Information Security in Industry and Energy. What is the problem?


In this article, we discuss the current approach to information security and unacceptable incidents in the power industry. You may be surprised, but similar incidents have happened before. For example, in Venezuela in 2019, a sudden failure of the grid left 80% of the country without power for five days, and a year later in India a chain of blackouts hit the country's transport infrastructure, causing serious damage to trains and traffic control systems.

Strange things about information security in industry

According to our research, the industrial sector is among the top three most attacked industries every year. For example, in the second quarter of 2022, organizations in this sector experienced half the number of attacks compared to the previous period. Most attacks resulted in the disclosure of confidential information (55%) and disruption of industrial operations (53%). Malware was used in 76% of attacks, and ransomware was the most common malware type (61%).

Figure: main malware types used in attacks on industrial organizations (Q2 2022)

While companies across industries, including the energy sector, are increasing their cybersecurity budgets and deploying information security solutions at various levels, including for securing process systems, the situation within the industry has not fundamentally changed. Our experience in analyzing the security of industrial enterprises shows that almost any enterprise, regardless of its size and security budget, can be compromised in just a few steps.

In addition, the business side has changed: CEOs are now actively involved in setting cybersecurity goals, and there is a demand for actual security. This demand is also supported by the government, which is creating the conditions for radical change. So why aren't businesses getting more secure? This question cannot be answered definitively today. There are many interrelated factors. For example, staff shortages and a lack of in-house IT security capabilities are pushing businesses toward MSP or MDR service models rather than in-house solutions. However, security services for the technical (process) infrastructure of industrial companies are still only emerging on the market and have many limitations.

The same is true for other categories of security products. For example, there are no data diodes (one-way data gateways) designed specifically for SAP, and no anti-virus products installed on IP cameras. Yet there are anti-viruses for process automation control systems and computer-aided process control systems (which differ little from traditional anti-viruses), and encryption modules are built into programmable logic controllers (PLCs). Does this make sense? The market has yet to decide.

Seeing these and other "strange things," we conclude that something is wrong with the cybersecurity industry in general, and especially when it comes to securing industrial enterprises.

A Paradigm Shift in Attitudes to Cybersecurity

Today, it is nearly impossible to completely protect an industrial company, or any other company, from hacking and cyber intrusion. As a result, businesses at the C-suite and key executive level have started talking about the need for measurable results at different levels. At Positive Technologies, we call this the results-oriented concept of cybersecurity, which includes the concept of unacceptable incidents.

Outcome-based security is a qualitatively and quantitatively measurable information protection system that protects a company's critical assets from unacceptable events.

For an industrial plant, there are always incidents that are unacceptable. To ensure these events don't happen, you need to clearly define them and their possible consequences. You also need to ensure a level of information security that prevents unacceptable incidents caused by cyber attacks. The goal of a successful cybersecurity approach is to fundamentally improve the security of the company and, through it, the security of the industry and the nation as a whole.

An unacceptable incident is one that occurs as a result of malicious activity and prevents a company from achieving its operational and strategic objectives, or causes lasting disruption to its core business activities.

Unacceptable Events: How They Happen in Real Life

Industry attracts cybercriminals by its size, the importance of the business processes it performs, and its impact on the world around it and on people's lives. Unacceptable events that can result from hacking industrial control systems include production stoppages, industrial equipment malfunctions, product damage, and accidents. The consequences can be very serious: accidents can affect entire regions, and the damage is not only financial or material, but also physical.

Over the past few years, there have been high-profile attacks on industrial facilities around the world that caused power outages. Examples include the hours-long blackout in India and the case of Venezuela, when the entire country was without power for five days. These unacceptable incidents caused by cyber attacks are interesting because they occurred not at the level of an individual industrial facility, but at the level of the national power system. Let's take a closer look at these events.

The Guri hydroelectric plant in Venezuela was hit by a cyberattack: attackers stopped a turbine, causing a sudden loss of generation and massive load shedding on the grid.

Massive blackout in India: attackers caused an unacceptable drop in power frequency, and dispatchers had to shut down power lines. As a result, a chain of blackouts began in Mumbai.

Why Not All Cyber Attacks Are Repelled

Today, corporate cybersecurity is in most cases based on a rather simple principle: each specialist performs their functions strictly within their terms of reference, their job description and their own work regulations.

For example, consider an industrial facility with process control systems, equipment and processes in place. With their help, a dispatcher monitors and controls production. But the dispatcher cannot see what is happening in the facility's own IT infrastructure, and does not know which critical events in the IT systems might cause problems at the process level. This is not in their job description; it is not their functional assignment.

Nonetheless, given the importance of the continuous operation of critical facilities and of protecting them from cyberattacks and insider attackers, it is of course imperative for businesses to implement cybersecurity systems. This creates another on-site specialist, the security officer, who monitors all events happening on-site or across the enterprise's IT infrastructure. Interestingly, the security officer does this in isolation from the main activities of the facility, without the slightest understanding of how the facility operates, or of which modes of operation of major equipment or production lines are considered emergencies. The security officer also does not know the power or frequency thresholds, or what it means to exceed them.

The reason is the same: it is neither the security officer's functional area of responsibility nor part of their job description.

Therefore, neither the dispatcher nor the security officer can see the whole picture of the company's operation.

The picture is not rosy: protection systems appear to be in place, IT budgets increase every year, and information security professionals monitor a high volume of incidents, yet some cyberattacks are still not repelled. Cyber resilience in businesses and industries remains a big question mark, because standard approaches to cybersecurity make it impossible to measure the impact of cybersecurity.

Requirements for Measurable Security Outcomes

We believe that cybersecurity systems for technical facilities must be able to:

  • In terms of monitoring, know the main critical parameters of the facility and their operating thresholds. Additionally, the system must be able to distinguish between normal and emergency operation of the facility.
  • In terms of response, understand and respond to unacceptable-incident scenarios of the company's technology and core business, not just the data of the IT infrastructure, operating systems and network equipment. The effectiveness of cybersecurity comes from understanding the goals and attribution of attackers; the correctness and effectiveness of the response to an attack depends on this.
  • In terms of asset management, it is necessary not only to have up-to-date information on the assets in the IT infrastructure (number of servers, type of operating system, domain policy, etc.), but also to understand which process a given automated process control system (APCS) manages.

Effective Cybersecurity in the Power Sector

Cyber security systems need to be linked with process control systems and IT systems. Industrial plants should develop a process model and protocols for the interaction between information security specialists and control room staff. Both should see a unified picture that links IT event data, the behavior of critical equipment, and events from control systems. With this approach, events that are unacceptable for industrial facilities and power systems become truly infeasible.
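The three requirements above (thresholds for critical parameters, responding to IT events in terms of the plant's unacceptable-incident scenarios, and a unified picture that links IT events to equipment behaviour) can be shown in a few dozen lines. The following is an added example, not code from Positive Technologies or from PT ICS: a minimal correlation routine that classifies process telemetry against operating thresholds and raises an out-of-band reading as an unacceptable-incident scenario only when a security-relevant IT event on the control side preceded it. The thresholds, scenario names, host names and all sample readings are constructed assumptions for illustration (a 50 Hz grid), not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Critical parameters of the facility and their normal operating bands.
# Assumed values for illustration (50 Hz grid), not figures from the article.
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "grid_frequency_hz": (49.8, 50.2),
    "turbine_rpm": (2900.0, 3100.0),
}

# Assumed mapping from an out-of-band parameter to the unacceptable-incident
# scenario it points to, as the plant would define it for its own equipment.
SCENARIOS: Dict[str, str] = {
    "grid_frequency_hz": "unacceptable frequency deviation: risk of cascading line trips",
    "turbine_rpm": "loss of generation: turbine outside operating band",
}


@dataclass
class Telemetry:
    """One reading from the process control system."""
    ts: datetime
    asset: str
    parameter: str
    value: float


@dataclass
class ITEvent:
    """One security-relevant event from the IT side (e.g. SIEM)."""
    ts: datetime
    host: str
    kind: str
    detail: str


def classify(sample: Telemetry) -> str:
    """Monitoring requirement: tell normal from emergency operation using
    the facility's own thresholds rather than generic IT indicators."""
    lo, hi = THRESHOLDS[sample.parameter]
    return "normal" if lo <= sample.value <= hi else "emergency"


def correlate(it_events: List[ITEvent], telemetry: List[Telemetry],
              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Response requirement: judge IT events by their effect on the process.
    An emergency reading preceded (within `window`) by an IT event on the
    control side is raised as an unacceptable-incident scenario; an emergency
    reading with no such precursor stays a plain process alarm for the
    dispatcher, and IT events with no process effect keep IT severity."""
    findings = []
    for t in telemetry:
        if classify(t) != "emergency":
            continue
        related = [e for e in it_events if t.ts - window <= e.ts <= t.ts]
        findings.append({
            "ts": t.ts,
            "asset": t.asset,
            "parameter": t.parameter,
            "value": t.value,
            "severity": "unacceptable_incident" if related else "process_alarm",
            "scenario": SCENARIOS[t.parameter] if related else None,
            "it_events": [f"{e.host}: {e.kind} ({e.detail})" for e in related],
        })
    return findings


# Constructed sample data: an unauthorized PLC project download followed three
# minutes later by a turbine stop, a frequency excursion with no IT precursor,
# and one normal reading.
T0 = datetime(2022, 6, 1, 10, 0)
SAMPLE_IT_EVENTS = [
    ITEvent(T0 + timedelta(minutes=2), "eng-ws-01", "plc_config_write",
            "project download to turbine PLC outside maintenance window"),
]
SAMPLE_TELEMETRY = [
    Telemetry(T0 + timedelta(minutes=1), "turbine-1", "turbine_rpm", 3000.0),
    Telemetry(T0 + timedelta(minutes=5), "turbine-1", "turbine_rpm", 0.0),
    Telemetry(T0 + timedelta(hours=2), "grid", "grid_frequency_hz", 49.5),
]


def run_demo() -> List[dict]:
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_IT_EVENTS, SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for f in run_demo():
        print(f["ts"], f["asset"], f["parameter"], f["value"],
              f["severity"], f["scenario"] or "", f["it_events"])
```

The point of the design is the severity decision in `correlate`: the same turbine reading is a dispatcher's alarm or a security incident depending on what happened on the engineering workstation just before it, which is exactly the link that neither the dispatcher nor the security officer sees when each works only from their own console.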

In our projects with clients, we always adhere to four basic principles:

  • Establishing an end-to-end management process for the entire company, from top management to commissioning engineers to dispatchers;
  • One result for the entire company: no unacceptable incidents across the company's entire infrastructure and business processes;
  • The maximum degree of automation and robotization of the security management process of the entire company;
  • Centralization of all security management functions.


With a single product portfolio, we no longer need to differentiate between technical and enterprise networks. Requiring an end-to-end incident management process means obtaining information on incidents across all infrastructure, whether central office or remote site, corporate network or technical network. Therefore, in the spring of 2022, we launched the first comprehensive platform for protecting industry from cyber threats: PT Industrial Cybersecurity Suite (PT ICS). PT ICS brings together key Positive Technologies products and their components that are deployed inside and outside process control systems and are responsible for the security of process systems. These components carry the necessary expertise, in particular for identifying cyber threats specific to the industrial sector:

  • The MaxPatrol SIEM Industrial Agent collects information from process network nodes and provides specialized event normalization and correlation rules, out of the box, for popular process control systems from different manufacturers. The solution can work with computer-aided process control systems and SCADA systems, among others. This makes it possible to analyze security incidents related to the permitted operating modes of these systems and to users' access policies for their control and configuration functions.
  • PT ISIM sensors, for process control systems from different vendors, perform in-depth analysis of process network traffic, detect anomalies in the network, and help proactively search for threats (threat hunting).
  • The MaxPatrol VM industrial agent securely scans process networks, auditing software and hardware from popular foreign and domestic suppliers.
  • The specialized capabilities of PT Sandbox help dynamically detect malware targeting the technical systems of different vendors.

PT ICS effectively detects the actions of intruders in the industrial chain and provides end-to-end protection for the entire process infrastructure, including data networks, endpoints and special equipment, taking into account the operating mode of industrial facilities and the specifics of production activities. In essence, we are implementing the same approach described above: making cybersecurity for industrial facilities actionable and measurable.


Source: blog.csdn.net/ptsecurity/article/details/130354306