Five years ago industrial cyber security expert Terrance Ingoldsby was speaking to a group of officials at a Canadian energy company when a senior executive excused himself and walked out.
“We’re locked up tight as a drum,” he explained, shrugging off any security concerns about industrial controls systems (ICS).
After the exec had gone, Ingoldsby recalls, the remaining staff looked at each other. “Well, do we tell this guy?” one said. “We’ve been hacked three times in the last six months but the boss doesn’t want to know about it.”
That exec’s attitude isn’t seen much in Canada any more in the critical infrastructure sector, says Ingoldsby.
As Public Safety Canada’s annual Industrial Control Systems Security Symposium starts today in Montreal, that’s the good news.
The bad news is that even three years after the federal government implemented its first national cyber security strategy to help critical infrastructure shape up – and Ottawa was warning and assisting industry about possible problems for years before that – there is still work to be done to better secure this sector. Critical infrastructure that runs on industrial controls [including supervisory control and data acquisition (SCADA) devices] includes power grid operators, energy producers, rail and shipping companies, airports and telecommunications providers.
“Companies are working diligently to try and greatly improve the security of their systems,” says Ingoldsby, one of the conference speakers. “They’re not there yet – and I think they know they’re not there yet.
“If a major state-sponsored intelligence agency decides to do something nasty to the North American grid, could they do it? I suspect they could.”
“I honestly think they’re going too slow,” says Jeff Thomas, a Calgary-based risk consultant and partner at KPMG Canada’s advisory services. “I’m not sure they’re doing any wrong yet, but it’s early days. When I talk to [some] companies they don’t have an inventory of systems, they haven’t necessarily done an asset-based risk assessment and they haven’t had third parties look at these.”
In an interview this morning after the conference started, Craig Oldham, director general for critical infrastructure and strategic co-ordination at Public Safety Canada, said it isn’t his place to assess the readiness of each company to face cyber threats. But, he added, “I am not aware of a huge gap that we have at this point.”
“I think the cyber threat to industrial control systems is kind of a constantly changing thing, which is part of the reason why we do this (conference). It used to be that industrial control systems were basically air-gapped, but now increasingly they are connected to the Internet, like everything. So I think the threat to industrial control systems and the cyber threat generally is evolving, and at a much more rapid pace than we could have forecast five years ago.”
There are two problems. First, many organizations are connecting operational networks to IT networks – which had been, or are supposed to be, segregated – to pull metadata out of the process for better control, which exposes the operational side to the common attacks of the Internet era (everything from spear phishing to SQL injection to employees plugging in USB sticks). Older ICS/SCADA switch or valve control systems on operational networks may be secure as built, but some need security updates, and their manufacturers either never designed a communications protocol for updating them or have gone out of business. Second, while newer ICS/SCADA systems – including many so-called Internet of Things (IoT) devices such as sensors – can be updated, some manufacturers lack the discipline to ship fixes as fast as their IT device counterparts do.
Then there’s the problem of knowing there are ICS devices on the network. Robert Beggs, CEO of Toronto’s Digital Defence and a conference speaker, said a recent manufacturing customer didn’t realize the automated shipping system his firm has includes an industrial control element. (The person running the system knew, but was on vacation).
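The two points made above – that operational networks are being joined to IT networks, and that some owners do not even know which hosts are ICS devices – are both visible in ordinary network flow data. The following is an added example (not code from the article or from any of the firms quoted in it): it builds a first-pass inventory of hosts serving well-known ICS protocol ports from a handful of constructed flow records, then flags non-OT hosts that speak those protocols to OT devices and OT devices that reach addresses outside the OT ranges. The addresses, the OT range and the flow records are all made up for illustration; the port-to-protocol table is the standard assignment for those protocols.

```python
"""Added example: seed an ICS asset inventory and spot segmentation breaks
from flow records. All addresses and flows below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Well-known server ports for common ICS protocols (standard assignments).
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, transport).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.5.11", 502, "tcp"),        # HMI polls PLC #1
    ("10.1.5.20", "10.1.5.12", 502, "tcp"),        # HMI polls PLC #2
    ("10.1.5.20", "10.1.5.13", 20000, "tcp"),      # HMI polls an RTU over DNP3
    ("10.50.2.7", "10.1.5.11", 502, "tcp"),        # corporate workstation talks Modbus to PLC #1
    ("10.1.5.20", "93.184.216.34", 443, "tcp"),    # HMI reaches an Internet address
    ("10.50.2.7", "10.50.2.1", 53, "udp"),         # ordinary corporate DNS
]

# Hypothetical OT address range for the examples.
OT_NETWORKS = ["10.1.5.0/24"]


def build_inventory(flows, ics_ports=ICS_PORTS):
    """Return {host: set(protocol names)} for every host seen answering
    on an ICS protocol port. This is the list the person on vacation
    had in their head; here it is derived from traffic instead."""
    inventory = defaultdict(set)
    for _src, dst, dport, _proto in flows:
        if dport in ics_ports:
            inventory[dst].add(ics_ports[dport])
    return dict(inventory)


def segmentation_findings(flows, ot_networks=OT_NETWORKS, ics_ports=ICS_PORTS):
    """Flag flows that contradict the 'OT is isolated' assumption:
    a host outside the OT ranges speaking an ICS protocol to an OT host,
    or an OT host initiating a connection to a non-OT address."""
    nets = [ip_network(n) for n in ot_networks]

    def in_ot(ip):
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    findings = []
    for src, dst, dport, _proto in flows:
        if dport in ics_ports and in_ot(dst) and not in_ot(src):
            findings.append(("non-OT client speaks ICS protocol", src, dst, ics_ports[dport]))
        if in_ot(src) and not in_ot(dst):
            findings.append(("OT host reaches outside OT", src, dst, dport))
    return findings


if __name__ == "__main__":
    for host, protocols in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(host, ", ".join(sorted(protocols)))
    for finding in segmentation_findings(SAMPLE_FLOWS):
        print("FINDING:", *finding)
```

Run against real flow exports (NetFlow/IPFIX, firewall logs, a span-port capture) the same two functions give an inventory you can hand to the risk assessment and a list of the connections an "isolated" network actually has. Port-based identification is only a starting point; a protocol-aware sensor will also catch ICS protocols on non-standard ports.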
In fact, one problem is the number of companies that don’t realize – usually until they’ve suffered a cyber incident – that according to Public Safety Canada’s criteria they are critical infrastructure. They include the food and manufacturing sectors. (See here for full list)
This year’s symposium (which included an optional day-long technical workshop) will see presentations from a security researcher from the École Polytechnique de Montréal, Hydro Quebec, the Toronto airport authority and from a number of security vendors. There’s also “an hour with the Government of Canada.” No details, but last year an official from the Canadian Security Intelligence Service gave what one attendee calls “a very revealing talk.”
Exactly how widespread attacks on ICS/SCADA systems are is hotly debated. Security vendors and consultants, for a start, like to point to the 2010 Stuxnet attack (allegedly planned by U.S. and Israeli intelligence agencies), which disabled Iranian uranium centrifuges, and the 2015 and 2016 cyber attacks on Ukraine’s power grid.
Last month Symantec issued a report on a group it calls Dragonfly which, after being quiet for two years, is now targeting PCs in energy companies in Europe and North America. And last fall there were news reports that a version of Shamoon, the disk-wiping malware that crippled tens of thousands of computers at Middle Eastern energy companies four years ago, was used in mid-November to attack computers in Saudi Arabia. These aren’t ICS attacks, but one goal of the attackers may be to use the malware for reconnaissance.
Almost any news story involving a problem with a company that uses ICS systems raises the possibility its operational network was compromised or the real target.
Without doubt some threat actors are trying, or at least doing some reconnaissance. However, in a May, 2016 blog, Robert M. Lee, CEO of ICS security firm Dragos Inc., complained about media hype. “There have only been a handful of known cyber attacks against critical infrastructure,” he wrote. “The rest of the cases are often mislabeled as cyber attacks and are in the hundreds or thousands – not hundreds of thousands.”
In its latest annual report the U.S. Industrial Control Systems Computer Emergency Response Team (ICS-CERT) said that in fiscal 2016 it opened tickets on 290 incidents, compared to 295 the year before. These were divided roughly evenly among the manufacturing, energy and communications sectors. Spear phishing, the leading access vector, accounted for 26 per cent of the incidents; network scanning and probing accounted for 12 per cent.
Some attacks are familiar to any infosec pro. In August, 2016 ICS-CERT learned a remote attacker had used a zero-day exploit against the U.S. maritime transportation sector. “The attacker exploited an SQL injection vulnerability in a web-based application used by multiple U.S. ports that provides real-time access to operational logistics information, resulting in a loss of valuable data,” the annual report says.
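The report gives no detail of the application or the injected request, so the following is an added example, not a reconstruction of that incident: a hypothetical port logistics lookup (vessel schedule by terminal) written the vulnerable way beside the parameterized fix, run against a constructed in-memory SQLite table. The application name, table, rows and payloads are all invented for illustration.

```python
"""Added example: SQL injection in a 'logistics lookup' endpoint, and the
parameterized version. The schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the port's schedule database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vessel_schedule (vessel TEXT, berth TEXT, eta TEXT, terminal TEXT)"
    )
    conn.executemany(
        "INSERT INTO vessel_schedule VALUES (?, ?, ?, ?)",
        [
            ("MV Northern Star", "B3", "2016-08-12T06:00", "ACME"),
            ("MV Pacific Dawn", "B7", "2016-08-12T14:30", "ACME"),
            ("MV Atlantic Pride", "B1", "2016-08-13T02:15", "Harbour Co"),
        ],
    )
    return conn


def lookup_vulnerable(conn, terminal):
    """The defect: the caller's string is pasted into the SQL text, so
    quote characters in it change the query rather than the data."""
    sql = (
        "SELECT vessel, berth, eta FROM vessel_schedule WHERE terminal = '"
        + terminal
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, terminal):
    """The fix: the SQL text is fixed and the value travels as a bound
    parameter, so it can only ever be compared, never parsed."""
    sql = "SELECT vessel, berth, eta FROM vessel_schedule WHERE terminal = ?"
    return conn.execute(sql, (terminal,)).fetchall()


# Constructed payloads. The first makes the WHERE clause always true and
# dumps every terminal's schedule; the second appends a UNION that reads
# the schema out of sqlite_master, with '--' commenting out the trailing quote.
PAYLOAD_DUMP_ALL = "' OR '1'='1"
PAYLOAD_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "ACME"),
        "vuln_dump_all": lookup_vulnerable(conn, PAYLOAD_DUMP_ALL),
        "vuln_schema": lookup_vulnerable(conn, PAYLOAD_SCHEMA),
        "safe_normal": lookup_safe(conn, "ACME"),
        "safe_dump_all": lookup_safe(conn, PAYLOAD_DUMP_ALL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The vulnerable function returns both ACME sailings for a legitimate query, every row in the table for the first payload, and the CREATE TABLE statement for the second; the parameterized version returns exactly the same rows for the legitimate query and nothing for either payload. The "loss of valuable data" in the report is the first behaviour; the second is how an attacker maps the rest of the database before taking it.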
But the report also says in fiscal 2016 it responded to what it called the first known cyber attack to result in physical impact to a power grid. The report doesn’t detail where that attack took place. The ICS-CERT has gone to countries outside the U.S. to investigate incidents, including Ukraine.
Public Safety Canada said this morning incident reports from the private sector are confidential, so it doesn’t have equivalent public figures for release.
Last fall the head of the United Nations nuclear watchdog mentioned in a speech that several years ago a nuclear facility in an unnamed country suffered a cyber attack. The plant didn’t have to shut down, but it did have to take “precautionary measures.”
Ingoldsby, president of Calgary’s Amenaza Technologies, whose system modeling software has been used by a wide range of companies for threat risk analysis, doesn’t downplay the potential risks to ICS networks if vulnerabilities aren’t dealt with.
But, he adds, “the problem from an attacker’s point of view is harder than it seems, because unlike attacking an ordinary computer system or a banking system or getting into a company and stealing all the credit card numbers, attacking a control system is both harder and easier. It’s harder because control systems control real world processes – electricity or water or natural gas or a chemical plant – and it’s controlling all of these processes. Valves are opening and shutting and switches are turning on and off. And, yes, in theory it’s possible to cause a catastrophe, [but] it usually requires a very good understanding of the underlying physical process. The adversary has to learn that to make the system go ‘kaboom’ I have to close this valve and turn off this switch and do that over there all at the same time.
“So the challenge from the point of view of the attacker is not just get into the system and take control but to actually figure out what each of these controls do to manipulate to have the effect they want. So in that sense breaking a control system is more difficult than hacking into a conventional IT system.”
“What makes it easier is the fact that many of these control systems were built in an era before we worried about hacking, so they have relatively little intrinsic security in them. To some extent, if you can get on the control system network you can send commands and they will be obeyed.”
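To make the “send commands and they will be obeyed” point concrete at the wire level, here is an added example (not from the article or from any of the people quoted in it) using Modbus/TCP as a representative legacy control protocol. It encodes a Write Single Register request exactly as the published Modbus/TCP framing lays it out, feeds it to a hypothetical controller that, like the real protocol, has no field in which a credential or signature could even travel, and then puts the same controller behind a hypothetical source-address allowlist, the kind of compensating control a firewall or protocol-aware proxy provides when the device itself cannot be fixed. The controller, gateway and IP addresses are invented for illustration.

```python
"""Added example: a Modbus/TCP write has no authentication field, so the only
place to say 'no' is the network in front of the device. PLC, gateway and
addresses are hypothetical; the frame layout is the Modbus/TCP encoding."""
import struct

WRITE_SINGLE_REGISTER = 0x06


def build_write_single_register(txn_id, unit_id, address, value):
    """Encode a Modbus/TCP 'Write Single Register' request.

    MBAP header: transaction id, protocol id (always 0), byte count of what
    follows, unit id. PDU: function code, register address, value.
    Nowhere in these 12 bytes is there room for 'who is asking'."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Decode the MBAP header and, for function 6, the PDU fields."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    req = {"txn_id": txn_id, "unit_id": unit_id, "function": frame[7]}
    if req["function"] == WRITE_SINGLE_REGISTER:
        req["address"], req["value"] = struct.unpack(">HH", frame[8:12])
    return req


class ToyPlc:
    """Hypothetical controller: a register map, and no notion of a caller."""

    def __init__(self):
        self.registers = {}

    def handle(self, frame):
        req = parse_adu(frame)
        if req["function"] == WRITE_SINGLE_REGISTER:
            self.registers[req["address"]] = req["value"]
            return frame  # Modbus acknowledges a write by echoing the request
        # Exception response: function code with the high bit set, code 1 = illegal function
        mbap = struct.pack(">HHHB", req["txn_id"], 0, 3, req["unit_id"])
        return mbap + bytes([req["function"] | 0x80, 0x01])


class AllowlistGateway:
    """Hypothetical compensating control in front of a device that cannot
    authenticate: forward frames only from approved sources (e.g. the HMI)."""

    def __init__(self, plc, allowed_sources):
        self.plc = plc
        self.allowed = set(allowed_sources)
        self.dropped = []  # (source, decoded request) for anything refused

    def forward(self, src_ip, frame):
        if src_ip not in self.allowed:
            self.dropped.append((src_ip, parse_adu(frame)))
            return None
        return self.plc.handle(frame)


def demo():
    """Write register 10 on a bare PLC from an arbitrary host, then try the
    same from behind the gateway. Returns (bare registers, protected
    registers, dropped requests)."""
    rogue_write = build_write_single_register(txn_id=1, unit_id=1, address=10, value=5000)
    hmi_write = build_write_single_register(txn_id=2, unit_id=1, address=10, value=1500)

    bare = ToyPlc()
    bare.handle(rogue_write)  # accepted: there is nothing to check

    protected = ToyPlc()
    gw = AllowlistGateway(protected, allowed_sources={"10.1.5.20"})
    gw.forward("10.50.2.7", rogue_write)  # corporate host: dropped at the gateway
    gw.forward("10.1.5.20", hmi_write)    # HMI: forwarded and applied
    return bare.registers, protected.registers, gw.dropped


if __name__ == "__main__":
    bare, protected, dropped = demo()
    print("bare PLC registers:     ", bare)
    print("protected PLC registers:", protected)
    print("dropped at gateway:     ", dropped)
```

The bare controller ends up holding whatever the first host to reach it wrote; the protected one holds only the HMI's value and the gateway keeps a record of the refused attempt, which is also exactly the event a detection team would want to see alerted. An allowlist on source address is a floor, not a ceiling: it does nothing against a compromised HMI, which is why the segmentation Byres describes later in the piece still matters.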
And network segregation for protection? “These control systems are supposed to be isolated,” he said. “Nothing is isolated (today). I don’t think there is a system left in the world that is isolated.”
One problem, said Thomas, is the split in responsibility for operational and IT networks. “A lot of companies have struggled with building a joint team from the corporate and operational sides that works together and secure systems jointly. It is a difficult challenge, but mostly because people are new to this struggle so they haven’t figured out the best way.”
Another problem is some firms haven’t done the basics yet. “When I talk to companies they don’t have an inventory of systems, they haven’t necessarily done an asset-based risk assessment and they haven’t had third parties look at them.”
Eric Byres, a Nanaimo, B.C.-based ICS veteran who is CEO at Adolus.com and partner at consulting firm ICS Secure, describes the readiness of Canadian critical infrastructure companies as “better than average” compared to other countries, with the energy sector pulling up the numbers. “But in other sectors I’m stunned at how unsophisticated they are when it comes to the security of their control systems.”
Like others, he said the challenge CIOs/CISOs face is that “the attackers are changing, the intent is changing, the defences and techniques are changing … Techniques that were not available two years ago are now starting to become available to asset owners, and attackers have found their own new bag of tricks.”
Organizations that have legacy ICS/SCADA devices face a tricky problem, he admits: it can be too expensive to replace such systems. In that case they must have a mitigation strategy.
In fact, he maintains, every organization deemed to be in the critical infrastructure sector must have an ICS security strategy. “That is the difference between the sophisticated companies and the beginners.” They must follow a framework, either the International Electrotechnical Commission’s standard for industrial automation and control systems (IEC 62443) or, for energy companies, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards, which will prompt the creation of proper security teams and a command and control structure for who makes decisions. “If you follow a decent strategy,” Byres said, “you won’t connect control systems to a business network.”
In the last 12 months alone, he said, more has become known about the two attacks on power utilities in Ukraine, there has been a rewrite of IEC 62443 and an update to NERC CIP.
Because the threat landscape is constantly changing, Byres said Public Safety’s annual conference is valuable: it’s a chance not only to learn new techniques but also for executives to network. (“This is why we’re spending on this; you should too.”)
But he wishes the government’s intelligence agencies would share more information. “The more they can educate the senior executives – that could be very closed, confidential security briefings – the better, because that will drive intelligent decision-making.”
However, Public Safety Canada’s Craig Oldham noted there are a number of information-sharing mechanisms, including the Canadian Cyber Incident Response Centre, the multi-sector networks Public Safety runs, and a national cross-sector forum. “I think there is good and increasing information sharing.”
(This story has been updated from the original to add comments from Craig Oldham)