Pacific Northwest National Laboratory (PNNL) teamed with security provider McAfee to produce a report titled “Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control, Integrity Control,” which examines the increase in threats against systems controlling critical infrastructure.
The report identifies existing and emerging threats and discusses the challenges administrators face in what is described as an "advanced persistent threat environment".
Security solutions have traditionally been layered onto these systems after the networks were operational, as many of them were designed before the advent of the Internet and not necessarily with cybersecurity in mind.
“When early critical infrastructure systems were created, neither security nor misuse of the interconnected network was considered,” said PNNL's Philip A. Craig Jr.
“Today, we are still focused on enhancing the security of control systems. Outdated security methods that use a maze of disparate, multi-vendor, and stacked security tools will only delay a cyber attack, providing numerous opportunities for a more advanced and modern cyber adversary to attack cyber security postures throughout critical infrastructure.”
In the report, PNNL researchers and the DOE highlight specific vulnerabilities to industrial control systems including:
- Increased Exposure: Communication networks linking smart grid devices and systems will create many more access points to these devices, resulting in an increased exposure to potential attacks.
- Interconnectivity: Communication networks will be more interconnected, further exposing the system to possible failures and attacks.
- Complexity: The electric system will become significantly more complex as more subsystems are linked together.
- Common Computing Technologies: Smart grid systems will increasingly use common, commercially available computing technologies and will be subject to their weaknesses.
- Increased Automation: Communication networks will generate, gather, and use data in new and innovative ways as smart grid technologies will automate many functions. Improper use of this data presents new risks to national security and our economy.
Also of concern is the apparent escalation in the types and frequency of attacks, including the development of sophisticated malware like Stuxnet, which was designed specifically to target industrial control systems.
“Infrastructures that control systems affecting our everyday lives, such as smart grids, are rising in adoption yet still lack the proper security needed to prevent sophisticated cyber attacks,” said McAfee's Chief Technology Officer Dr. Phyllis Schneck, who recommends "baking-in" security at the design stage.
“Achieving security by design is essential in securing critical infrastructure. Cybersecurity must be embedded into the systems and networks at the very beginning of the design process so that it becomes an integral part of the systems' functioning.”
The report also examines security issues in the emerging smart grid, which also has vulnerabilities due to a lack of security focus in its design and implementation, a fact for which many critics have lambasted the Department of Energy. Nonetheless, the DOE maintains that security is a primary concern for the agency.
"The Department of Energy’s key objective to secure the critical infrastructure and key resources includes our Nation’s electric generation, transmission, distribution resources, as well as key oil and natural gas assets. The Pacific Northwest National Laboratory seeks to continue to improve the value of security technologies as they are implemented in these critical infrastructure and key resources areas," a press release for the report states.
The report includes recommendations for bolstering control systems security and mitigating active threats, including:
- Dynamic Whitelisting – Provides the ability to deny unauthorized applications and code on servers, corporate desktops, and fixed-function devices.
- Memory Protection – Unauthorized execution is denied, and vulnerabilities are blocked and reported.
- File Integrity Monitoring – Any file change, addition, deletion, renaming, attribute change, ACL modification, or owner modification is reported. This includes network shares.
- Write Protection – Writing to hard disks is only authorized for the operating system, application configuration, and log files. All other writes are denied.
- Read Protection – Reads are only authorized for specified files, directories, volumes, and scripts. All others are denied.
A copy of the report can be obtained here: http://www.mcafee.com/us/resources/reports/rp-energy-sector-industrial-control.pdf.