Imminent Danger

March/April 2017

Imminent Danger

BY EVA KAPLAN-LEISERSON

Cybersecurity is at the forefront of the nation’s consciousness, particularly after reported hacking incidents tied to the recent presidential election. But those who study the issue have long been concerned, pointing out ongoing vulnerabilities that extend beyond information and data to critical infrastructure such as water and wastewater systems, nuclear power plants, electric power networks, and transportation systems.

Ensuring that this infrastructure is safe and secure does require technical mitigation. But many of the challenges, and potential solutions, relate to another factor—culture.

Cyberattacks are growing, and they can come from many different directions.

Robert Clark, P.E., coedited and contributed to the recently released Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level. The environmental engineering consultant, who served as director of the Environmental Protection Agency’s Water Supply and Water Resources Division and liaison for homeland security research, lists potential threats as:

  • state-sponsored and nonstate cyberterrorists;
  • cyberspies stealing information for advantage;
  • cyberthieves engaged in illegal attacks for monetary gain;
  • cyberwarriors who are agents or quasi-agents of nation states;
  • cyber-“hactivists” who perform attacks for philosophical or nonmonetary reasons, or pleasure.

And critical infrastructure is increasingly getting hit. For example, cyberincidents in the water sector increased 79% from 2014 to 2015, according to the Department of Homeland Security, to 25 from 14.

Some incidents are unsuccessful or can be worked around. Last year’s hack of the San Francisco Municipal Transportation Agency that took ticket machines offline resulted in customers temporarily riding for free. But others have more dramatic consequences.

In the mid-2000s, a water and wastewater utility in Boca Raton, Florida, had to shut down for eight hours after a series of attacks that locked up the supervisory control and data acquisition (SCADA) system. As a case study published in the American Water Works Association journal explained, no data monitoring system existed for network traffic, so it was difficult to diagnose the source of the problem. Eventually, it was determined to be a data storm.

Dramatic examples from overseas prove instructional as well. Clark and other experts point to:

  • the disgruntled worker who retaliated against a wastewater management system in Australia in 2000 by spilling hundreds of thousands of gallons of raw sewage from the city’s wastewater management system into local rivers, parks, and public areas;
  • the Stuxnet malware, which reprogrammed Programmable Logic Controllers and damaged centrifuges, discovered in 2010 at a nuclear facility in Iran;
  • and two attacks that shut down electric power in the Ukraine in 2015 and 2016, which have been attributed to Russia.

According to control systems security expert Joseph Weiss, P.E., the same malware used to shut down the Ukrainian power systems is already in our US electric grids and had been tested there for the last couple of years.

“This is real,” the NSPE member stresses. “There’s nothing hype about this.”

As noted in a January 2017 Department of Energy report, “The US grid faces imminent danger from cyberattacks.”

Who Is Responsible?

Jeffrey Hahn, P.E., cybersecurity manager at GE Grid Solutions, previously developed and led industrial control systems cyberemergency training at the Idaho National Laboratory. While attacks are increasing, Hahn believes awareness has also grown. But, he and others say, there’s still a lot of work to be done.

In 2012, then Secretary of Defense Leon Panetta said that cyberattacks on US infrastructure could result in a “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

President Obama’s steps to protect critical infrastructure included a 2013 executive order that expanded a Department of Homeland Security program for information sharing between the government and private sector, and required the National Institute of Standards and Technology to develop a voluntary framework of standards, guidelines, and best practices. (NIST is in the process of updating the framework, which was developed through public-private collaboration, and is collecting comments through April 10. See https://www.nist.gov/cyberframework.)

But there’s an inherent challenge with federal responses, says Clark: the political structure of the US and issues of jurisdictional authority. While the federal government is responsible for homeland security and national defense, most of the infrastructure services are provided at the state or local levels, or are privately owned.

Therefore, although the federal role in cybersecurity has been debated for more than a decade, Cyber-Physical Security explains, action is limited and no overarching strategy has been developed.

The National Governors Association is working to address this challenge. The bipartisan organization, which brings together governors to work on public policy and governance issues, is spotlighting cybersecurity. The organization has been developing resources and is planning a March summit around its “Meet the Threat” initiative.

According to NGA, although much of the critical infrastructure is operated by private companies, they deliver a public good. Thus, their cybersecurity measures “are a matter of public policy.”

An October 2016 memo suggests steps for governors such as:

  • Working with other governors and state and federal lawmakers to evaluate the costs and benefits of regulation;
  • Institutionalizing regular contacts between relevant officials and state utilities;
  • Auditing existing rules and practices; and
  • Exploring public-private partnerships between state regulators and the private sector.

IT And/Or Engineers?

Another jurisdictional issue, at a more granular level, is the role of IT professionals versus engineers.

Joseph Weiss says that, after 9/11, cyberissues became matters of national security and IT took them over. “As we’ve made progress in the word cyber, it got diverted to be everything with an IT aspect,” he says. “And in many cases, not all, engineering was deliberately kept out.”

However, cyber is a reliability and safety issue, he says, and needs to be brought back into engineering—particularly into industrial control systems (ICS). “IT can’t kill anybody,” he stressed in a 2016 National Academies address. “Control systems can and have.”

The division between the security and safety worlds is a huge issue, Weiss says. For example, IT security efforts could actually damage a control system. Locking a workstation after a bad password is inputted a certain number of times could cause serious problems for a power plant. All an attacker would have to do is keep sending bad passwords, he says; then you’re locked out. “That can’t happen. It has to be looked at totally differently.”

IT and ICS have different goals, he says. IT is concerned most with confidentiality and privacy, while ICS focuses on reliability and safety.

One strategy is a cross-disciplinary team, Weiss explains, reporting to top-level executives. It should include representatives from operations, maintenance, engineering, IT, telecommunications, forensics, risk, and public relations.

Since 2002, Weiss has been running a conference to bring together IT and ICS professionals, with subjects such as “what IT professionals don’t understand about control systems” and “what control systems engineers don’t understand about security threats.” But its reach is small with two or three hundred participants, he says, and the message needs to reach a broader audience.

“You’re not going to make the IT person an engineer or the engineer an IT person,” he says. “But you’ve got to have both working together and they’re not.”

Hahn elaborates on other ways engineers can play a role, starting as early as the design process. Electrical engineers need to design secure systems, he says, and engineers working with industrial control systems must understand the difference between good and bad network traffic.

Taking Threats Seriously

While cybersecurity professionals have made progress protecting critical infrastructure, many believe it’s only a start.

Chee-Wooi Ten, an associate professor in the department of electrical and computer engineering at Michigan Tech, conducts research in areas such as SCADA cyber-security and modeling of interdependencies for critical cyberinfrastructures. He says the discussion has moved from debating whether cybersecurity is an issue to determining effective solutions. However, he’d only grade current preparation at a B-, compared to a C in the last decade.

One major challenge Ten describes is the lack of metrics to quantify risk and its reduction. Utilities need to understand the business case for cybersecurity investments, he says, and the metrics are still in the research stage.

GE’s Hahn sees people in control system environments not putting enough emphasis on cybersecurity. Instead, they think, “We haven’t been hit yet. What’s the big deal?” he says. So they don’t take the necessary steps for protection and monitoring.

He says that, while education has increased, what’s really required is a culture change.

“Years ago, safety became job one,” he explains. “A [similar] culture change needs to happen with cybersecurity: making sure it’s everyone’s responsibility and not just the IT guys who protect us.”

While many people still say it’s someone else’s responsibility, he adds, “in an actual event, it takes a village.”

That concept plays out even in various types of infrastructure. Clark explains that efforts to protect water systems after 9/11 focused on physical threats, such as contamination. But “we overlooked the idea at that time [that] even the ancillary related functions like energy could close down the whole water supply without anyone having to appear on scene.”

It’s taken a while for the water industry to recognize this interconnectedness, he says. For example, the director of a Cincinnati water utility told him, after the 2003 East Coast power outage, that they were within a day of having to shut down service to a million people because they didn’t have a system-wide backup power source.

“They hadn’t realized the impact of [connectivity] to the network,” Clark says. But now, he adds, more utilities and other facilities are starting to recognize the need to access emergency energy sources.

It’s important to step outside of your individual activity, he stresses, to look strategically at what else could have an impact.

Training and Talent

“Without a strong cybersecurity culture, there is no cybersecurity,” say the authors of a chapter on the topic in Clark’s book.

They note that while water managers (and other infrastructure leaders) may want to turn the responsibility over to technical staff, technical measures are only one leg of a three-legged stool. The others are people and processes—and are all necessary.

“Like managing any risk, a utility manager, the board of directors, or city government must take ownership of ICS/SCADA cybersecurity. They may not have the technical expertise…but they do have the responsibility for selecting and managing people and ensuring that the proper processes are developed and followed.”

Key steps include formally documenting policies and procedures as well as maintaining proper staffing levels and providing training.

The authors also highlight one possible method that could help address the divide between IT and engineering: a model in which an IT person is assigned to the SCADA group to help control systems engineers secure and maintain their system. This is “an ideal mechanism for mentoring and training,” they write.

But regardless of approach, managers need to make sure everyone involved with the control system is knowledgeable and trained on cybersecurity, the book says.

In addition, interdisciplinary experts are needed. Few cybersecurity or computer science students take engineering courses, Weiss notes. And engineering students don’t take classes on cybersecurity (or even computer science).

Ten explains that Michigan Tech is working on a new master’s program in cybersecurity. Although a number of other programs exist, he points to a need to combine the cyber and physical elements. “In terms of curriculum innovation, the integration of interdisciplinary research, [academia still has] some work to do.”

Clark believes that PEs can provide benefits in the cybersecurity arena.  Consultants or those on staff at a utility can put their professional background and training to use, he says. “Managers that don’t have that immediacy and connection will depend on professional engineers to be able to make judgments and recommendations,” he says. “It’s a great field for PEs to be involved in.”

But professional engineers trying to get up to speed may feel overwhelmed with a glut of information. Clark recommends that PEs focus on resources available through professional associations in their disciplines. And then, more generally, those available through NIST.

Hahn says the issue “really is common sense,” but it requires a change in mindset, from just ensuring systems work to ensuring they work securely.

He suggests asking questions such as, “What would happen if something like this happens?” Then “brain cells start churning, and answers start coming. And we’ll figure things out.”

2015 Cybersecurity Incidents by Sector
2015 CYBERSECURITY INCIDENTS BY SECTOR

DHS Resources

The Department of Homeland Security offers a number of resources for the critical infrastructure community.

See www.dhs.gov/topic/protecting-critical-infrastructure.