Securing critical information infrastructures
Singapore, December 15, 2016
In December 2015, an unprecedented attack by hackers on the energy grid in western Ukraine left thousands of residents without light and heat for as long as six hours. To make matters worse, the well-orchestrated attack included denial-of-service attacks against local telephone networks to prevent affected customers from reporting the power outage.
Such brazen cyber attacks on power grids and other critical information infrastructures (CIIs) like water management systems and transportation networks are more than just news headlines. They can cause mayhem in societies, and erode confidence in a country’s economy and government.
In this month’s Q&A, we speak with Mr Freddy Tan, NCS’ Director and Enterprise Security Architect, to find out more about cyber attacks against CIIs, and what CII owners and operators can do to secure critical systems.
Q: In your view, what’s considered a CII?
A: A CII is any network or computer system that powers an economy’s key infrastructure assets such as power plants. Any breach in CIIs can disrupt an economy, such as the blackouts caused by the hack of Ukraine’s power grid. Other CII sectors that are prone to attacks include transportation. Imagine what would happen if hackers disrupted traffic light systems to cause mayhem on the roads. Or if air traffic control systems are hacked to cripple air travel. The consequences in both cases can be dire to any country.
Q: Was the Ukraine power grid hack more of an exception than the norm?
A: I don’t think an attack like the one on the Ukraine power grid was an exception. The Ukraine incident was something that was more evident and had a lot of media attention. But even before it happened, there were other attempts to disrupt CIIs. For example, there had been cases of people in the financial industry taking down power supplies to disrupt stock markets. Some disgruntled employees have also sabotaged sewage systems to reverse the direction of sewage pumps in an attempt to spill sewage onto the roads.
Q: What are the common threat actors and their motivations for targeting CIIs?
A: The first thing that comes to mind is state-sponsored actors, such as those who created a malicious worm to sabotage another state’s nuclear power programme. Other threat actors include cyber criminals who hold organisations to ransom. These criminals may threaten to shut down critical websites or ATM networks through distributed denial-of-service (DDoS) attacks if a ransom is not paid. Increasingly, DDoS attacks are being used to disable CIIs and networks. A recent attack against a hosting provider involved DDoS traffic that surged to nearly 1TB per second. If similar attacks were launched against rail control networks, the result would be angry commuters and a loss of confidence in public transportation services. Hacktivists are another threat actor group that has launched web defacement attacks to embarrass governments and large organisations. In 2013, we saw someone who claimed to be part of the Anonymous hacktivist group defacing government-related websites. These hacktivists can also target CIIs like energy grids to air their grievances against utility fee hikes, for example.
Q: Many CIIs are powered by industrial control systems that are typically offline. But increasingly, these systems are being connected to the Internet, increasing their risks of being compromised. What can be done to mitigate such risks?
A: Manufacturers of industrial control systems are increasingly leveraging Internet connectivity to control and maintain their systems. In Singapore, the lifts in public housing blocks are connected via a tele-monitoring system to town councils, which will be notified of faulty lifts. While improving service quality, such connectivity exposes lift control systems to cyber attacks. Other examples include building management systems, which are connected to the Internet to facilitate maintenance work. The companies behind those systems may receive status updates on the systems and troubleshoot issues if necessary. To mitigate the higher cybersecurity risks of CII connectivity, manufacturers should adopt a “security-by-design” approach, where security is built into CII equipment from the get-go rather than as an afterthought.
CII owners should also perform regular security assessments and penetration tests to make sure their equipment is always protected. They must ensure security patches are applied as soon as they are available, which is currently not in the culture of those operating industrial control systems. Promoting cyber security awareness among employees is also crucial to guard against the growing number of social engineering attacks that entice people to download seemingly legitimate e-mail attachments masquerading as malware.
Q: An incident response framework is key to mitigating the impact of CII breaches. What are the elements that should be present in such a framework?
A: The mindset of the cybersecurity community is that we can guard against all attacks, but we always tell our customers that given enough time and resources, hackers can overcome any security measure.
An incident response framework needs to be in place to mitigate the impact of CII breaches. It should include a set of instructions that an organisation must follow in the event of a cyber incident. It should not only comprise tasks to be performed, but also when. For example, the first thing that CIIs need to do could be to notify industry regulators and the police, as well as external organisations they have engaged to provide cybersecurity services, such as cyber forensics. CII owners will also need to identify who is responsible for which task.
There’s a misconception that it’s only the IT people who should respond to a cyber attack. But that’s not the case. The public relations team, for example, should be roped in to answer media queries about an incident, say, a telecoms network disruption caused by a DDoS attack. Customer service staff like call centre agents should also be prepared to answer public queries about service outages. All of them will need to be adequately trained to handle queries related to the incident. Otherwise, you could end up with very frustrated customers.
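One way to write down the three elements the answer above calls for (what must be done, by when, and by whom) is a small playbook that can be validated and turned into a timeline once an incident is detected. The code below is an added example, not material from NCS or the interview; the task names, owning roles and deadlines are constructed for illustration and an operator would substitute its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Task:
    """One instruction in the playbook: what, which role owns it, and by when."""
    name: str
    owner: str                  # accountable role, not a named person
    due_after: timedelta        # deadline measured from the detection time
    depends_on: tuple = ()      # names of tasks that must be finished first


# Constructed playbook mirroring the roles mentioned in the interview;
# owners and timings are illustrative assumptions, not an NCS standard.
PLAYBOOK = (
    Task("contain affected network segment", "IT operations", timedelta(minutes=30)),
    Task("notify industry regulator", "compliance officer", timedelta(hours=1)),
    Task("notify police", "compliance officer", timedelta(hours=1)),
    Task("engage external forensics provider", "security lead", timedelta(hours=2),
         depends_on=("contain affected network segment",)),
    Task("brief public relations team", "PR manager", timedelta(hours=2),
         depends_on=("notify industry regulator",)),
    Task("brief call centre agents on outage script", "customer service manager",
         timedelta(hours=4), depends_on=("brief public relations team",)),
)


def validate(playbook):
    """Return a list of problems; an empty list means the playbook is well formed.

    Checks that every task has an owner, that dependencies exist, and that no
    task is due before a task it depends on.
    """
    problems = []
    names = [t.name for t in playbook]
    if len(names) != len(set(names)):
        problems.append("duplicate task names")
    by_name = {t.name: t for t in playbook}
    for t in playbook:
        if not t.owner.strip():
            problems.append(f"'{t.name}' has no owner")
        for dep in t.depends_on:
            if dep not in by_name:
                problems.append(f"'{t.name}' depends on unknown task '{dep}'")
            elif by_name[dep].due_after > t.due_after:
                problems.append(f"'{t.name}' is due before its prerequisite '{dep}'")
    return problems


def schedule(playbook, detected_at):
    """Absolute timeline as (due_at, task name, owner), earliest deadline first."""
    rows = ((detected_at + t.due_after, t.name, t.owner) for t in playbook)
    return sorted(rows, key=lambda r: r[0])


def overdue(playbook, detected_at, now, completed):
    """Names of tasks whose deadline has passed and that are not marked complete."""
    done = set(completed)
    return [t.name for t in playbook
            if t.name not in done and detected_at + t.due_after < now]


def example_run():
    """Run the playbook against a constructed detection time and return the results."""
    detected_at = datetime(2016, 12, 15, 9, 0)        # constructed timestamp
    three_hours_in = detected_at + timedelta(hours=3)
    done = {"contain affected network segment", "notify police"}
    # A deliberately broken task: no owner, and due before its prerequisite.
    broken = PLAYBOOK + (Task("post-incident review", "", timedelta(hours=1),
                              depends_on=("brief call centre agents on outage script",)),)
    return {
        "problems": validate(PLAYBOOK),
        "schedule": schedule(PLAYBOOK, detected_at),
        "overdue_at_3h": overdue(PLAYBOOK, detected_at, three_hours_in, done),
        "broken_problems": validate(broken),
    }


if __name__ == "__main__":
    result = example_run()
    for due_at, name, owner in result["schedule"]:
        print(f"{due_at:%H:%M}  {owner:<26} {name}")
    print("overdue after 3h:", result["overdue_at_3h"])
    print("problems in broken playbook:", result["broken_problems"])
```

The dependency check is the part worth keeping even if the rest is replaced by a ticketing tool: a playbook that asks the call centre to brief customers before the PR team has agreed a message, or that has a task with no owning role, fails validation before it is ever needed in a live incident.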
Q: The ability of a CII operator to mitigate the impact of a cyber attack successfully hinges upon its incident response capabilities. Under what circumstances should an operator consider outsourcing vs building its cybersecurity capabilities?
A: There are serious challenges for organisations that choose to run their own in-house cyber security services. First, they’ll need to get skilled cybersecurity professionals, who are in high demand globally. It’ll be more common for organisations to outsource security services, as they have done for business applications, which are increasingly being run by cloud service providers.
Q: What’s the role of public-private partnerships in securing CIIs?
A: With more CIIs being owned and operated by private sector companies, which tend to prioritise commercial interests over others, cybersecurity may take a backseat as the cost of ensuring cybersecurity can be substantial.