Smart factories, smart buildings, smart grids and smart cars make things run better: more productively, more sustainably, more accurately and more safely. Unfortunately, they also make things more vulnerable to attack. The more things are automated and interconnected, the more attention has to be given to protecting these systems from outside interference.
Cybersecurity for the Internet of Things (IoT) is important, especially in business and banking, where it is used to integrate data flows; infiltration of these systems has resulted in massive data breaches. But an attack on the Industrial Internet of Things (IIoT) can cause physical damage to infrastructure that may not be easy to repair. It can bring a factory to a halt or crash an electric utility or a water supply system.
There has been a trend in recent years to interconnect enterprise and factory networks. This gives organizations real-time insight into factory operations for making well-informed business decisions. The integration has many advantages, but it also has downsides for cybersecurity. In the past, industrial control systems, now usually called Operational Technology (OT) to distinguish them from the enterprise's IT, were isolated from the outside world, which made them harder to break into. The convergence of the two opens more possible entry points for malicious actors.
An additional challenge is that IT fixes can be made relatively easily, and IT systems generally have a lifespan of less than five years, while OT systems, because they are tied to complicated physical infrastructure, are usually designed for lifespans of decades. And while it is relatively easy to find a window in which to patch IT, patching OT in a factory usually means shutting down production.
Fighting Back
The Cybercore Integration Center at Idaho National Laboratory (INL) was established to “lead efforts to secure OT by bringing together teams of accomplished control systems cybersecurity analysts, seasoned control systems engineers, and experts in cyber research.”
An important part of the Center's work, funded by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), is an intensive multilevel training program in cybersecurity for industrial control systems. "We have 13 different courses starting with learning a little bit about what an industrial control system is, how it communicates, and the different protocols that are used," said Jeff Hahn, who leads the program. "Risk, understanding how to identify risk, is a big part of it. That includes the various vulnerabilities. But just because you have a vulnerability doesn't mean it's necessarily exploitable — you need to understand the specifics." Hahn is a Certified Information Systems Security Professional (CISSP) with over 35 years of experience in both the private and public sectors.
The courses, with increasing levels of difficulty, are designed to give professionals the tools for understanding and dealing with cyberattacks on industrial control systems. “You have to thoroughly understand the structure of the OT system you need to protect,” said Hahn. “And then place yourself in the mind of an attacker — what are the openings they could seize upon to get into the system and what might they want to do once inside? Then, of course, how would you go about defending against the attacks?”
The initial course, "ICS Cybersecurity Training Online," is 15 to 18 hours long. It starts with an overview of ICS, including techniques for mapping the behavior of a particular network with tools like Wireshark and Nmap. (One caveat worth keeping in mind on a production OT network: active probing with Nmap can upset older controllers that do not tolerate unexpected traffic, so passive capture with Wireshark is the safer place to start.) That is followed by demonstrations of attacks and defenses with hands-on exercises.
After completing the online class, you can attend a four-day in-person course at INL in Idaho Falls, which is where the real action takes place. After the initial classwork, students work in ICS Cyber Escape Rooms, which are fully equipped to provide real-life experience attacking and defending ICS. They get to "hunt" for wireless access points that could be a way in for an attacker, for example.
One of the escape rooms is called Black Start. The scenario is a town called Barnesville that has suffered a cyberattack: a hacker gained access to the control system for the two local power substations, modified the firewall logs and shut down the power. With the grid down, there is no outside power to help the substations come back online.
The students in the escape room find a way to get online access, locate the firewalls and undo the changes the hacker made. Once in the network, they get into the substations and bring them back up. An additional challenge is that the two substations have to be synchronized with each other before they reconnect to the grid.
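The synchronization step is not a formality: closing a breaker between two sources that differ in voltage, frequency or phase angle can damage equipment, so a restoration procedure checks all three before it permits the close. The following is an added example (not INL course material) of that sync-check interlock; the tolerance values, the Source fields and the Barnesville readings are assumptions for illustration.

```python
"""Sync-check interlock before closing a breaker between two substations.

Added example (not INL course material). Tolerances are assumed,
illustrative values for a synchronism check, not figures from the page.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed, illustrative tolerances (not taken from the page or any standard).
MAX_VOLT_DIFF_PU = 0.10    # voltage magnitude difference, per unit of nominal
MAX_FREQ_DIFF_HZ = 0.10    # slip frequency between the two sources
MAX_ANGLE_DIFF_DEG = 10.0  # phase angle across the open breaker


@dataclass(frozen=True)
class Source:
    """Measured quantities on one side of the open breaker."""
    name: str
    volt_pu: float    # voltage magnitude, per unit of nominal
    freq_hz: float    # frequency in Hz
    angle_deg: float  # phase angle in degrees, any range


def angle_difference(a_deg: float, b_deg: float) -> float:
    """Smallest absolute angular separation, handling wrap-around at 360."""
    d = (a_deg - b_deg) % 360.0
    return min(d, 360.0 - d)


def sync_check(a: Source, b: Source) -> Tuple[bool, List[str]]:
    """Return (permitted, reasons). The close is permitted only if every
    quantity is inside tolerance; reasons names each violated check."""
    reasons: List[str] = []
    dv = abs(a.volt_pu - b.volt_pu)
    if dv > MAX_VOLT_DIFF_PU:
        reasons.append(f"voltage mismatch {dv:.3f} pu")
    df = abs(a.freq_hz - b.freq_hz)
    if df > MAX_FREQ_DIFF_HZ:
        reasons.append(f"frequency mismatch {df:.3f} Hz")
    da = angle_difference(a.angle_deg, b.angle_deg)
    if da > MAX_ANGLE_DIFF_DEG:
        reasons.append(f"phase angle mismatch {da:.1f} deg")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed readings: 355 deg and 2 deg are only 7 deg apart across the wrap.
    sub_1 = Source("Barnesville-1", 1.00, 60.00, 355.0)
    sub_2 = Source("Barnesville-2", 0.97, 59.95, 2.0)
    permitted, why = sync_check(sub_1, sub_2)
    print("close permitted" if permitted else "close blocked: " + "; ".join(why))
```

The wrap-around handling in angle_difference is the detail that is easy to get wrong: a naive abs(355 - 2) reports 353 degrees and would block a close that is actually safe, while the same naive arithmetic on other readings could permit one that is not.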
“And there are other logical, physical puzzles like in a normal escape room but with the cyber component. It makes it a fun way to learn and experience the techniques,” said Hahn.
Another component of the training is the red-blue exercise, in which the class is split into two teams, the red team attacking and the blue team defending. The environment contains four different control systems. The attackers can get into the electrical system and turn the power off, or get into the control system and modify the PLC ladder logic. There is also a connected IT component, so it looks like an actual company with lots of data flow; if the attackers get into the database, they can interfere with the company's ability to sell its products.
The blue team has to manage all of it. They watch the firewall logs, the various servers and the process control system, and try to keep the systems operational while the red team tries to sow chaos.
Another four-day in-person class offered at INL is "Detect the Attacker." This course challenges participants to find the attacks within a network. "If you're looking in the right place, you can find what they're doing. But if you're not looking, you'll never see it," said Hahn. The course teaches people how to use the information already available to them to identify attacks.
But first you have to realize that an attack is actually under way before you can go after it. "Too often we find out after the fact," said Hahn. Nothing happens instantaneously; an attack is always a process. The attacker comes in to learn your environment, because your environment may be unique in some respects. While that is going on, you need to find them and get them out before the bad stuff happens.
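As an added example (not course material), here is the kind of check that "looking in the right place" implies, run over a constructed connection log from a small plant network. An HMI reading registers from its controllers is normal; a host nobody has accounted for sending identification requests to every controller it can reach is the learning phase Hahn describes, and the same host later issuing a write is the moment the attack launches. The log format, the host roles, the allow-list and the threshold are all assumptions.

```python
"""Finding an attacker's learning phase in control-network connection logs.

Added example, not INL course material. The log lines are constructed; the
field layout, host roles, allow-list and threshold are assumptions.
"""
from collections import defaultdict

# Constructed sample log: timestamp src dst dst_port protocol function.
# Assumed roles: 10.1.0.5 = HMI, 10.1.0.9 = engineering workstation,
# 10.1.0.77 = a host nobody has accounted for.
SAMPLE_LOG = """\
2025-03-01T02:00:01 10.1.0.5 10.1.1.10 502 modbus read_holding_registers
2025-03-01T02:00:02 10.1.0.5 10.1.1.11 502 modbus read_holding_registers
2025-03-01T02:00:06 10.1.0.77 10.1.1.10 502 modbus read_device_identification
2025-03-01T02:00:06 10.1.0.77 10.1.1.11 502 modbus read_device_identification
2025-03-01T02:00:07 10.1.0.77 10.1.1.12 502 modbus read_device_identification
2025-03-01T02:00:07 10.1.0.77 10.1.1.13 502 modbus read_device_identification
2025-03-01T02:00:08 10.1.0.77 10.1.1.14 102 s7comm read_szl
2025-03-01T02:00:09 10.1.0.77 10.1.1.15 44818 enip list_identity
2025-03-01T02:05:00 10.1.0.9 10.1.1.10 502 modbus write_single_register
2025-03-01T02:06:00 10.1.0.77 10.1.1.10 502 modbus write_multiple_registers
"""

# Assumed site policy: only the engineering workstation may write to controllers.
ENGINEERING_HOSTS = {"10.1.0.9"}
WRITE_FUNCTIONS = {"write_single_register", "write_multiple_registers",
                   "write_single_coil", "download_block"}
# Identification requests are how a newcomer learns what each controller is.
ENUM_FUNCTIONS = {"read_device_identification", "read_szl", "list_identity"}
MAX_DEVICES_ENUMERATED = 3  # assumed: more distinct controllers than routine discovery touches


def parse(log_text):
    """Turn the six-field log lines into dicts; whitespace-separated, no quoting."""
    rows = []
    for line in log_text.splitlines():
        ts, src, dst, port, proto, func = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst,
                     "port": int(port), "proto": proto, "func": func})
    return rows


def detect(rows):
    """Return (kind, source_host, detail) findings.

    controller_enumeration: one source identified more controllers than the
        threshold (the attacker learning the environment).
    unauthorized_write: a write-class function from a host not on the
        allow-list (the moment the attack launches).
    """
    findings = []
    enumerated = defaultdict(set)  # source host -> controllers it identified
    for r in rows:
        if r["func"] in ENUM_FUNCTIONS:
            enumerated[r["src"]].add(r["dst"])
        if r["func"] in WRITE_FUNCTIONS and r["src"] not in ENGINEERING_HOSTS:
            findings.append(("unauthorized_write", r["src"],
                             f"{r['func']} to {r['dst']} at {r['ts']}"))
    for src, devices in sorted(enumerated.items()):
        if len(devices) > MAX_DEVICES_ENUMERATED:
            findings.append(("controller_enumeration", src,
                             f"{len(devices)} controllers identified"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:24} {host:12} {detail}")
```

The enumeration finding fires minutes before the write does, which is the window Hahn is talking about; it also depends on the log recording the protocol function, not just source, destination and port. A flow log that keeps only what operations needs would still show 10.1.0.77 talking to six controllers, but would not distinguish identification requests from the HMI's routine reads.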
Another course, funded by the Department of Energy, is Cyber Strike – Lights Out. It covers the two Ukraine power grid attacks of 2015 and 2016. On December 23, 2015, attackers took down parts of the Ukrainian grid served by three regional electricity distribution companies, cutting power to roughly 230,000 customers for one to six hours. The attack took place during the ongoing Russo-Ukrainian War and has been attributed to the Russian advanced persistent threat group known as Sandworm. "Even though it's a decade old, the lessons that can be learned from looking at how these attacks were accomplished and what they did is really helpful," said Hahn.
There are also challenges specific to analyzing ongoing OT operations. Automated tools flag an attack in progress by looking for things that should not be happening. ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, was developed by MITRE to support this task, and it includes a matrix specific to ICS. Using it, however, requires access to the full range of data sources in a control system, because each technique is recognized through particular evidence: network traffic content, controller logs, process data and so on.
Hahn described an issue that arose when he was working with multiple utilities on an INL research program. He asked whether they captured the specific data fields needed to identify a given attack technique. They replied that they capture only the fields they need for operations. That, according to Hahn, meant they could be blind to an attack in progress.
That was the genesis of the "Detect the Attacker" course mentioned above. There was an obvious need for people in industry to start looking for incoming attacks, "learning how to identify specific techniques where the attacker is trying to be really stealthy, very quiet, not planning to do anything until the moment they launch their attack," said Hahn.
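An added example (not INL's or MITRE's tooling) of the gap Hahn describes: given a table of which data sources could reveal each technique and the list a utility actually captures, it reports the techniques the utility is blind to and which single additional data source would close the most of those gaps. The technique-to-source table is a simplified, illustrative mapping in the spirit of ATT&CK for ICS, not the official matrix, and the utility's captured list is constructed to mirror "only what we need for operations."

```python
"""Which techniques are invisible given the data sources actually captured?

Added example; not INL's or MITRE's tooling. TECHNIQUE_SOURCES is a
simplified, illustrative mapping in the spirit of ATT&CK for ICS (technique
-> data sources, any one of which could reveal it), not the official matrix.
CAPTURED_BY_UTILITY is constructed to mirror "only what we need for operations".
"""

TECHNIQUE_SOURCES = {
    "Remote System Discovery":      {"network_traffic_flow"},
    "Unauthorized Command Message": {"network_traffic_content"},
    "Program Download":             {"network_traffic_content", "controller_application_log"},
    "Modify Parameter":             {"network_traffic_content", "process_historian"},
    "Valid Accounts":               {"logon_session"},
}

# Constructed: the historian and logon records exist because operations needs them.
CAPTURED_BY_UTILITY = {"process_historian", "logon_session"}


def coverage(captured, technique_sources=TECHNIQUE_SOURCES):
    """Split techniques into (detectable, blind): detectable if at least one
    of the technique's data sources is captured, blind if none is."""
    captured = set(captured)
    detectable = sorted(t for t, srcs in technique_sources.items() if srcs & captured)
    blind = sorted(t for t, srcs in technique_sources.items() if not srcs & captured)
    return detectable, blind


def best_addition(captured, technique_sources=TECHNIQUE_SOURCES):
    """The single uncaptured data source that would make the most currently
    blind techniques visible, as (source, number_of_techniques); (None, 0)
    when nothing is blind."""
    captured = set(captured)
    _, blind = coverage(captured, technique_sources)
    gain = {}
    for t in blind:
        for src in technique_sources[t] - captured:
            gain[src] = gain.get(src, 0) + 1
    if not gain:
        return None, 0
    best = max(sorted(gain), key=gain.get)  # sorted() makes ties deterministic
    return best, gain[best]


if __name__ == "__main__":
    detectable, blind = coverage(CAPTURED_BY_UTILITY)
    print("detectable:", detectable)
    print("blind:     ", blind)
    print("add first: ", best_addition(CAPTURED_BY_UTILITY))
```

With the constructed inputs the utility can see a parameter change in the historian and a logon with stolen credentials, but not the discovery, command and program-download techniques that precede them, and capturing network traffic content is the one addition that closes two of the three gaps. The same structure works with the real ATT&CK for ICS data-source listings in place of the illustrative table.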
Organizing the Counterattacks
The training center at the INL Cybercore Integration Center plays a vital role in helping organizations around the world boost their cybersecurity. It was established in recognition of the need for organized approaches to detecting and defending against the massive number of ongoing cyberattacks, rather than piecemeal patches.
For more information, visit here.

