Achieving cyber resilient industrial control systems22 November 2017
Atkins cyber security consultant Campbell Hayden asks how civil nuclear organisations can remain resilient against an evolving cyber security threat
Across a wide range of critical industrial sectors there is increasing convergence between information technology (IT) and operational technology (OT), and the civil nuclear industry is no exception. Operational technology is the infrastructure that underpins the automation of industrial control systems (ICS). And while previously many control systems were separate, or ‘air-gapped’, from other environments, there is now an increasing trend to connect to new systems, to:
- optimise production and integrate operations,
- support secure remote access,
- deliver patches and anti-malware updates remotely.
The benefits of this improved connectivity are finely balanced against the increased risk it brings. The vulnerability, and ‘attack surface’ available, to malicious code or a hacker rises when systems are connected, particularly connections with the enterprise IT environment and third-party support organisations.
The move to traditional IP-based and commercial off-the-shelf technology means it is easier to understand what is required to attack a nuclear facility than it was; the “security-by-obscurity” view is no longer valid or acceptable.
Vulnerabilities in ICS are regularly published (notably by ICS-CERT), so potential hackers with knowledge of a nuclear facility have time to craft an attack before the vulnerability has been addressed. The risk is increased because the tools to assist an attacker are readily available and often free to use. It is very unlikely that an attacker would try to inflict a loss of containment, but business disruption can be a target.
Given the hazards that exist at nuclear facilities, there is no doubt that some of the most critical systems should remain as isolated as possible. In addition, robust physical security should work with policies to ensure that systems are not maliciously or unintentionally affected locally. For example, removable media, like USBs, should be banned. Some operational areas of nuclear facilities should simply avoid digital technology entirely, in favour of electromechanical devices.
But how do we secure those digital ICS that are increasingly connected to non-ICS? There are five steps.
1. Establish effective governance
Governance should start in the boardroom. There should be board-level accountability for IT and OT cyber security risk and it should be championed at the same level. Effective governance should ensure that all parties within an organisation including IT, OT and physical security collaborate to ensure a defence-in-depth approach to cyber security. If in doubt, seek subject matter expertise – there is a growing industry of ICS and OT cyber security experts.
2. Mount an active defence
Perimeter defences should be built into network architectures. In this way critical systems are zoned, and communication with another zone is secured. Static security defences such as firewalls, demilitarised zones (DMZs) and anti-malware should be augmented with real-time detection capabilities to identify and respond quickly to a cyber security incident. A central security operations centre can be used to monitor OT, providing the risks introduced by connecting previously disparate ICS to a central hub are managed. In order to identify an anomaly when it occurs, the personnel manning the centre should have the experience to know what normal operations look like.
3. Focus on your key asset
The technical measures are necessary but ultimately people are both the best defence from, and the most likely cause of, a cyber incident. A key threat is still an unintended cyber breach arising from someone with privileged access to an ICS. Organisations must focus on the training and awareness of all staff and third parties who interact with their ICS.
4. Focus on the supply chain
The oil and gas industry has a well- established supply chain of automation vendors, many of which are now building cyber security into their products and services. Nuclear organisations have many more niche suppliers that build and support their customers’ ICS. How many of these suppliers include cyber security in their products and procedures when dealing with remote or local support of an operational site? When a supplier connects remotely to perform routine maintenance or support operations, does the nuclear facility have complete control over that remote access connection? How many nuclear operators have the right to audit these suppliers on their cyber security policies and procedures, and ensure that appropriate background checks are performed on personnel involved in the delivery and support of critical industrial control systems?
Contracts should be reviewed and updated to include cyber security. Operators of nuclear facilities should work with their peers to see that cyber security is built into the products and services they receive from common suppliers.
5. Institutionalise cyber security
Cyber security should be treated in the same way as safety and a cyberattack must be considered in the same way as any other nuclear safety event.
Many cyberattacks, including malware such as Sasser, Wannacry and NotPetya, have had consequences that the perpetrators did not intend. The widespread outages experienced at the NHS in the UK made headline news but they were not necessarily the aim of the Wannacry malware. Maersk also suffered an estimated business loss of $300M after being affected by the NotPetya outbreak. The worry here is that we will have to wait for a series of incidents before the industry assigns cyber security the same level of importance as safety.
Increased government focus
In the UK, the Department for Business, Energy & Industrial Strategy (DBEIS) is the first government department to launch a five-year sector cyber security strategy. The Civil Nuclear Cyber Security Strategy (CNCSS) sets expectations for industry, government and regulators in light of increasing cyber threats and significant technological change. It specifies how risks will be addressed, by whom, when and how success is to be measured. It is transformational and has substantial implications for the nuclear sector, particularly in the supply chain. The CNCSS establishes stretch goals, in consultation with industry, to address the risks to the safe and secure operation of new civil nuclear facilities and the management of legacy and nuclear waste facilities.
Success will be demonstrated:
- strategically in transforming industry’s approach to cyber security – the ability to deter and protect against a cyberattack and ensure cyber resilience, the ability to detect, contain and mitigate the effects and recover from a cyberattack,
- operationally with the continued safe and secure operation of legacy and future nuclear facilities in the face of growing cyber threats,
- tactically with the increasing capability, capacity and agility of stakeholders to deal with all aspects of the cyber security challenges faced by the UK’s civil nuclear sector.
The civil nuclear industry must be resilient against the threats created by increasing connectivity and the consequent expansion of the attack surface. This requires the identification of critical assets and proportional risk mitigation, including the ability to identify and respond to a cyberattack.
Security and safety have to have equal emphasis to address risks. IT, OT and physical security must collaborate to achieve resilience. Governments are rightly looking to raise awareness across industry, ensuring executives have the information they require to develop cyber security programmes with the necessary leadership, governance and resources to succeed.
About the author: Cyber Security Consultant Campbell Hayden works in Atkins’ ICS Cyber Security Team. He has spent over eight years helping Critical National Infrastructure organisations in the civil nuclear, oil and gas, electricity generation, water, and transport sectors manage the cyber security risks to their ICS environments.