Today’s “Digital World” gives us a great many benefits like instantaneous communication, the ability to gather vast amounts of information, and fantastic entertainment. Unfortunately, the down side to the digital revolution is that new threats to our electronic lifestyles arise daily.
One area of crucial importance and vulnerability is threats to the critical infrastructure of our public utilities. The recent increase in cyberattacks on utilities is a growing concern for governments around the world. Vulnerabilities can be as simple as default configurations or as complex as the notorious Flame malware. Such cyberattacks are also increasing in frequency, particularly in the energy sector — the lifeline of global economies.
A recent study by the global consulting firm PwC showed that there were almost 43 million reported cyber security incidents in 2014. That’s a 66 percent increase over 2013. In the United States alone, 40 percent of all cyberattacks were against energy sector companies.
Types of attacks
Attacks on public utilities are of two types based on their impact:
The first is a simple data breach, where hackers penetrate a system in order to steal customer data without causing havoc on the system. An example of this is a hack on the customer records of an electrical utility, where hackers break in, grab the data, and get out without damaging the system. Oftentimes the target entity is unaware that it was even hacked.
The other type of hack is even more serious, and its results can be catastrophic. Hackers can break in and take control of a utility’s power distribution, leaving cities or whole regions in the dark and putting lives at risk. An example of this is the BlackEnergy Trojan attack on the Ukrainian power grid in 2015 — an attack that left 1.4 million people without electricity in December.
Why public utilities
Sadly, it is relatively easy to attack major public utilities. Too often it all comes down to one simple answer: the Supervisory Control and Data Acquisition (SCADA) system, the control system that sits at the heart of practically every power station. SCADA was built in an era when cybersecurity was not an issue, and as a result these public utilities are low-hanging fruit for hackers.
SCADA systems require human-machine interface (HMI) software, which allows users to interact with the system. Many of these systems were developed more than 15 years ago, without security in mind. Now all the big organizations are racing against time, and spending vast sums to secure critical components. It’s projected that nearly $2 billion (U.S.) will be spent on securing critical infrastructures by 2018.
So how do the hackers get in? It’s quite simple when you leave your SCADA system outside of your protection boundaries. According to experts, SCADA and ICS systems are regularly set up outside of the firewall zone, making them easy targets. The hackers only need to find out where in the network they reside, which is often just a click away, even for script kiddies. Making it even easier to attack a utility is the existence of websites that list databases of vulnerable, Internet-connected SCADA systems worldwide.
Human error has always been the biggest factor in any cyberattack. The infamous Stuxnet worm, designed by the United States and Israel to sabotage Iran’s nuclear program, was distributed via a well-disguised phishing e-mail.
Too often, a lack of cyber-awareness and fallible human nature leave the door open for these types of malware to get into internal networks and launch their mayhem. A lack of strict physical security controls makes it a simple process for a trespasser to access and infect a critical system with malware merely by inserting a USB stick into any unattended workstation or server.
Why don’t these public utilities do more to protect their infrastructure? Because replacing an entire system is prohibitively expensive and usually not an option — which leaves updating or upgrading the existing system as the only viable option.
Additionally, more than 50 percent of companies think upgrading their systems would be disruptive to daily service. The cost of updating these legacy systems is also sometimes not feasible for many companies, as they consider infrastructure to be a sunk cost, even while realizing that the consequences of a breach could be catastrophic.
The situation is becoming dire as more sophisticated attacks are carried out by motivated terrorist groups. Often these attacks are backed by rogue nations, and their frequency is on the rise. Protection against such attacks is now a top priority for many private and public energy companies. Protecting such critical components will require a multifaceted control system, including security around the SCADA system itself as well as physical and human controls.
A job for IT security
With such exposure and the potential for massive damage, there is great demand for skilled IT security professionals — in fact, cybersecurity is currently the fastest growing segment of information technology.
There is a great amount of work to be done to protect public utilities. Vast numbers of SCADA systems need to be updated with the latest patches to eradicate existing and potential vulnerabilities. Other important steps to protect utilities include:
- Make systems conform to the Security Development Lifecycle Assurance (SDLA) certification, to ensure proper cybersecurity standards are maintained and built into the lifecycle of products.
- Monitor integrated computer solutions.
- Maintain due diligence over the security controls for all control systems.
- Properly document change management and lessons-learned reports for future fixes.
- Implement a demilitarized zone (DMZ) as an outer protective shell for the SCADA system, to filter any malicious ingress or egress traffic.
- Implement regular and thorough training of employees on proper cybersecurity practices.
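The two network points made above, that SCADA and ICS systems are too often placed outside the firewall zone, and that a DMZ should sit between the outside world and the control system, can be turned into a mechanical check. The following is an added example written for this article, not code from the article or from any vendor. It audits a firewall zone policy against a simple DMZ model: nothing from the Internet reaches the control zone directly, only the DMZ may talk to the control zone, the control zone never initiates connections to the Internet, and the policy ends with a catch-all deny. The rule format, the zone names (INTERNET, CORP, DMZ, CONTROL) and both sample policies are constructed for the illustration; the protocol port numbers are the well-known defaults for those industrial protocols.

```python
"""Audit a firewall zone policy for a SCADA/ICS network against a DMZ model.

Added example, not code from the original article. Rule format, zone names
and the two sample policies below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known default TCP ports of common industrial protocols (public values).
CONTROL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    4840: "OPC UA",
    44818: "EtherNet/IP",
}

# Zone names are an assumption made for this example.
INTERNET, CORP, DMZ, CONTROL, ANY = "INTERNET", "CORP", "DMZ", "CONTROL", "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]   # None means "any port"
    action: str            # "allow" or "deny"


def is_catch_all_deny(rule: Rule) -> bool:
    """True for a rule that denies everything from every zone to every zone."""
    return (rule.action == "deny" and rule.src_zone == ANY
            and rule.dst_zone == ANY and rule.dport is None)


def audit_policy(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule_index, message) for every allow rule that bypasses the DMZ model.

    A missing trailing catch-all deny is reported with index len(rules).
    """
    findings: List[Tuple[int, str]] = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if rule.dport is None:
            proto = "any port"
        else:
            proto = CONTROL_PORTS.get(rule.dport, f"port {rule.dport}")
        # Ingress: the Internet must never reach control devices directly, on any port.
        if rule.src_zone == INTERNET and rule.dst_zone == CONTROL:
            findings.append((idx, f"Internet reaches the control zone directly ({proto})"))
        # Ingress: everything else must traverse the DMZ; only DMZ hosts poll the PLCs.
        elif rule.dst_zone == CONTROL and rule.src_zone not in (DMZ, CONTROL):
            findings.append((idx, f"{rule.src_zone} reaches the control zone "
                                  f"without passing through the DMZ ({proto})"))
        # Egress: control devices have no business opening connections to the Internet.
        if rule.src_zone == CONTROL and rule.dst_zone == INTERNET:
            findings.append((idx, "control zone may initiate connections to the Internet"))
        # Least privilege: allow only the protocol ports that are actually needed.
        if rule.dst_zone == CONTROL and rule.dport is None:
            findings.append((idx, "any-port allow into the control zone; "
                                  "restrict to the required protocol ports"))
    if not rules or not is_catch_all_deny(rules[-1]):
        findings.append((len(rules), "policy does not end with a catch-all deny rule"))
    return findings


# Constructed "before": a flat network with the SCADA system outside any boundary.
WEAK_POLICY = [
    Rule(INTERNET, CONTROL, 502, "allow"),   # Modbus HMI exposed to the Internet
    Rule(CORP, CONTROL, None, "allow"),      # office LAN talks straight to the PLCs
    Rule(CONTROL, INTERNET, None, "allow"),  # PLC network can reach anything outside
]

# Constructed "after": the DMZ is the only path into and out of the control zone.
HARDENED_POLICY = [
    Rule(CORP, DMZ, 443, "allow"),           # operators use a jump host / historian in the DMZ
    Rule(DMZ, CONTROL, 502, "allow"),        # only the DMZ collector polls Modbus
    Rule(DMZ, CONTROL, 20000, "allow"),      # ... and DNP3
    Rule(ANY, ANY, None, "deny"),            # everything else is dropped
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(audit_policy(policy))} finding(s)")
        for idx, msg in audit_policy(policy):
            print(f"  rule {idx}: {msg}")
```

Run against the constructed policies, the flat network produces five findings and the DMZ policy none. In practice the rule list would be exported from the perimeter firewall and the zone names mapped from its interface labels; the check is cheap enough to run on every change-management ticket, which also covers the documentation step in the list above.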
With so many systems at risk, the demand for cybersecurity pros is high, and the best way to prove your skills is, as always, certification. Five solid cybersecurity certifications on the Indian market include:
EC-Council Licensed Penetration Tester (LPT) demonstrates an individual’s ability to audit network security, perform penetration testing (pen test) and recommend corrective actions for any vulnerabilities. Certified individuals are able to conduct pen tests utilizing EC-Council’s renowned methodology for penetration testing.
GIAC Certified Penetration Tester (GPEN) enables security professionals to evaluate networks and systems for existing vulnerabilities and recommend and implement solutions. GIAC is a global leader in security and their credentials certify that trained individuals not only know how to conduct pen tests according to best practices, but also understand and take into account the legal ramifications involved with such tests. This cert is rapidly growing in popularity and value in India.
EC-Council Certified Secure Programmer (ECSP) is a great certification for preventing breaches due to coding errors. Certified professionals utilize best practices and proper programming techniques to write high-quality code that protects against vulnerabilities. Individuals can be certified in .NET and Java.
Certified Secure Software Lifecycle Professional (CSSLP) validates the ability to develop applications and software security protocols for an organization. Training places a strong emphasis on reducing exposure to potential vulnerabilities and on choking off potential points of breach throughout the software development cycle.
Check Point Certified Security Expert (CCSE) enables certified individuals to build, modify, deploy and troubleshoot Check Point security systems. An exciting portion of this training involves hands-on lab exercises dealing with debugging firewalls, optimizing VPN performance and upgrading the security of management servers. This is a great certification for those working with Check Point systems, and is a good lead-in to the higher Check Point certifications: Managed Security Expert (CCSME) and the new Certified Security Master (CCSM).
A serious and ongoing problem
Cyberattacks on public utilities, especially the big energy sectors like oil, gas, and electricity, are very real and dangerous threats to a nation. The potential for damage from a hack can be as horrific as that of a military invasion. Fortunately, more governments and companies around the world are waking up to the danger.
Unfortunately, many still do not accept that bringing down this critical infrastructure not only seals their fate but can also leave a lasting mark on a nation and irreparably damage a company’s reputation.
The opportunities for IT security professionals to help protect an entity’s critical systems are wide open. Certification in any of the above credentials will prepare an individual and open doors to high-paying jobs as malware reverse engineers, pen testers, and systems security analysts. If you like a fast-paced career filled with daily challenges, opportunity for growth, and above-average pay, then consider a cybersecurity certification.