
Cyber-Security Basics, Rev b

John Benson, Senior Consultant, Microgrid Labs

Apr 28, 2020

This item is part of the Cybersecurity for Utilities - Spring 2020 Special Issue.

Introduction

Computer systems that control energy generation, transmission and distribution systems are critical to the operation of a utility or large facility. Cyber-security for these systems is one of those things we (all) should be actively and punctually managing, but many delay and avoid needed protection. In the near future many firms and government-entities will be driven to implement stronger cybersecurity by regulatory requirements and due diligence in response to increased risk.

This paper defines how these threats came into existence and the basic techniques to avoid intrusion and disruption from various cyber-security threats.


I have been involved in various projects that required rigorous cyber security protection for the last two decades, and have accumulated the information below from various sources, including those three listed immediately below. However, I do not consider myself a cyber-security professional (rather I'm an energy systems engineer). It is recommended that any utility or facility considering upgrading their cybersecurity contact such a professional. The best starting place for this is probably your primary energy control system providers. You might also consider the last three organizations listed below.

Information Sources:

Information Assurance Technical Framework, https://apps.dtic.mil/docs/citations/ADA606355

NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, Rev 2
https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

NIST.SP.800-37r2, Risk Management Framework, with updates from 6/5/14
https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

Cybersecurity Professionals:

Information Systems Security Association (ISSA) https://www.issa.org/

IBM Security, https://www.ibm.com/security/

Microsoft Secure,
https://www.microsoft.com/en-us/security/default.aspx

Siemens Cybersecurity
https://new.siemens.com/us/en/company/topic-areas/cybersecurity.html

1.) Sources of Cyber Threats

Hackers, viruses and malware have been around almost as long as computers. Read the subparagraphs below to see how these evolved to attack control systems.

1.1.) Emergence

In the beginning there were only a few computers and only large corporations and government entities could afford them. The only hackers were computer professionals that amused themselves by circumventing the few controls that were around back then.

Then the personal computer was invented. This process started in 1972, when Xerox’s Palo Alto Research Center (PARC) invented a machine called ALTO that contained all of the basic elements of the modern PC. This was followed in 1977 by several similar machines (mainly Apple II, TRS-80). At that point two “killer apps” emerged -- software applications that made these early machines much more useful. These were VisiCalc (electronic spreadsheet) and WordStar (word processing). These early applications could make life much more productive for a wide range of professions. The next element was set in place when IBM created their PC in 1981, and made its technology open. Since IBM made it, businesses took it seriously. Within a few years virtually all businesses had PCs, soon followed by a large percentage of middle-income households. Most applications that were on mainframe computers migrated to PCs within a few years.

One more advance was required before the environment was ready for mass cyber-attacks. The Internet was growing slowly by the late 1980s, and was mainly used by the scientific community. In the period from 1985 until 1993 a series of advancements in network designs, agreements granting increased commercial access to the Internet, and the emergence of the World-Wide Web and Web browsers finally created the modern Web. By the end of the 90s most PCs were connected to the Web.

Of course, as soon as the Internet started to jell, so did the first malware. Although the earliest viruses date back to the mid-60s, in 1988 the Morris worm was among the earliest malware spread via the Internet.

Since then it has been an ongoing battle between attackers and cyber-security engineers. However, two new elements have recently been added, as described below.

1.2.) Emergence of Computer Control Systems

Computer control systems have existed since as early as the 1950s. The early systems were very good at performing simple, repetitive tasks that were too boring for a human. In case you haven’t noticed, computer control systems are now taking on tasks that can challenge a human – like flying airplanes, driving cars, landing space ships and stabilizing the electric grid.

Along with these increased capabilities come increased risks. As computer control systems manage large complex processes, these processes become vulnerable to attacks. Furthermore, many of these process control systems are connected through corporate networks to the Internet, providing a path for attack. Even where control systems are isolated, casual behavior when it comes to data “purity” standards threatens these systems (read: social USB flash-drives).

1.3.) New Players

More recently cyber espionage moved from amateur to professional status.

After the break-up of the Soviet Union, major well-organized criminal enterprises emerged. They saw the financial sector as a potential source of large amounts of money, and they could extract these funds by exploiting vulnerabilities in the financial firms’ IT systems. In the mid-1990s a Russian national allegedly masterminded the break-in of a Citicorp system and was ordered to stand trial in the United States. His organization breached Citicorp's security 40 times in 1994. They were able to transfer $12 million from customer accounts and withdraw an estimated $400,000.

More recently major government entities created espionage groups that employ some of their best computer professionals. Recently, targeted malware has taken down large process control systems.

1.4.) Targeting Industrial Processes

Although criminals tend to target financial institutions “…because that’s where the money is”[1], government entities seem to be more interested in targeting industrial processes. Why should someone target a specific industrial process? There are many potential reasons, including:

  • The product produced by a process is considered damaging to the interest of a government entity, and thus that entity is targeting the process.
  • The product produced by a process is competing with a product produced by another company that is closely affiliated with a government entity, and thus that entity is targeting the process.
  • A government entity wishes to punish another government or organization, the process is critical to that body, and thus the attacking government is targeting the process.

There will also be other instances where a government entity is probing for vulnerabilities, or has found one and is creating a back-door to the process in case they ever want to shut it down.

When one considers the diverse ideologies of various government entities around the world, almost any process could be eventually targeted due to one of the above reasons.

2.) Pushing Cyber-Security into Existence

Most governments recognize that cyber warfare is escalating rapidly. Regulatory agencies have already passed laws ordering government-controlled entities to implement cyber-security processes, and be audited to assure compliance. Furthermore, these rulings are also becoming more demanding with every revision in response to escalating cyber-espionage technology.

In our society, any major new requirement leads the industry that addresses it to introduce new products and services in response. In the case of cyber-security the primary industry is information technology (IT), and the firms in this industry quickly reacted when the U.S. first pushed process-owners to implement more robust cyber-security. The first such organizations in the U.S. were government-entities responsible for intelligence and defense. However, soon after those mandates, electric utilities were informed that they would need to follow suit. The following is a brief history of the development of cyber-security standards for electric utilities:

  • 1998: The North American Electric Reliability Council (NERC) led the effort to assess the electric industry’s readiness for Y2K, at the request of the U.S. Department of Energy.
  • 2000: NERC was appointed as the electric utility industry’s primary point of contact with the U.S. government for national security and critical infrastructure protection issues.
  • 2008: The Federal Energy Regulatory Commission (FERC) approved Critical Infrastructure Protection (CIP) reliability standards designed to protect the nation’s bulk power system against potential disruptions from cyber security breaches. These standards were developed by NERC.
  • 2009: The initial CIP standards were implemented by all North American utilities that owned or controlled bulk electric transmission assets. Initial audits were started.
  • 2010: Initial NERC CIP Standards were updated (also updated every year after 2010). Pipeline Security Guidelines (voluntary) were released for the petroleum and gas subsector of the Energy Sector.

Outside of the standards for federal government entities and CIP Standards for the North American Bulk Electric Transmission System, all efforts by the federal government have been voluntary. All cyber-security work in private industry is also voluntary, although it may be a reasonable part of FTC-mandated information-security due diligence. However, the idea that corporate processes are just as vulnerable as customer information is an emerging concept. At least the federal government is starting to act on these vulnerabilities, even though this is only the first baby-step on a very long road.

2.1.) Emerging Need

In February of 2013, President Obama issued Presidential Policy Directive (PPD)-21, Critical Infrastructure Security and Resilience. The first paragraph of PPD-21 is below.

The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure – including assets, networks, and systems – that are vital to public confidence and the Nation's safety, prosperity, and well-being.

On February 13, 2015 the president issued Executive Order -- Promoting Private Sector Cybersecurity Information Sharing that strongly supports cooperation among organizations in all sectors, including federal governmental organizations. Two paragraphs from the introductory section of this order describe its purpose:

In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies, and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.

This directive goes on to build on an existing class of organization it calls Information Sharing and Analysis Organizations (ISAOs). These organizations had existed for some time as Information Sharing and Analysis Centers (ISACs), which are organized under the National Council of ISACs. These organizations and how they are enhanced by the above Presidential Directive are described in subsection 2.2.7 below.

2.2.) Specific Capabilities

The following are examples of threats to system integrity or unauthorized access to system information:

  • External entry into a system (generally via a network)
  • Malware being inadvertently or intentionally introduced into a system
  • Inadvertent system misuse
  • Internal attack (for example, by an employee)
  • Denial of service attack (typically saturating a system resource with bogus requests)
  • Physical damage to the system
  • Poor design (this can be a primary cause, but is more likely a contributing factor)
  • Damage or loss of supporting infrastructure resulting from a natural event

The components described in the following subsections can help secure a system against many of the above threats. The systems and methods described below are only the basic elements of a cyber-security design. There are many more components and techniques that can be used to secure a system.

2.2.1.) User Authentication Subsystem

This subsystem makes sure that only authorized users can have access to the system, and only to the extent required to do their jobs. Some of the capabilities of this subsystem include:

  • This subsystem implements a password policy that includes a strong password for each user that is changed periodically.
  • There is central administration of users, password and privileges.
  • A policy can be defined that requires background and other integrity checks for all system users.
  • Users are locked out of the system after a number of consecutive incorrect login attempts.
  • All user actions should result in event logs that describe the action and contain the user’s identification.
  • Users will be logged off if there is no activity for several minutes.

Highly-secure systems require multi-factor authentication. Potential factors include:

  • Something the user knows (like a password or pass-phrase)
  • Something the user is (biometrics)
  • Something the user has (like a smart card based on a public-key infrastructure a.k.a. PKI card)
  • Some place the user is (like inside a specific secure perimeter: see the next section 2.2.2)
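The lockout, inactivity log-off and per-user event-logging items from the first list in this section can be sketched as follows. This is an added example, not code from the article or from any control-system product; the class and method names, the five-attempt threshold and the 300-second idle limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5      # assumed threshold; the article gives no number
IDLE_TIMEOUT_S = 300  # assumed value for "several minutes"

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0    # consecutive failed logins
    locked: bool = False

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthSubsystem:
    def __init__(self, clock):
        self.clock = clock   # injectable time source, in seconds
        self.accounts = {}   # user id -> Account (central user store)
        self.sessions = {}   # user id -> time of last activity
        self.audit = []      # (time, user id, event) tuples

    def log(self, user, event):
        self.audit.append((self.clock(), user, event))

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))
        self.log(user, "account_created")

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            self.log(user, "login_rejected")
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0              # only consecutive failures count
            self.sessions[user] = self.clock()
            self.log(user, "login_ok")
            return True
        acct.failures += 1
        self.log(user, "login_failed")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True             # stays locked; admin reset not shown
            self.log(user, "account_locked")
        return False

    def act(self, user, action):
        last = self.sessions.get(user)
        if last is not None and self.clock() - last > IDLE_TIMEOUT_S:
            del self.sessions[user]        # inactivity log-off
            self.log(user, "auto_logoff_idle")
            last = None
        if last is None:
            self.log(user, "denied:" + action)
            return False
        self.sessions[user] = self.clock()
        self.log(user, "action:" + action)
        return True

if __name__ == "__main__":
    now = [0.0]                            # constructed clock for the demo
    auth = AuthSubsystem(lambda: now[0])
    auth.add_user("operator1", "constructed-passphrase")
    results = [auth.login("operator1", "wrong") for _ in range(MAX_FAILURES + 1)]
    print(results, auth.audit[-1])
```

Every branch writes an audit record carrying the user id, so a locked-out or timed-out operator leaves the same trail as a successful one.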

2.2.2.) Secure Perimeter

A secure perimeter isolates a critical system from any potential threat. The network inside this perimeter should be a private domain. Any parts of the network that must pass through an unsecured domain should use encryption. Any communication with components outside of the secure perimeter should be through a firewall. Intrinsically secure methods (like Blockchain) should be used for all transactions through the public domain.

2.2.3.) Defense in Depth

The defense-in-depth design-method puts multiple layers of protection between a potential threat and a vulnerable system asset. These layers could include using a secure perimeter, firewalls to segment the system, the intrusion detection assets described in section 2.2.4 and a patch management system (section 2.2.5) to mitigate potential vulnerabilities.

2.2.4.) Intrusion Detection Assets

The applications below are designed to detect intrusion by unauthorized entities into critical systems. The first two types are typically called intrusion detection systems (IDS). Anywhere from one to all of the applications below can be used in a given system.

  • The host IDS is a software application that runs on each host (computer) in the system and looks for unusual activity such as new applications, processes, or changes in resource usage.
  • A network IDS monitors network activity, and also looks for unusual activity.
  • One type of IDS goes by several names, such as honey-pots, canaries or traps. These are network nodes that look like legitimate targets for attack, but only exist to attract attacks, document such attacks and indicate the presence of a threat.
  • Anti-malware or anti-virus programs are commonly used on most computers. The primary tool of these applications is a database of known viruses with their signatures. This database should be frequently updated with newly identified signatures.
  • Heuristic routines look for general malware behavior signatures (rather than specific malware signatures like normal anti-virus programs).

2.2.5.) Patch Management Subsystem

All software components are vulnerable to attack. There are two types of vulnerabilities – those that are currently unknown and those that have been identified. Day-one attacks (more commonly called zero-day attacks) exploit vulnerabilities that are not known by the target-software author/vendor at the time of the attack. When a new attack method emerges, reputable vendors will quickly identify the vulnerability, classify its severity and start working on a patch to eliminate the vulnerability. Once these patches have been released (over 1,000 per year for a large system is not unusual), each must be discovered, evaluated and implemented if reasonably beneficial to security for the specific system. This is the job of the patch management subsystem.

2.2.6.) Backup Policies and Systems

This section relates to backing up the programs, working files and data of systems periodically, not redundancy (back-ups) for system-elements.

Systems owned by large corporations have utilities that perform on-going backup of all elements; however, these implementations often have gaps. The following is recommended:

  • Multiple chronologically-tagged backups (at least daily for at least 365 days)
  • Periodic off-site transfer of all back-up files to a secure location
  • Enough network bandwidth to perform backups without disrupting other functions
  • A back-up policy that results in all system software, databases and states being frequently backed-up
  • The policy and practices should ensure that mobile assets and embedded systems are periodically backed up.
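The gaps mentioned above can be found by auditing the backup catalogue against the asset inventory. The following is an added example, not part of the original article: the asset names, the record layout `(asset, backup_date, is_offsite)` and the seven-day off-site limit are assumptions, and the catalogue is constructed sample data.

```python
from datetime import date, timedelta

RETENTION_DAYS = 365      # "at least daily for at least 365 days"
OFFSITE_MAX_AGE_DAYS = 7  # assumption: the article says only "periodic"


def audit_backups(inventory, catalogue, today):
    """Return {asset: [issues]} for assets that violate the policy.

    catalogue is a list of (asset, backup_date, is_offsite) records.
    """
    window = [today - timedelta(days=n) for n in range(RETENTION_DAYS)]
    findings = {}
    for asset in inventory:
        dates = {d for a, d, _ in catalogue if a == asset}
        offsite = [d for a, d, off in catalogue if a == asset and off]
        missing = [d for d in window if d not in dates]
        issues = []
        if not dates:
            issues.append("never backed up")
        elif missing:
            issues.append(f"{len(missing)} daily backups missing, earliest {min(missing)}")
        if not offsite or (today - max(offsite)).days > OFFSITE_MAX_AGE_DAYS:
            issues.append("off-site copy missing or stale")
        if issues:
            findings[asset] = issues
    return findings


def constructed_catalogue(today):
    """Constructed sample data: three assets with different backup histories."""
    days = [today - timedelta(days=n) for n in range(RETENTION_DAYS)]
    cat = [("ems-server", d, n % 7 == 0) for n, d in enumerate(days)]
    cat += [("historian-db", d, n % 7 == 0)
            for n, d in enumerate(days) if n not in (10, 11, 12)]
    cat += [("engineer-laptop", d, False) for d in days]  # mobile, never off-site
    return cat


# The embedded device "field-rtu-07" is inventoried but has no backup records.
INVENTORY = ["ems-server", "historian-db", "engineer-laptop", "field-rtu-07"]

if __name__ == "__main__":
    today = date(2020, 4, 28)
    report = audit_backups(INVENTORY, constructed_catalogue(today), today)
    for asset, issues in report.items():
        print(asset, issues)
```

Driving the audit from the inventory rather than from the catalogue is what exposes mobile and embedded assets that were never backed up at all.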

2.2.7.) Information Sharing and Analysis Centers (ISACs)

Per the website for the National Council of ISACs: “ISACs are trusted entities established by Critical Infrastructure Key Resource (CIKR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors, and with government. ISACs take an all-hazards approach and have strong reach into their respective sectors, with many reaching over 90 percent penetration. Services provided by ISACs include risk mitigation, incident response, alert and information sharing. The goal is to provide users with accurate, actionable, and relevant information. Member benefits vary across the ISACs and can include: access to a 24/7 security operations center, briefings, white papers, threat calls, webinars, and anonymous CIKR Owner/Operator reporting.”[2]

Individual ISACs are established for many major industries, including:

  • Automotive
  • Aviation
  • Communications
  • Downstream Natural Gas
  • Elections Infrastructure
  • Electricity
  • Emergency Management and Response
  • Financial Services
  • Health
  • Healthcare Ready
  • Information Technology
  • Maritime
  • Media & Entertainment
  • Multi-State
  • National Defense
  • Oil and Natural Gas
  • Real Estate
  • Research and Education
  • Retail and Hospitality
  • Surface Transportation, Public Transportation and Over-the-Road Bus
  • Water

The National Council of ISACs was formed in 2003 when a volunteer group of representatives decided to meet monthly to address common issues and concerns.

The February 13, 2015 Presidential Executive Order directs The Secretary of Homeland Security to work with existing “Information Sharing and Analysis Organizations”, encourage the development of such additional new organizations and promote information sharing among these organizations and with the federal government.


[1] Sutton’s Law. Willie Sutton, a famous bank robber from the 1920s through the 1950s, is alleged to have responded to a reporter asking him why he robbed banks with this statement.

[2] https://www.nationalisacs.org/

Discussions
Matt Chester on Apr 28, 2020

Thanks for sharing these valuable resources, John. While you claim to not be a cyber-security professional, if all non-cyber professionals had the interest and cognizance of important measures like you have then I think the job of those experts would be much easier!

John Benson on Apr 29, 2020

Thanks for the kind words, Matt.

I worked on several projects that involved heavy cyber-security content. These were mainly with Siemens, but also a smaller company. When I'm working on a new subject, I gather lots of resources, write lots of notes, and then (eventually) turn them into a document. Then every time I revisit the subject, I update the document. I really didn't do much work on the original post (in 2017) as most of this content already existed.

I had a (good) manager for two or three years when I worked for Siemens. When I had put together a document on another highly complex technical subject, he asked me where I had found it. Rather than explaining the above process, I just said that I put it together from multiple sources - I don't think he really believed me.

-John
