Electricity, water systems and traffic lights targeted by hackers – Security challenges of industrial internet

Source: eKapija Tuesday, 13.09.2016. 15:54
Imagine what would happen if somebody switched off all the traffic lights in New York in the middle of the afternoon rush hour. This scenario was one of the topics at the conference on security of smart cities, held last month in Las Vegas. People of Belgrade wouldn't find it hard to imagine such a scenario, as traffic lights often malfunction here whenever the rain starts falling even slightly harder. Nevertheless, even though they are used to having to be ready for any situation, it's important to take care of the security of such systems, which have become increasingly exposed to numerous sophisticated technological threats with the development of smart society and modern technologies.

Although we all rely on industrial infrastructure – power plants, transport networks, oil and gas industry – as long as it works, we're not likely to think about how secure and malfunction-resistant it is. During the past few years, the cyber security of infrastructure has failed to keep up with an increasing number of threats, which has made these facilities, with their modern computers and networks, very vulnerable to attacks.

Nowadays, a single person can cause consequences in any corner of the world through the internet. Research shows that hackers find it very easy to penetrate the system and, say, set up a “green wave” or switch off the electricity in an entire neighborhood. Certain hackers have also managed to expose the vulnerability of hospital equipment or trains.

– These days, critical infrastructure everywhere in the world is a potential target. Cyber attacks on critical and industrial environments are on the rise and Kaspersky Lab analyzes and detects incidents in every corner of the world - Stuxnet, Citadel, Energetic Bear/Havex, Miancha, BlackEnergy, Irongate, PLC Blaster, and the list is growing rapidly – says Matvey Voytov, Solution Business Lead, Critical Infrastructure Protection Business Development at Kaspersky Lab, in his interview for eKapija.

He cites that the Stuxnet targeted attack (initiated by inserting malware into the reactor cooling control system) may have started as a weapon focused only on Iran, putting nearly 20% of Iranian nuclear power plants out of order, but that its impact has been global and that industrial settings all over the world, including facilities in the USA, have been infected by it.

Numerous industrial-specific attacks make use of corporate and industrial networks to launch and propagate. During the BlackEnergy attack on the Ukrainian power grid in December 2015, which caused a severe energy shutdown, hackers used several techniques.

These two attacks have shown that a single infected USB device or a phishing e-mail is enough for attackers to bypass the protection and sneak into the network. Traditional security measures are no longer sufficient for protecting industrial environments.

Law on Information Security as the first step towards protection

Due to its underdeveloped infrastructure, Serbia is still, for better or worse, somewhat protected from similar attacks. Nevertheless, the available data show that, in late 2015, several thousand attacks on state institution websites were detected within a single month.

As Zoran Zivkovic, president of the Serbian Cyber Security Society, pointed out in his recent statement to the media, people in our region are more exposed to attacks aiming to misuse personal data, whereas institutions and companies are increasingly often facing theft of sensitive data, espionage attacks and attacks causing breaks in providing services.

It seems that the competent authorities have recognized the threat. The National Assembly of the Republic of Serbia passed the Law on Information Security on January 26, 2016, which came into effect on February 5, and which systematically regulates this area. The law prescribes measures of protection from security risks in ICT systems, responsibility of legal entities in managing and using ICT and authorizes the competent institutions to enact measures of protection, coordinate the protection factors and monitor the proper implementation of prescribed protection measures.

It also defines ICT systems of special significance in the Republic of Serbia, whose operators will be obliged to take appropriate technical and organizational measures of protection. These are ICT systems of public administration authorities, ICT systems which process highly sensitive personal data and ICT systems used in activities of public interest (energy, traffic, healthcare, information society services...)

High stakes of attacks on infrastructure

While there is some overlap in the cyber threats faced by both regular business environments and critical ones, the difference in security requirements is significant. For companies, security strategies typically focus on data protection, relying on the concept of “C-I-A” (confidentiality, integrity, availability). For industrial environments, where continuity is prized above all else, protection isn't data-focused; the priorities come in the reverse order of the business strategy: process availability, integrity and confidentiality.

– This is what distinguishes critical infrastructure cyber security needs, where even the highest quality security solution is effectively useless if it puts the continuity of technological process at risk – explains Matvey Voytov and adds that, in most cases, everyday security techniques can't be used efficiently within industrial environments.

According to him, the key difference between traditional information security and industrial cyber security is the high stakes: a successful breach of critical infrastructure can have an impact far beyond information or financial damages; it can cost lives or result in environmental destruction.

It's hard to tell which areas are the most vulnerable, but the well-known cases show that the three top sectors are certainly energy and utility, oil and gas, and transport. The good news is that many infrastructure providers have already realized that they operate in a precarious environment and are actively working on protecting themselves.

Joining forces necessary

An effective, holistic security strategy should be based on readiness for every possible stage of attack – from the prediction phase, when it’s possible to forecast and proactively reduce the attack surface, to specialized prevention technologies for cutting off most threats. It also requires high-end detection capabilities and the capacity to stop sophisticated, advanced attacks in their tracks. Finally, it’s important for critical infrastructure organizations to be able to mitigate and remediate the negative after-effects of an attack.

– Also I should mention the importance of two-side cooperation between governments and private sector to fight against such threats. At Kaspersky Lab, we already contribute and consult in this process with authorities in many countries globally. For cooperation to be truly effective, geographical disputes and concerns should take a back seat to cross-regional consultation – Voytov emphasizes.

He believes that the era of embedded security is coming. As more and more industrial components become available online due to Industry 4.0 trends and Industrial Internet of Things in particular, the most efficient way of protecting such architectures will be embedded security. General Electric's concept of Industrial Internet is in line with this. The company emphasizes that the main challenge nowadays is not how to improve performance and equipment reliability in a physical sense, through mechanical upgrades, but how to make the equipment “smart”.

Many companies are already actively preparing for the new protection concept, and one of the most important aspects of increasing infrastructure safety is certainly education and raising awareness of potential attacks.

Serbia waiting for CERTs

The Serbian Law on Information Security prescribes the establishment of the National Center for the Prevention of Security Risks in ICT Systems (CERT) as an important prerequisite for an efficient information security system. The center will coordinate the prevention of and the protection from security risks in ICT systems in the Republic of Serbia on a national level, and the establishment of specialized CERTs has also been planned. The National CERT will be put in charge of the Regulatory Agency for Electronic Communications and Postal Services.

The law is meant to contribute to raising awareness of the importance of information security, and, by establishing the National CERT, to a more efficient prevention of attacks on ICT systems as well. Still, only the Ministry of Internal Affairs has its CERT for now, established in November 2015.

Information security in the region

In Bosnia and Herzegovina, a state-level CERT doesn't exist, nor is there one on the level of the Federation of B&H. In Republika Srpska, the CERT within the Agency for Information Society of Republika Srpska has been operating since June 2015. Its task is prevention of and protection from information security incidents. Croatia established its national CERT in 2009, in line with the Law on Information Security. This center is in charge of protecting public information systems. The Croatian and the Slovenian CERTs have contributed to the establishment of a similar national team in Montenegro and supported its membership in FIRST (Forum of Incident Response and Security Teams), the world association of accredited CERTs, as well as in the association of European CERTs.

Marko Andrejic