For some 3 years now the team at RIoT Solutions has been working with several clients across a number of industries commonly referred to as "Critical Infrastructure". Whether in transportation (light rail and roads), utilities (water and energy), smart cities or manufacturing, our model is simple: apply our deep network and cyber security skills to the domains of Operational Technology (OT) and Information Technology (IT), including Industrial Control Systems (ICS) and the Industrial Internet of Things (IIoT). The RIoT difference is having the capabilities, the experience and, most importantly, an appreciation of both the physical and the digital worlds. This is hard to get, harder to keep, and will be a challenge for us all as these two once very separate worlds combine, sometimes kicking and screaming.
It's a topical subject with much confusion over IoT, IIoT, OT/IT, Smart Cities and Digital Transformation, just some of the buzzwords that surround the hype; but as with all change, it cannot and will not stop. A very common response is "Why would anyone want to hack us?" The answer is: because they can. Beyond being good corporate citizens and making an effort to protect critical infrastructure from all kinds of threats, from cyclones to cyber, saying sorry after an event will not cut it. The entire industry needs to be better.
As the world becomes faster and demands more efficiency, automation, cost savings and even convenience, the requirement for safety will always rise to the top. And as the physical environment becomes more and more connected to IT networks, the invisible threat grows, not only because of a larger attack surface but because of the opportunity for human error and malicious insider activity. Surprisingly (or maybe not), the weaknesses we have observed and continue to find are similar across almost all industries. Our experience to date has led us to change our language and our engagement method: generally we spend a lot of time educating and advising rather than attempting a "silver bullet" fix. This matters because we often see scaremongering tactics, which do not work on an audience that is purely engineering driven. Seeing is believing; visibility and understanding are key. Once the diligent maintenance of a physical asset such as a dam wall, road tunnel or rail line is aligned with a similar strategy for the IT systems running and controlling that infrastructure, we see a cultural shift towards understanding this mystical world of cyber.
Common cyber security threats stemming from similar vulnerabilities have been found across every sector. Below are just some of the tactics we encourage and develop with our clients to help them take their first steps towards security maturity in what is otherwise a fairly untouched and misunderstood environment:
- Developing KPIs for cyber security, to give infrastructure service providers a framework for complying with a minimum set of requirements that protect them from potential cyber security threats. Security is an ongoing process: organisations need to continuously monitor and retrofit standard security remediations into their critical infrastructure environment in a way that best protects the business without losing operational availability and integrity.
- Applying recommended remediations does not guarantee a completely secure, 'unbreakable' environment, but it will reduce the organisation's overall attack surface. The likelihood of an adversary being able to exploit a vulnerability is reduced, and with it the overall cyber security risk to a critical infrastructure facility.
- Key industry recommendations should be considered to reduce the overall available attack surface. These include, but are not limited to, the following items, and should be aligned to internal organisational KPIs.
1. Identify what is ‘Critical’
Securing everything isn't possible. However, identifying the components most critical to smooth operations and taking appropriate steps to secure them is possible most of the time. Once they are identified, likely threats to these components can be documented and a strategy developed against a potential compromise.
2. ‘Know thy assets’
A key step towards a more secure ICS environment is knowing what the environment consists of: the hardware, software and communication protocols in use on site. Understanding how information moves across the network gives insight into where potential weaknesses exist.
3. Identify likely attack paths
Consider threat modelling the identified critical assets, so that the possible combinations of attacks that could take place in a production environment are enumerated rather than guessed at. Working through 'what-if' scenarios shows where the attack surface can actually be reduced.
4. Mitigate against identified attack paths
Identified attack paths should be triaged and, wherever possible, eliminated from the environment. Whatever is not necessary for smooth functioning should be removed from service immediately.
5. Manage facility ‘House Rules’
There are certain requirements that should be followed with diligence regardless of how large or small an organisation is or what the current threat level is. For example:
- Default passwords should be changed on all devices when they are first powered on
- USB devices or other external media should be checked for malware in a 'sandboxed' environment before being introduced into the ICS environment
- Operators and field engineers should have no avenue to use ICS workstations to browse the Internet or check email.
6. Leverage existing Threat intelligence
Staying informed about the latest threats, including ICS-specific malware campaigns and adversary groups, feeds directly into mitigating the attack paths identified for the environment.
7. Eradicate OT & IT silos
Both teams have their respective strengths and weaknesses, and it is important for management to ensure they work together. Teams need to realise that a cyber attack on an ICS environment affects not only the immediate personnel involved but can cripple the entire organisation: downtime that leads to work stoppages can result in a decline in stock price and the interruption of critical services (e.g. water supply, traffic management, public safety). Members of each team should be seconded to the other for 'hands-on' experience with the components in play and the risks of having them taken down.
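To make steps 1 to 5 and the third house rule concrete, the script below is an added example written for this article; it is not RIoT Solutions' code or tooling. It takes flow records (source, destination, destination port) of the kind exported by a firewall, NetFlow collector or Zeek, builds a passive inventory of which hosts speak which ICS protocol and in which role, and then flags conversations that break an assumed Purdue-style zone model: IT hosts talking directly to PLC protocols, OT hosts reaching the Internet, and inbound connections from outside, with anything touching the control zone ranked highest. The zone names, subnets, host addresses and flow lines are all constructed for illustration; only the port-to-protocol map uses the registered ports for those protocols.

```python
"""Passive OT asset inventory and attack-path triage from flow records.

Added example for this article, not RIoT Solutions' code. The zones, subnets
and flow records are constructed; only the ICS port assignments are real.
"""
import ipaddress
from collections import defaultdict

# Registered TCP/UDP ports of common ICS protocols (real values).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",        # ISO-TSAP, Siemens S7
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
    47808: "BACnet/IP",
}

# Ports an operator workstation has no business reaching on the Internet.
INTERNET_PORTS = {80, 443, 25, 587, 993}

# Assumed Purdue-style zone layout; anything not listed is 'external'.
ZONES = {
    "OT-control": ipaddress.ip_network("10.10.0.0/24"),      # PLCs, RTUs
    "OT-supervisory": ipaddress.ip_network("10.10.1.0/24"),  # HMIs, historian
    "IT-corporate": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed flow export: 'src dst dport', '#' starts a comment.
SAMPLE_FLOWS = """
10.10.1.10     10.10.0.5      502     # HMI polling a PLC over Modbus: expected
10.10.1.10     10.10.0.6      20000   # HMI polling an RTU over DNP3: expected
10.10.1.11     10.10.0.5      44818   # historian reading the PLC via EtherNet/IP
192.168.50.23  10.10.0.5      502     # corporate laptop talking Modbus straight to a PLC
10.10.1.10     203.0.113.80   443     # HMI browsing the Internet (house rule breach)
10.10.1.10     10.10.1.12     445     # SMB inside the supervisory zone: not flagged here
198.51.100.7   10.10.1.10     3389    # RDP into the HMI from outside
"""


def zone_of(addr):
    """Map an address to its assumed zone name, or 'external' if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flows(lines):
    """Parse 'src dst dport' lines, ignoring blank lines and '#' comments."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport)})
    return flows


def build_inventory(flows):
    """Step 2: which hosts speak which ICS protocol, and in which role."""
    roles = defaultdict(set)
    for f in flows:
        proto = ICS_PORTS.get(f["dport"])
        if proto:
            roles[f["dst"]].add(f"{proto} server")
            roles[f["src"]].add(f"{proto} client")
    return {host: sorted(r) for host, r in roles.items()}


def severity(src, dst):
    """Step 1: anything touching the control zone (PLCs, RTUs) is critical."""
    return "HIGH" if "OT-control" in (zone_of(src), zone_of(dst)) else "MEDIUM"


def find_attack_paths(flows):
    """Steps 3-5: flag flows that cross the zone model, worst first.

    Returns (severity, code, 'src -> dst', detail) tuples.
    """
    findings = []
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        sz, dz = zone_of(src), zone_of(dst)
        ics = ICS_PORTS.get(port)
        path = f"{src} -> {dst}"
        if sz == "external" and dz.startswith("OT"):
            findings.append((severity(src, dst), "INBOUND_FROM_EXTERNAL", path, f"port {port}"))
        elif ics and not sz.startswith("OT"):
            findings.append((severity(src, dst), "IT_DIRECT_TO_ICS", path, ics))
        elif dz == "external" and sz.startswith("OT") and port in INTERNET_PORTS:
            findings.append((severity(src, dst), "OT_HOST_TO_INTERNET", path, f"port {port}"))
    # Stable sort: HIGH findings first, original order within each level.
    return sorted(findings, key=lambda x: 0 if x[0] == "HIGH" else 1)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for host, r in sorted(build_inventory(flows).items()):
        print(f"{host:15} {', '.join(r)}")
    for sev, code, path, detail in find_attack_paths(flows):
        print(f"[{sev}] {code}: {path} ({detail})")
```

Against a real export you would replace `parse_flows` with a reader for your collector's format and populate `ZONES` from the site's actual addressing plan; the inventory it prints is the starting point for deciding what is critical, not the end of it, and every flagged path is a candidate for removal from service under step 4 rather than an automatic block.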
RIoT Solutions regularly runs round tables, forums and events for OT and IT managers and C-level executives, where we facilitate discussion on key topics relating to OT/IT and cyber security. If you hold such a position and wish to be involved, please contact the team at https://www.riotsolutions.com.au/#contact and follow us at http://www.linkedin.com/company/riot-solutions
About RIoT Solutions
RIoT Solutions is a specialised integrator of robust and resilient IoT solutions within Australia. We provide the ‘Digital Plumbing’ for Operational Technology (OT) and Information Technology (IT) infrastructures, by delivering services that include network architecture, validation and verification, managed services, and cyber security testing. Our consultants have attained multiple levels of the highly respected ‘Offensive Security’ certifications (OSCE, OSCP and OSWP), the Certified SCADA Security Architect (CSSA) qualification, identified a number of key ‘0-day’ vulnerabilities in critical infrastructure systems and common IT networking products, and performed in-depth analysis and reporting on significant malware outbreaks.
The following list gives a few examples of our previous experience in cyber security assessments for organisations that operate and/or build critical infrastructure systems:
- Penetration testing of critical infrastructure assets (roads and rail transport), and Social Engineering assessments (Red Team) of OT operational processes for the Australian G20 summit
- Penetration testing and review of security operations, for Intelligent Traffic Systems (ITS).
- Penetration testing, vulnerability assessments and security architecture design of critical infrastructure (roads and rail transport) that was utilised for the Gold Coast 2018 Commonwealth Games
- Water supply and treatment plants’ SCADA networks security assessments, including attack simulation (Red Team) services, for several large regional city councils.