This document has been developed to assist organisations with some of the considerations when building and operating critical services from an ICS cyber security perspective. The next whitepaper in the series will focus on securing critical services and the interdependencies between cyber and physical security.
Maintaining Operational Control of Critical Services
The ongoing operability of critical services, and their protection against all types of threats
(natural, physical and technological alike), continue to be of great concern to governments.
Such services include the provision of water, electricity, telecommunications and health services
to the population. Critical services are regarded as the mainstay of both developed and
developing economies worldwide, as they provide the basic services a society requires to
sustain itself.
During wars and conflicts, the critical services of cities and countries are often rendered
inoperable. Extreme events can strain critical services in countries most at risk, especially
less developed countries. As we have seen from recent events, even in peacetime critical
services have been targeted by threat actors. An active and vigilant posture is therefore
required at all times.
In business operations and cyber security alike the aim is to protect the “cheese” from
compromise or loss of operability. As an example:
• Within financial services, telecommunication, private and public sector corporates,
the “cheese” is normally personally identifiable information (PII), payment card industry
(PCI) data, and other sensitive data. Loss of or damage to this information may lead to
severe ramifications for both the company holding the data and, in some cases, the
individual to whom the information belongs.
• Power stations, telecommunications, hospitals, and water systems are infrastructure
systems that governments globally typically deem to be critical. The “cheese” is not
so much data-centric, but is associated with the company maintaining “operational
control” over the Industrial Control Systems (ICS) that provide information for control
and operation purposes.
Within the “CIA triad” (confidentiality, integrity and availability), information technology
systems give primary importance to confidentiality and integrity, whilst operational
technology systems focus primarily on the availability of systems.
Establishing Critical Infrastructure
History shows that during a “rebuild or establishment” of a country’s critical services, much of
this is undertaken under stress (war, political unrest, etc.) by contractors from foreign
countries, funded by external agencies, with a mixture of foreign and local workers.
Building these critical services can take from months to years depending on circumstances.
In some environments, physical protection during the building phase is required. The
physical protection requirements are wide and varied, from protection of people, locations,
vehicles and construction equipment to the supply of food and water for the workers. And that is
just the start of the journey.
Industrial Control Systems
ICSs are an integral part of the operations of critical infrastructure, and are designed to
provide information for control purposes. As part of establishing the critical services, ICSs
need to be designed, deployed, configured and operated securely.
Historically ICSs were deployed in an isolated, air-gapped environment, and as such
detection and prevention of cyber security attacks were not considered in the design
process. ICSs are becoming smarter, further automated, and more connected, which in turn
makes them more vulnerable to cyber threats.
Threat actors, by exploiting vulnerabilities in the staff, third parties, networks and software
used by these enterprises, could steal information related to the production process or even
bring operations to a halt.
Threat Actors
State and non-state threat actors with malicious intent also pose a profound threat to
governments, private businesses, and consumers worldwide. The consequences of a
cyber-attack on critical infrastructure could be catastrophic to that city, region or country.
Targeted attacks against critical services’ ICSs are real. A threat actor, also called a
malicious actor, is an entity that is partially or wholly responsible for an incident that impacts,
or has the potential to impact an organisation's security. Cyber threat actors can be defined
in a number of categories including:
• Nation states or national governments;
• Terrorists;
• Industrial spies;
• Organized crime groups;
• Hacktivists and hackers;
• Business competitors; and
• Disgruntled insiders.
There are reasons why state and non-state threat actors do not want to see the successful
implementation or operation of critical services, as disruption of these could:
• Lead to slowing down of economic growth and associated benefits;
• Maintain the continuance of civil unrest within the targeted region;
• Shift a government or administration’s focus to domestic and internal matters and
away from international affairs;
• Lead to a knock-on effect into the private sector;
• Lead to a strain in international relations with allies;
• Result in a loss of faith, trust or good standing with world organisations such as
NATO, WHO, IMF, World Bank etc.; and
• Lead to a shift of the theatre of operations away from ground forces operations.
Former United States Secretary of the Department of Homeland Security Janet Napolitano
stated in 2013 that “Our country will, at some point, face a major cyber event that will have a
serious effect on our lives, our economy and the everyday functioning of our society”.
Though we have seen a rapid increase of cyber-attacks on critical infrastructure in the four
years since this was stated, we are yet to see an attack that has such a “serious effect” on
an economy. But is this the time to sit on our hands?
Keeping services up by improving your ICS cyber security posture
The cyber threat landscape continues to evolve and gain sophistication at a rate never
before seen. Simultaneously, attackers seem to be always a step ahead in exploiting
vulnerabilities across the people, process and technology spectrum. Organisations need
to be able to efficiently detect and mitigate an advanced cyber-attack. People, Process
and Technology elements must be set up effectively to provide this capability.
Operating a region’s or a nation’s critical services means that continual and unstinting focus
on the asset’s cyber security posture is required. You must be able to promptly “detect and
mitigate” a cyber-attack against your asset. To achieve this, continual focus from the
appropriate teams as well as ongoing executive support is required.
Whether you are uplifting the cyber posture of an existing asset or a greenfield site there are
many key elements that you must establish including:
• Ensuring that the appropriate level of policies and procedures are developed and
kept current and relevant, including incident response.
• Ensuring that a multi-year strategy is developed and maintained, ensuring
appropriate cyber hygiene for the asset.
• Effective cyber security starts at the board level – ensure they are engaged, involved
and liable.
• Harden the human – develop and maintain cyber awareness training for the system
users.
• 3rd Parties – Ensure you have an effective working relationship established, so in the
time of need you can depend on them.
• Undertake cyber threat modelling on your asset. Remediate as applicable.
• Cyber Incident Management Scenarios – Exercise, test, validate.
• Ensure that you have appropriate detection and preventative controls established.
• As per the globally recognised NIST standards’ “Identify” recommendations, keep
an accurate inventory of control system devices.
• Implement segmentation – and have the ability to inspect (at a minimum) inter- and
intra-zone processes.
• Remote Access – ensure it is secure, and authorized users are appropriately
authenticated and that sessions are encrypted. Consider the use of thin-client
architecture, such as virtual desktop infrastructure (VDI).
• Ensure Role-Based Access Control is established.
• Undertake regular patching in line with applicable vulnerabilities.
• Ensure system logging is established and that logs are regularly reviewed.
• Ensure that an appropriate level of 24/7 monitoring is established. If outsourced,
ensure the provider is a specialist ICS practice.
• Follow a framework – consider the NIST Cyber Security Framework.
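An added example (not part of this whitepaper and not USS Group code) that ties the inventory, segmentation and log-review items above together: it checks constructed firewall flow records against a constructed asset inventory and an inter-zone allowlist, flagging flows that cross a zone boundary without permission, devices missing from the inventory, and addresses that belong to no defined zone. The zone names, addresses, ports and the key=value record format are all assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed asset inventory: control-system devices and the zone each belongs to.
INVENTORY = {"10.0.5.7": ("eng-ws-01", "enterprise"), "10.10.1.5": ("hist-01", "dmz"),
             "10.20.1.10": ("hmi-01", "control"), "10.20.1.20": ("plc-01", "control")}
# Constructed zone subnets, used to place addresses that are not in the inventory.
ZONES = {"enterprise": ipaddress.ip_network("10.0.0.0/16"),
         "dmz": ipaddress.ip_network("10.10.0.0/16"),
         "control": ipaddress.ip_network("10.20.0.0/16")}
# Permitted inter-zone flows: (source zone, destination zone, destination port).
ALLOWED = {
    ("enterprise", "dmz", 443),  # users read the historian over HTTPS
    ("dmz", "control", 502),     # historian polls the PLC over Modbus/TCP
}

class Finding(NamedTuple):
    line: str
    reason: str

def zone_of(ip: str) -> Optional[str]:
    # The inventory wins; otherwise fall back to the subnet map; None if neither matches.
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def review_flows(log_lines):
    # Each record is "src=<ip> dst=<ip> dport=<port>"; one Finding per problem record.
    findings = []
    for line in log_lines:
        rec = dict(kv.split("=", 1) for kv in line.split())
        src, dst, port = rec["src"], rec["dst"], int(rec["dport"])
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append(Finding(line, "address outside every defined zone"))
        elif src not in INVENTORY:
            findings.append(Finding(line, "source device not in asset inventory"))
        elif sz != dz and (sz, dz, port) not in ALLOWED:
            findings.append(Finding(line, f"inter-zone flow {sz}->{dz}:{port} not permitted"))
    return findings

# Constructed firewall flow records; the last three should each raise a finding.
SAMPLE_LOG = [
    "src=10.0.5.7 dst=10.10.1.5 dport=443",       # permitted enterprise -> dmz
    "src=10.10.1.5 dst=10.20.1.20 dport=502",     # permitted dmz -> control
    "src=10.0.5.7 dst=10.20.1.20 dport=502",      # enterprise host reaching the PLC directly
    "src=10.20.1.99 dst=10.20.1.20 dport=502",    # un-inventoried device inside the control zone
    "src=192.168.7.3 dst=10.20.1.10 dport=3389",  # address from no defined zone
]
```

Running `review_flows(SAMPLE_LOG)` returns three findings, one for each of the last three records; the same check run nightly over exported flow logs gives the "regular review" item a concrete, repeatable form.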
There are numerous articles and publications that assist companies and countries to better
protect critical services from a cyber-related attack. Both NIST and ICS-CERT have practical
cyber security recommendations for ICS, including the ones shown below.
https://www.nist.gov/topics/cybersecurity
https://ics-cert.us-cert.gov/Recommended-Practices
Author – Dave Reeves – USS Group - +61 417 223 898 - www.linkedin.com/in/davereeves