirements technically rather than rely on users to follow them. Likewise, policies should mandate that the default credentials of all hardware and software systems are changed before the system is connected to the network; published default passwords for ICS equipment are among the first things an attacker tries.
Additional protection can be achieved with two-factor authentication. This mitigates credential theft by having users prove their identity two ways: something they know, such as a password, and something they possess, traditionally a cellphone running an authenticator app or a hardware item such as a USB key. A password that has been phished or guessed is then not enough on its own to log in.
Policies and technology intersect in a number of mitigation solutions. For instance, a good policy is to have a guest Wi-Fi network that is isolated from the main corporate network, which in turn is isolated from the Industrial Control System (ICS) network. This defense-in-depth strategy should involve a succession of firewalls so that the ICS network is separated from the outside world by multiple layers, each permitting only the specific traffic the next layer needs.
The selected technology must be designed to work with ICS networks and protocols. Traditional firewalls, such as those used on a corporate LAN, filter on addresses and ports and do not understand the messages passed on an ICS network (such as Modbus); a port-based rule that allows Modbus/TCP lets a write command through just as readily as a read. Ensure firewalls are capable of Deep Packet Inspection (DPI) for the protocols in use on the ICS network, so that rules can be expressed in terms of function codes and target addresses rather than ports alone. Firewalls should also be capable of reporting to or interfacing with an Intrusion Detection System (IDS).
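The following is an added example (not code from the original post or from any firewall product) of the kind of decision a Modbus-aware DPI filter makes that a port-based firewall cannot: it parses the Modbus/TCP MBAP header and function code, rejects malformed frames, and applies a per-zone policy so that the corporate LAN may only read, engineering workstations may write but only to a restricted address range, and guest Wi-Fi gets nothing. The zone names, the `ZONE_POLICY` table and `WRITABLE_ADDRESSES` range are hypothetical; the sample frames are constructed, not captured traffic.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Modbus function codes from the Modbus Application Protocol specification.
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

READ_FUNCTIONS = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Hypothetical zone policy (an assumption for this example): what each source zone may send to the PLCs.
ZONE_POLICY = {
    "engineering": READ_FUNCTIONS | WRITE_FUNCTIONS,   # engineering workstations may write
    "corporate": READ_FUNCTIONS,                       # corporate LAN (reporting, historians) is read-only
    "guest": set(),                                    # guest Wi-Fi gets nothing at all
}
# Hypothetical: the only addresses writes may target, even from the engineering zone.
WRITABLE_ADDRESSES = range(0x0000, 0x0100)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError for anything malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header + function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id}, expected 0 (Modbus)")
    if length != len(frame) - 6:                 # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    if length > 254:                             # a Modbus PDU is capped at 253 bytes
        raise ValueError("oversized PDU")
    return ModbusRequest(tx_id, unit_id, frame[7], frame[8:])


def dpi_verdict(zone: str, frame: bytes) -> tuple[bool, str]:
    """Decide whether a client frame arriving from `zone` may pass into the ICS network."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"drop: malformed Modbus ({err})"
    if req.function & 0x80:                      # 0x80 bit marks an exception response, never a request
        return False, "drop: exception response code in a client request"
    if req.function not in ZONE_POLICY.get(zone, set()):
        return False, f"drop: zone {zone!r} may not send function 0x{req.function:02X}"
    if req.function in WRITE_FUNCTIONS:          # every write PDU starts with a 2-byte target address
        if len(req.data) < 2:
            return False, "drop: write without a target address"
        address = struct.unpack(">H", req.data[:2])[0]
        if address not in WRITABLE_ADDRESSES:
            return False, f"drop: write to protected address 0x{address:04X}"
    return True, f"allow: zone {zone!r} function 0x{req.function:02X} to unit {req.unit_id}"


# Constructed sample frames (not captured traffic): MBAP header + PDU, unit id 1.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")    # read 10 holding registers from 0
WRITE_REG_LOW = bytes.fromhex("0002 0000 0006 01 06 0010 1234")   # write 0x1234 to register 0x0010
WRITE_REG_HIGH = bytes.fromhex("0003 0000 0006 01 06 1000 1234")  # write to register 0x1000
BAD_LENGTH = bytes.fromhex("0004 0000 0009 01 03 0000 0001")      # header claims 9 bytes, carries 6

if __name__ == "__main__":
    for zone, frame in [("corporate", READ_HOLDING), ("corporate", WRITE_REG_LOW),
                        ("engineering", WRITE_REG_LOW), ("engineering", WRITE_REG_HIGH),
                        ("guest", READ_HOLDING), ("engineering", BAD_LENGTH)]:
        print(f"{zone:12s} {frame.hex()}  -> {dpi_verdict(zone, frame)[1]}")
```

A real ICS firewall would do this per TCP stream, track request/response pairing and log every drop to the IDS; the point here is that the allow/drop decision depends on the function code and address inside the packet, which is exactly what a port-based rule never sees.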
Also consider carefully how to defeat USB attacks. Group policies can prevent automatic execution of programs on a USB flash drive; however, some attack tools bypass those policies, for example by presenting the device to the host as a keyboard that types commands rather than as storage, which a storage autorun policy never sees. It may be necessary to restrict which device classes may be installed at all and to limit physical access to unused USB ports.
This post mentions only a few of the steps that can be taken. An overall solution involves minimizing the opportunity for each type of attack. For more steps to reduce vulnerabilities, read our white paper “Securing Power Monitoring and Control Systems.”