In acknowledgment of National Cyber Security Awareness Month (NCSAM) 2020, the U.S. Department of Energy (DOE) declared that “cyber security is national security.” DOE went on to frame advancing cybersecurity within energy systems as a “top national priority.” Such an objective demands “a shared responsibility of the public and private sectors,” DOE clarified.
This pronouncement by DOE raises an important question: in what way is cyber security synonymous with national security? The answer has to do with critical national infrastructure.
Critical National Infrastructure – An Overview
Public Safety Canada defines Critical Infrastructure (CI) as “processes, systems, facilities, technologies, networks, assets and services essential to… health, safety, security or economic well-being… and the effective functioning of government.” CI might take the form of a standalone system, or it could consist of interdependent infrastructure that extends across territories or even national borders.
Either way, CI assets generally appear in one of the 16 critical infrastructure sectors identified in the U.S. Presidential Policy Directive 21 (PPD-21). These sectors are as follows:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services Security
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Critical national infrastructure organizations commonly own and operate what are known as industrial control systems (ICS). ICS, which comprise Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC), were at one point separated from the Internet, but that’s changing as critical infrastructure organizations undergo digital transformations. In particular, they’re bringing their ICS and other Operational Technology (OT) assets together with Information Technology (IT) as a way of optimizing their industrial processes in an increasingly digital world.
Let’s look at an example. A water treatment facility could decide to connect its ICS to smart sensors over the Internet. These sensors can detect water pressure and flow. In deploying these assets, engineers can use real-time data to detect issues that might otherwise cause a disruption and to respond more quickly. They can also use that information to perform preventative maintenance before a problem capable of producing a disruption materializes.
Understanding the Security Risks Associated with ICS
Notwithstanding its potential benefits, such internet connectivity of ICS assets introduces new risks that, among other things, threaten national security. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) frames the risks in this way:
“Unlike business enterprise systems, which manage information, ICS manage physical operational processes. Therefore, cyberattacks could result in significant physical consequences, including loss of life, property damage, and disruption of the essential services and critical functions upon which society relies. The use of cyberattacks to cause physical consequences makes ICS attractive targets for malicious actors seeking to cause the United States harm.”
Malicious actors aren’t just interested in using a computer network attack to cause consequences in the real world, however. The United Kingdom’s Centre for the Protection of National Infrastructure (CPNI) notes that attackers are also using vulnerabilities within organizations’ ICS to conduct digital espionage. Through this activity, malicious actors steal information remotely and exfiltrate it outside of the industrial network. They then pass that information on to a competing company, hostile government, or other entity that can use that data to conduct secondary attacks against the host country’s CI, thereby undermining its national security.
Simultaneously, the technology is changing. OT is increasingly becoming commoditized, finding its way into smaller applications and migrating into new sectors (such as automobiles) that are beginning to automate and connect to the web. These developments could help to explain why attacks targeting organizations’ ICS and OT assets are on the rise. Indeed, IBM X-Force found that the number of attacks targeting organizations’ industrial systems had increased by more than 2,000% between 2018 and 2019.
Why ICS Cybersecurity Is a Challenge
Cybersecurity might be straightforward with IT, but it’s much more challenging with ICS. The reality is that organizations cannot secure their industrial processes without the risk of causing a disruption to their industrial environments. Most organizations’ ICS are designed for availability, after all, not cybersecurity.
Not only that, but many organizations also have less experience with ICS security than they do with IT security, as it is a relatively newer discipline. The (CS)2AI-KPMG Control System Cyber Security Annual Report 2020 found that insufficient ICS security expertise was the most significant source of difficulty for more than half (58.1%) of respondents. This was followed by insufficient personnel, cited by 48.4% of individuals who participated in the study.
How to Address These Challenges
Critical infrastructure organizations need to implement security measures in a way that doesn’t impede their ability to deliver their essential services. That’s where ORIGNIX can help.
Our cyber Process Risk Assessment (cyberPRA) methodology identifies potential gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. Our cyber HAZOP (cyberHAZOP) study helps clients systematically identify and qualify the risks to the availability and reliability of their cyber-physical systems (CPS). Additionally, our cyberORM system framework can help you fast-track and achieve your CPS’s desired functional and strategic risk tolerance levels.