2018 was significant in the United States for cyber attacks on critical infrastructure. Three events stand out: the shutdown of operations of the city of Atlanta; the shut down and subsequent reattack of the Colorado Department of Transportation (CDOT), and the take down of a dedicated Safety Instrumented System (SIS) overseeing an industrial control system that required sophisticated reverse engineering of proprietary components. The cost for and duration of the restoration of service in the former two incidents ran into millions of dollars and months for each. The potential for damage from the latter attack could be catastrophic in certain industrial applications.
Cyber-Physical systems that automate control of networked components and platforms are increasing rapidly. This activity is driven by three technological enablers: embedded computing, network pervasiveness, and advanced distributed control methods. For 2019, the introduction of 5G will lead to “game changing” advances in network access for cyber-physical systems, with a resultant increase in cyber risk. The cyber attack surface for Critical Infrastructure will increase, and we need a corresponding increase in appreciation of the emerging threat.
Background Definitions: Three types of cyber-physical systems
- Operational Technology (OT)– OT is “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.” OT is also referred to as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). OT systems control critical services in manufacturing, facilities, energy, water, transportation and telecommunications, and historically have consisted of proprietary industrial programmable logic controllers, monitoring sensors, and actuators in limited access, non-TCP-IP networks. See IIOT below. Learn more by browsing CSIAC’s resources on Operational Technology (OT).
- Platform Information Technology (PIT)– PIT in a military context refers to “computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. PIT does not include general purpose systems.” (DON, 2007) In the civilian sector PIT includes control systems in automotive, maritime and aviation domains. PIT also applies to self-driving cars and aircraft. Learn more by browsing CSIAC’s resources on Platform Information Technology (PIT).
- Internet-of-Things (IoT)– Internet of things loosely refers to TCP-IP network-based devices that interact with their physical environment, using the wider internet for their command and control access. “The IoT allows objects to be sensed or controlled remotely across existing network (e.g. TCP-IP) infrastructure” (Harvard Business Review, 2014). The move to integrate industrial cyber-physical control systems with enterprise IT networks has led to a hybrid system type labeled Industrial Internet of things, or IIOT.
CSIAC has many resources on IoT, learn more.
Cyber-physical systems and Critical Infrastructure
Cyber-physical systems are susceptible to many of the same problems as traditional enterprise information technology (IT) with the below added issues:
- Systems are directly related to affecting the physical environment (Power, safety controls, etc.).
- Cyber-physical systems generally have components that are limited in processing power and bandwidth, use local non-TCP/IP communications channels, such as Modbus, and traditionally rely on physical security (e.g. controlled access) to ensure resistance to cyber attack.
- Cyber-physical systems often have much longer technological refresh cycles, as long as 15-20 years, which limits technology upgrades that engineer out vulnerabilities.
- Cyber-physical systems invert the traditional ITSEC order of priority from “Confidentiality, Integrity and Availability” to “Availability, Integrity and Confidentiality”.
Highlights from 2018 Critical Infrastructure Attacks: CDOT and HATMAN
CDOT: There is good news in the Colorado Division of Homeland Security and Emergency Management CDOT Cyber Incident After Action Report. The SamSam ransomware attack was isolated to the CDOT enterprise systems and not the traffic operations systems due to an effective firewall implementation; the recently instituted “Backup Colorado” data protection plans made restoration simpler; the CDOT Continuity of Operations Plan (COOP) was successful, and a coalition of State, Colorado Army National Guard (COARNG), Federal and civilian actors was organized and worked together successfully. The COARNG was mobilized by the Governor and their technical SME’s provided significant resources for incident response, threat ID, and analysis.
The bad news was that the attack was successfully carried out on server zero in a cloud services environment via remote access only two days after it was brought online for the first time. The attack ultimately took down 150 servers and 2000 workstations. Effective response also required a significant learning curve for the consolidated Emergency Response Team since the State Emergency Operations Plan and the Colorado Office of Information Technology (OIT) Cyber Incident Response Plan were not integrated nor operationally tested in an Incident Command System previously. Soon after during the Idaho National Laboratory Resilience Week conference “Transforming the Resilience of Cognitive, Cyber-physical Systems”, one of the recurring themes was the recent ransomware attack on the Colorado Department of Transportation. CDOT operations took four weeks to restore at a cost of $1.5M. This topic was addressed at the conference panel Owners and Operators Addressing Infrastructure Risk and Resilience, which included representatives of Xcel Energy, AT&T Disaster Recovery, the Colorado Springs Utilities, and Denver Water. When asked at the end of their panel, what was their most serious challenge around emergency response and recovery, three of four said “cyber attack”, and recommended the full integration of cybersecurity SME’s on Federal and State Emergency Response Teams.
DoD CYBER Defense Support for Civil Authorities (Cyber DSCA) was also a topic brought up at Resilience Week with respect to the CDOT attack. 2018 has seen Congress direct DoD to provide a Cyber DSCA exercise with DHS and the National Guard. See NDAA 19 Sec. 1648 below. However, a recent DOE National Renewable Energy Laboratory (NREL) study entitled “States of Cybersecurity: Electricity Distribution System Discussions” indicates that the lessons learned in a single exercise in one state with one utility and one emergency response team may not apply to other States. For example, only one-third of the energy distribution utilities participating in the survey reported having a security plan that addressed both physical and cyber aspects, in accordance with the North American Electric Reliability Corporation (NERC) cybersecurity maturity framework. In fact, only one of the participating utilities reported having a security plan that identified critical cyber assets. Hence, as in the CDOT incident, the learning curve may be steep for a cyber emergency response team that has never worked together before.
HATMAN: The good news is that the simultaneous compromise of an OT distributed control system and its dedicated Schneider supervisory Safety Instrumented System (SIS) did not lead to destructive operation of an industrial site. The bad news is that it could have. The compromise of both the control system and its safety system is a direct attack on hardened defense in depth approaches in the ICS domain. The sophistication of the exploit, which required significant reverse engineering of a Triconex safety Programmable Logic Controller (PLC) and the geographic location of the attack points to the involvement of a nation-state.
The Future: Recent (2018) government developments in Critical Infrastructure Cyber Security
The 2018 National Cyber Security Strategy lists several critical infrastructure specific actions:
- The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.
- The Federal Government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure.
The National Security Council, in early 2018, convened a working group (WG) of control systems’ cybersecurity experts to identify how the Federal government could improve cybersecurity and resilience of multiple critical infrastructure sectors through improving control systems security. The working group concluded that more engagement between senior-level government and control system vendors and integrators could drive toward more security and resilience in control systems. A workshop with vendors and integrators in August identified potential strategic joint priorities for a strategic partnership and the WG is now developing discrete and measurable actions, which public and private sector executives could consider, agree to accomplish, and track to completion in the next several months. This effort aligns with the “Enabling Cybersecurity through Information and Communications Technology Providers” action-area in the draft National Cyber Strategy. If you would like to suggest “discrete and measurable actions” to assist”, please contact CSIAC.
The National Cyber Range operated by the Test Resource Management Center (TRMC), is now to provide a capability for vendors to test their HW/SW in an HVAC environment. The National Cyber Range is accredited by the Defense Intelligence Agency (DIA), and provides a cybersecurity test infrastructure that can operate at levels up to Top Secret/Sensitive Compartmented Information. In addition, an Approved Products List (APL) capability has been initiated.
- SEC. 1639 “MEASUREMENT OF COMPLIANCE WITH CYBERSECURITY REQUIREMENTS FOR INDUSTRIAL CONTROL SYSTEMS”
This required the addition of Industrial Control Systems to the Department of Defense Cybersecurity Discipline Implementation Plan and the Secretary of Defense Cybersecurity Scorecard. DoD cyber threat remediation metrics now will include supervisory control and data acquisition (SCADA) systems, distributed control systems, programmable logic controllers, and platform information technology. The implementation of ICS into the Scorecard is expected by the end of CY18.
The National Defense Authorization Act for FY19 included:
- SEC. 1643. DESIGNATION OF OFFICIAL FOR MATTERS RELATING TO INTEGRATING CYBERSECURITY AND INDUSTRIAL CONTROL SYSTEMS WITHIN THE DEPARTMENT OF DEFENSE.
The Secretary of Defense is tasked to designate one official to be responsible for matters relating to integrating cybersecurity and industrial control systems for the Department of Defense. This official shall be responsible for integration of cybersecurity and ICS at all levels of command to include facilities operated on behalf of the DoD, and will have responsibility for development of NIST RMF-based certification standards for DoD ICS.
- SEC. 1648. TIER 1 EXERCISE OF SUPPORT TO CIVIL AUTHORITIES FOR A CYBER INCIDENT
The Commander of the United States Cyber Command, and the Commander of United States Northern Command need to conduct a tier 1 exercise of a Cyber Defense Support to Civil Authorities (DSCA) incident, considering Government Accountability Office report GAO–16–574 “DOD Needs to Identify National Guard’s Cyber Capabilities and Address Challenges in Its Exercises. Coordination with the Department of Homeland Security, the Federal Bureau of Investigation, and elements across Federal and State governments and the private sector is required.
- SEC. 1649. PILOT PROGRAM ON MODELING AND SIMULATION IN SUPPORT OF MILITARY HOMELAND DEFENSE OPERATIONS IN CONNECTION WITH CYBER ATTACKS ON CRITICAL INFRASTRUCTURE.
This Pilot Program is to model cyber attacks on critical infrastructure to identify and develop means of improving Department of Defense responses to requests for defense support to civil authorities for such attacks.
- SEC. 1650. PILOT PROGRAM AUTHORITY TO ENHANCE CYBERSECURITY AND RESILIENCY OF CRITICAL INFRASTRUCTURE
This authorizes the Secretary of Defense, in coordination with the Secretary of Homeland Security, to assign DoD technical personnel to the Department of Homeland Security, to include the National Cybersecurity and Communications Integration Center (NCCIC), to enhance cybersecurity cooperation, collaboration, and unity of Government efforts.
Deputy Assistant Secretary of Defense (Emerging Capability & Prototyping): A new Joint Capability Technology Demonstration (JCTD) titled “More Situational Awareness for Industrial Control Systems (MOSAICS) was selected for funding by the Assistant Secretary of Defense for Research and Engineering in 2018. MOSAICS will build an architecture and toolset to monitor and report the cybersecurity status of a DoD ICS system in real time, with enhanced automated response and remediation in accordance with the 2017 revision of US CYBERCOM’s Advanced Industrial Control Systems Tactics Techniques and Procedures (AICS-TTP) for DoD ICS. The JCTD is jointly managed by US INDOPACOM and NORAD-NORTHCOM. The main participants include: DOE’s Cyber Partnership for Advancing Resilient Control (CyberPARC), which is composed of Sandia National Laboratories, Idaho National Laboratory and Pacific Northwest National Laboratory; SPAWARSYSCEN ATLANTIC; Navy Facilities Engineering Command; and Johns Hopkins University Applied Physics Laboratory.
DOE and CESER: In February of 2018 the Department of Energy opened a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) with a $96M budget. The office mission includes “continuous monitoring tools and capabilities for information systems and control networks and identifying best practices” to support CESER’s Cybersecurity Risk Information Sharing Program (CRISP).
DHS: The National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security has integrated into the NCCIC the Industrial Control Systems Cyber Emergency Response Team (ICSCERT), bringing ICS SME personnel onto the NCCIC watchfloor. As mentioned above, the FY 19 NDAA now authorizes DoD watchstanders in the NCICC as well.
2018 has brought increased awareness, national policy prioritization, significant funding and increased multiagency cooperation with respect to Critical Infrastructure Cybersecurity. Understanding the definitions, issues, and intended solutions is critical to our success on the way ahead to protect the nation against attacks of significant consequence. Take a deeper look into Critical Infrastructure Protection (CIP) with this video podcast:
Footnotes and References:
- CDOT Cyber Incident After Action Report, Colorado Division of Homeland Security and Emergency Management, 17 July 2018. Releasable to the public, available on request to CSIAC.
- Ibid, p7.
- For a discussion on integration of cyber into Incident Command Systems see https://www.drj.com/articles/online-exclusive/integrating-cybersecurity-into-the-incident-command-system-in-an-evolving-emergency-environment.html
- Ivonne Pena, Michael Ingram, and Maurice Martin, “States of Cybersecurity: Electricity Distribution System Discussions” Technical Report NREL/TP-5C00-67198 March 2017 https://www.nrel.gov/docs/fy17osti/67198.pdf
- Ibid, p 4
- CSIAC will forward suggestions to OSD Energy, Installations, and Environment.
- Personal communication from Mr. Daryl Haegley, Control Systems Cybersecurity ODASD(E)