Countering the cyber threat
Securing critical infrastructure from cyber attacks
Security of critical national infrastructure must now involve defending against threats from the cyber world. We hear from the experts about where cyber attacks are coming from, and how they could threaten the region’s utilities
Ever since Stuxnet demonstrated that a crucial energy facility could be physically damaged by an attacker on the other side of the globe, the calls to protect critical national infrastructure from cyber attacks have grown much louder.
The challenge is that the very concept of cyber security is much harder to visualise and quantify than responding to material threats, and it is consequently harder to convince stakeholders of the risks that exist.
That’s not too surprising of course – tell someone an armed terrorist is readying an assault and they know how to prepare; tell them a twelve-year-old in another country is going to crash their systems, and they may just look bemused.
The threats, however, are definitely there. Both our experts agree that the problem is very real, that the attacks are becoming more sophisticated, and that they are growing in frequency. Oman’s National CERT (OCERT) has, since 2010, worked to actively counter cyber threats to Oman. Badar Ali Al-Salehi, OCERT director, says that his organisation has noted significant increases in threats during the past two years.
“As far as the scale of the problem, in Oman we have handled more than 900 cyber security incidents within the country. Tens of thousands of cyber attack attempts targeting Oman were recorded, whilst the number of malware incidents increased by 250% from 2010 to 2011,” Al-Salehi says.
Such an increase in frequency is matched by the proliferation of the types of attacks that Oman National CERT has seen being used in a similar time frame.
“In terms of the actual threats we are seeing, if we were to run through the top five, they would be firstly, website defacements – basically hacking – targeted at government or critical infrastructure websites. The second is the compromise of accounts – be it email, financial or applications.
Third is cyber blackmail, which is often a consequence of the compromise of an email account. We are also seeing a lot of malware infection and, finally, phishing attacks, where real websites are duplicated for financial gain,” he says.
Such attacks – cyber blackmailing, phishing, compromising accounts – could of course have easily conceivable impacts on the running of critical national infrastructure, in common with the impacts on any business. The concern now is that threats are developing which are focused specifically on attacking infrastructure automation systems.
“We have seen new trends and new threats in the past two years that are highly customised to target specific infrastructure. The Stuxnet was basically a wake-up call for all critical national infrastructure to review and evaluate the security measures that were already in place. Although it started in Iran, the Stuxnet issue has been seen now in multiple countries.
Furthermore, the new version – Duqu – has again proved that new threats and malware are increasing, and that they are targeting different infrastructure. It started with nuclear plants, now oil and gas, and water are potential targets too. Lately we have also seen ‘Flame’, which is described as a new weapon that has recently joined the Stuxnet and Duqu family,” Al-Salehi says.
Guy Meguer, general manager of Cassidian CyberSecurity in the Middle East, also believes that Duqu signals that hackers have altered their methods and are developing the next generation of attacks. This is especially concerning, as the development of digital automation within infrastructure systems leaves a particular vulnerability that could be exploited.
“Ever since the internet started to be successful, everyone has been thinking about protecting the internet, protecting the databases, protecting the information systems. At the same time, the information in the energy arena has moved from the old analogue era to the new digital era. By having digital automation for energy, you are immediately talking about connecting automation with the business and corporate information systems. Since these IT systems are connected to the internet, any threat from the internet can use the business network to reach the digital automation,” he says.
Both our experts believe that where this specialisation of threats potentially leads is to extremely serious, even fatal consequences.
“With utilities, the threat is that an attack could basically shut down key infrastructure. It could, for example, cause a system to show reports that are not accurate or fake, and ultimately cause physical damage to the systems. With electricity, water, oil & gas, these are crucial sectors and damage could be severe,” Al-Salehi says.
Meguer agrees that attacks could have very severe results, with effects that are far easier to grimly visualise than concepts of hacked data and stolen passwords.
“If you consider the example of a hacker attacking an energy plant and being capable of remotely destroying the information system of a power plant or pipeline, it will not only damage the automation, it may damage the plant itself.
You could have an explosion, and the consequences of having an explosion could be in the same range as if you had a physical attack. The attacker won’t risk exposure at all and the cost is nothing. That is why the security market is today moving from the legacy of physical security into information and cyber security,” he says.
Middle East vulnerability
Meguer says that the Middle East has a particular vulnerability to these cyber attacks because of the overwhelming centrality of the energy sector to the region’s economy, its society and its wider existence.
“Everything in the Middle East is focused around oil and gas, around energy, around water distribution. The fact that everything in the Middle East revolves around energy makes cyber security more critical here. If Brazil, for example, loses some energy assets, it has other assets and it can survive. I can’t imagine this region surviving without energy.
So what is simply critical elsewhere, is nationally critical for the region. Everything here would be impacted by any attack on these critical assets,” Meguer says.
That being said, the world at large would still inevitably feel the consequences of an attack on the Middle East’s crucial energy sector, and Meguer says it is this that makes cyber security in the region a critical part of national security thinking.
“The Middle East is managing most of the energy around the world and we of course know how important energy is to the world. So the region has understood that it’s not only at the heart of the global economy, but it’s also a matter of national security and this is where awareness is very high and where authorities have decided to go for plans to put the measures in place that are needed. Protecting these energy plants, these assets, is part of protecting global security,” he adds.
There is an equally daunting picture painted when our experts consider where attacks are actually coming from, and the motivation behind them. Al-Salehi believes that serious potential attacks can come from basically any quarter.
“I think attacks come from everywhere. They come from countries – those probably have political interests. They come from hacking groups like Anonymous. They come from organised criminal groups. What makes it more complicated is that there are people involved who have no interest in financial gains, but only for reputation. Some students, for example, get involved just to show their hacking muscles – their capabilities and their skills.
“Attacks can really come from anywhere, and there is not necessarily a reason behind it – or at least not a serious reason behind it,” he says.
The task that is set for those working against these threats appears fairly substantial, and Al-Salehi says that co-operation at an international level will be crucial in readying national CERTs’ defences. Countering threats that transcend national boundaries – and consequently local laws and customs – is a particular challenge, but one that must be faced to coordinate responses to attacks.
“International cooperation is very important. We believed from day one that sharing information is crucial. We have become an active member of a number of international organisations and sit on the board and steering committee of some of them.
For example, we contributed to the establishment of the GCC CERT, which is a virtual committee that addresses cyber security issues, and have drafted a cyber security strategy for the CERT organisation in the region as part of our contribution and mandate to this committee.
“It was very important that we got involved with these international organisations as it doesn’t just help with sharing information, but also helps us address new threats that we haven’t yet seen within Oman or the GCC. From these international relationships, we have started conducting cyber exercises where we simulate attacks and get national CERTs to participate and respond to the ‘threat’. This helps evaluate the readiness of national CERTs to address such attacks,” he says.
Conversely, from the supplier perspective, Meguer says that the national security aspect of cyber security means that operations must be as local as possible.
“In this kind of operation, where you are dealing with national security, the operation must be done locally. In no way would the UAE or Saudi or Qatar want security systems run from Europe. So we have to be Emirati in the Emirates, Qatari in Qatar and Saudi in Saudi Arabia,” he says.
Meguer says that Cassidian CyberSecurity benefits from parent-company Cassidian’s partnership with the region’s governments in relation to physical security.
“Cassidian is, for example, already providing a complete security solution for some countries. You can imagine then that once we have got this kind of relationship with the authorities, when it comes to information systems, it’s a natural consequence to talk about cyber security at the same time as physical security. It doesn’t require a specific approach, just knowledgeable people and trust on both sides,” he says.
There is clearly a need for critical national infrastructure – such as power and water installations – to think seriously about protecting itself from cyber threats. The fact that the threat is invisible doesn’t make it intangible, and the consequence of inertia could be disastrous. Moreover, the attackers are certainly not getting complacent, and infrastructure operators will need to constantly respond and defend against an evolving threat.
“There really is no end point. As technologies advance, hackers advance their techniques as well. It is really a war between good and bad. Or rather, it is a race – you have to keep up to date all the time or you will fall behind,” states Al-Salehi.
Meguer also believes that responding to the threat requires constant attention and a creative ability to anticipate the next unseen attack.
“Nobody knows what will happen tomorrow with cyber attackers, but we have to be prepared for everything unexpected. This is where the industry and the governments have to work together in order that they are prepared for the worst case. Nobody today can tell you what this worst case will be, but we have to be prepared for everything impossible,” he concludes.
Security Operations Centre
Cassidian CyberSecurity’s approach to protecting the automation systems of critical infrastructure has been to integrate a range of security products into a single turnkey solution that can be deployed in the field.
The company has partnered with Canada’s Tofino Security to provide industrial firewalls for the automation system, protecting the dedicated industrial protocols from outside attack. In addition, the system uses whitelisting to ensure that any command entering the protected automation zone comes from a sender on an approved, authorised list.
A ‘deepcut’ inspection is also used to analyse every piece of information that comes from the internet and to discard anything that is not in line with the automation protocols.
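As an added illustration of the two checks described above (a sender whitelist plus protocol-conformance inspection of commands entering the automation zone), the following constructed Python filter inspects Modbus/TCP requests; it is not Cassidian’s or Tofino’s code, and the sender addresses and permitted function codes are assumed policy values.

```python
import struct
from typing import Tuple

# Constructed policy for the example: only the assumed engineering workstation
# may talk to the PLC zone, and only read-type Modbus function codes are allowed.
ALLOWED_SENDERS = {"10.0.1.10"}        # hypothetical authorised sender
ALLOWED_FUNCTIONS = {3, 4}             # 3 = read holding regs, 4 = read input regs
MODBUS_PROTOCOL_ID = 0                 # MBAP protocol identifier for Modbus/TCP
MBAP_HEADER_LEN = 7                    # txn id (2) + proto id (2) + length (2) + unit id (1)


def inspect_modbus_tcp(src_ip: str, frame: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for one request frame entering the automation zone.

    Rejects frames whose sender is not whitelisted, whose MBAP header is not
    valid Modbus/TCP, or whose function code is outside the permitted set.
    """
    if src_ip not in ALLOWED_SENDERS:
        return False, f"sender {src_ip} not on whitelist"
    if len(frame) < MBAP_HEADER_LEN + 1:
        return False, "frame too short for MBAP header plus function code"
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto_id != MODBUS_PROTOCOL_ID:
        return False, f"protocol id {proto_id} is not Modbus/TCP"
    # The MBAP length field counts the unit id byte plus every PDU byte after it.
    if length != len(frame) - 6:
        return False, f"length field {length} disagrees with payload ({len(frame) - 6})"
    function_code = frame[MBAP_HEADER_LEN]
    if function_code & 0x80:
        return False, "exception flag set on a request"
    if function_code not in ALLOWED_FUNCTIONS:
        return False, f"function code {function_code} not permitted (write/diagnostic)"
    return True, f"txn {txn_id} unit {unit_id} fc {function_code} accepted"


def build_read_request(txn_id: int, unit_id: int, function_code: int,
                       start: int, count: int) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct sample input)."""
    pdu = struct.pack(">BHH", function_code, start, count)
    return struct.pack(">HHHB", txn_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    # Constructed sample traffic: a permitted read, a write from the same host,
    # and a read from a host that is not on the whitelist.
    for src, frame in [("10.0.1.10", build_read_request(1, 1, 3, 0, 10)),
                       ("10.0.1.10", build_read_request(2, 1, 6, 0, 1)),
                       ("192.0.2.77", build_read_request(3, 1, 3, 0, 10))]:
        print(src, inspect_modbus_tcp(src, frame))
```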
Oman National CERT
Oman National Computer Emergency Response Team (CERT) has a number of methods through which it aims to counter cyber threats to Oman. It has reactive services focused on responding to security incidents, analysing attacks, coordinating responses and liaising with local law enforcement.
It also has proactive services focused on preventing or minimising the impact of security incidents. This encompasses conducting vulnerability assessments on networks and systems, monitoring Oman’s cyber space against threats and attempted attacks, and keeping citizens informed of current cyber threats.
The CERT also undertakes digital forensics of attacks and cyber crimes for law enforcement agencies when cases are brought against cyber attackers. Cyber security training and awareness is also employed to promote security awareness and the building of cyber security capabilities in Oman.