Critical Infrastructure Companies Need to Better Protect Their Operational Technologies
Cybersecurity is the set of practices, processes and systems for protecting Information Technologies (IT), which consists of computers, networks, software and stored information, from digital attack. Cybersecurity has become a preoccupation for the government, private sector, institutions and individuals. Billions are spent annually to defend governmental, corporate, and personal IT from cyber intrusion. Innovative companies have developed new ways of providing security.
A major aspect of cybersecurity is the protection of critical infrastructure. The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” There are 16 critical infrastructure sectors, including energy, communications, food and agriculture, transportation, water and wastewater, nuclear power and materials, major manufacturing, and defense industries.
All these sectors are dependent on IT, not merely for communications or billing, but for the operation of major physical systems. Most of them employ IT-based supervisory control and data acquisition (SCADA) systems to monitor and operate a wide variety of hardware. For example, the energy sector is critically dependent on SCADA technology to manage the flow of power, direct the operation of production and storage facilities, and monitor the state of energy usage.
The threat to these large, complex systems, essential to not only the way we live but our very lives, is quite severe. The same IT and SCADA systems that allow for the efficient management and operation of critical infrastructure sectors also create enormous vulnerabilities that adversaries will seek out to exploit. The cyber threat to our energy sector, perhaps the most critical of all, has been growing for years. According to a report by the Idaho National Laboratory prepared for the Department of Energy: “Cybersecurity for energy delivery systems has emerged as one of the Nation’s most serious grid modernization and infrastructure protection issues.”
The dominant focus of infrastructure security is on protecting computers and networks from the introduction of malware. When it comes to critical infrastructure, hackers look for ways of entering the networks and then wend their way to the software programs that control operations. Often, the hackers will look for easy entry points, such as electronic billing systems or supply chain communications, from which they can then launch attacks against SCADA systems or other IT-based means of monitoring and directing operations within a sector.
It is becoming harder to protect entire networks from hacking. The explosive growth in the use of IT for personal and business purposes, and the move to a world where the so-called Internet of Things is ubiquitous, has resulted in a massive increase in potential entry points for hackers. Recently, it was discovered that IT-enabled baby monitors could be hacked. Moreover, hackers keep finding new network vulnerabilities and investing in ever-more sophisticated malware.
Protecting critical infrastructure is a never-ending problem. Operating systems must be constantly patched as vulnerabilities are uncovered. Computer systems and networks are routinely needing upgrades as new malware is developed. The expense of that is significant. Some experts have characterized IT security spending as a “black hole.” Any new approach that does not have to be constantly enhanced would significantly reduce future costs of cyber defense.
An alternative approach to establishing a high level of infrastructure security at an affordable cost is by focusing on operational technologies or OT. OT consists of hardware, such as valves, pumps, generators and SCADA-enabled machinery, all of which are critical to the operation of networks that deliver power, water, and oil and gas.
By focusing appropriate critical infrastructure protection on keeping OT secure, utility companies and others in critical infrastructure sectors can simplify their cybersecurity requirements and significantly reduce costs. The key is to focus on protecting IT-directed OT, rather than an entire network. This can be done by placing a device that only allows pre-defined, legitimate signals to be sent to the OT on a network. No non-specified commands could pass through a protective device. Even if a hacker could penetrate an electric utility’s network, no malware intended to cause OT malfunction could penetrate a device or machine.
Such a system, called Binary Armor, already exists. It could revolutionize the protection of OT. Essentially, it places an in-line barrier to cyber intrusion on a network in front of the OT device. The Binary Armor unit monitors all communications to a piece of OT. Only legitimate commands within the defined operating parameters of the OT can pass through. A command that would cause the OT to behave improperly, or self-destructively, could not pass, regardless of how cleverly the malware was written. This system also will prevent accidentally sending the wrong command to the OT, which is what happened in the Chernobyl disaster.
Because the system is “pre-loaded” with the legitimate commands and operating parameters for that OT, it will rarely need to be upgraded, unlike typical cybersecurity systems. Moreover, Binary Armor would allow utilities and other critical infrastructure sectors to use commercial networks, rather than proprietary ones, further reducing cybersecurity costs. Finally, it would radically increase the problem and costs for the hacker, primarily because a Binary Armor unit must be physically accessed to be reprogrammed.
Currently, a Binary Armor unit must be installed on a network. This is not difficult. The current Binary Armor unit is a 3x2x2 inch box with two Ethernet access ports and a power source. It weighs about six pounds. But in the future, the basic technologies could be embedded into OT, simplifying the cybersecurity challenge.
Strong action needs to be taken now by all critical infrastructure sectors, particularly for energy, to enhance their cybersecurity protections. Public utilities would be remiss in not testing Binary Armor to understand its applicability for their networks.
Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Goure has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC. Read his full bio here.