
The terrorist threat to critical infrastructure

Dec 17, 2015

By Ken Westin


The power industry in particular should be concerned about recent reports that terrorist groups have been probing critical infrastructure in the United States. Even though the recent attempted attacks against the power grid have failed, each failure teaches the attacker something. The next attempts may be more successful.

The fact that any terrorist group has been able to identify and probe exposed U.S. critical infrastructure should be cause for serious concern. There is no doubt that our critical infrastructure is exposed; experts within government and the security industry have been saying so for years.

If terrorist organizations are able to recruit people with technical skills, or individuals with direct access to critical infrastructure, the potential for serious damage increases substantially. Stuxnet shows what a capable actor with insider-level access to an industrial process can do.

When dealing with the security of industrial environments, there are a number of challenges in bridging the gap between operational technology (OT) and information technology (IT). On the OT side, the people wearing hard hats fully understand physical security and the importance of reliable, stable systems. In that environment, the failure of a single system can cascade through the entire process with disastrous results.

On the IT side, we have a group that knows how to secure infrastructure against remote attackers, but for them a compromise usually means lost data or downtime, which is a mere inconvenience compared to the physical consequences of a successful attack on an industrial control system.

In order to secure our infrastructure, it is critical that the OT and IT groups collaborate and understand the strengths and weaknesses of each other's approach. More importantly, each group must understand the context within which the other operates. For example, OT is focused on reliability and uptime, so if IT runs an active vulnerability scan against a controller that was never designed to handle unexpected traffic and the controller stops responding, we have a problem. Similarly, if the business connects a sensor on an industrial system to the main IT network without the IT group's buy-in and collaboration, it has exposed the entire process to whatever reaches that network.
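The two concerns above, active scanning that can knock over an OT device and an OT asset quietly bridged onto the IT network, can both be addressed without sending a single packet into the control network. The following Python script is an added example written for this page, not code from the author or from Tripwire. It builds an OT asset inventory passively from observed flow records and flags any traffic that crosses directly between the IT and OT zones instead of passing through a DMZ. The zone addressing, the flow records and the hostnames are all constructed for illustration; the ICS port numbers (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818) are the IANA-registered ones.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records in the form src_ip,dst_ip,proto,dst_port.
# These are made up for the example and are not captured traffic.
SAMPLE_FLOWS = """\
# engineering workstation polling PLCs over Modbus/TCP
10.10.1.5,10.10.1.20,tcp,502
10.10.1.5,10.10.1.21,tcp,502
# RTU master talking DNP3
10.10.1.6,10.10.1.22,tcp,20000
# PLC pushing data to the historian in the DMZ (expected path)
10.10.1.20,10.10.5.10,tcp,5432
# corporate laptop reaching a PLC directly (should not happen)
192.168.50.14,10.10.1.21,tcp,502
# OT sensor gateway reaching a corporate file server directly
10.10.1.23,192.168.50.7,tcp,445
# corporate laptop reading the historian via the DMZ (expected path)
192.168.50.14,10.10.5.10,tcp,443
"""

# Hypothetical zone layout; a real site would load this from its network design.
ZONES = {
    "OT": ipaddress.ip_network("10.10.1.0/24"),
    "DMZ": ipaddress.ip_network("10.10.5.0/24"),
    "IT": ipaddress.ip_network("192.168.50.0/24"),
}

# IANA-registered ports for common ICS protocols.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}


def zone_of(ip):
    """Return the zone name for an address, or UNKNOWN if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flows(text):
    """Parse the simple CSV flow format into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = line.split(",")
        flows.append((src, dst, proto, int(port)))
    return flows


def passive_inventory(flows):
    """Build an OT asset list from traffic that was already observed.

    Nothing is probed: a host is listed because it was seen in the OT zone,
    and a protocol is attached to it only when it was seen serving an ICS port.
    """
    inv = defaultdict(set)
    for src, dst, proto, port in flows:
        if zone_of(src) == "OT":
            inv[src]  # register the talker even if it served nothing
        if zone_of(dst) == "OT" and port in ICS_PORTS:
            inv[dst].add(ICS_PORTS[port])
    return {ip: sorted(protos) for ip, protos in inv.items()}


def direct_it_ot_flows(flows):
    """Flag flows between IT and OT that bypass the DMZ in either direction."""
    findings = []
    for src, dst, proto, port in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if {zs, zd} == {"IT", "OT"}:
            direction = "IT->OT" if zs == "IT" else "OT->IT"
            findings.append((direction, src, dst, proto, port))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("OT assets seen (passive):")
    for ip, protos in sorted(passive_inventory(flows).items()):
        print(f"  {ip:12}  {', '.join(protos) or '(no ICS service observed)'}")
    print("Direct IT<->OT traffic (review each):")
    for direction, src, dst, proto, port in direct_it_ot_flows(flows):
        print(f"  {direction}  {src} -> {dst} {proto}/{port}")
```

Feeding this the real flow export from a network tap or firewall log gives the IT side an inventory it can hand to the OT engineers without ever touching a controller, and gives the OT side a list of the exact devices that someone has bridged onto the corporate network. The flow through the DMZ historian is deliberately not flagged, since that is the sanctioned path.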

We need to begin with the assumption that these environments are being targeted by groups such as ISIS and plan accordingly. These groups may not be able to take the power grid down, but they may not need to, particularly if an attack on critical infrastructure is a precursor to, or happens in tandem with, a physical terrorist attack, either to complement it or to act as a distraction.

The FBI has been heavily involved in helping to secure critical infrastructure through a number of outreach and liaison efforts with critical infrastructure partners. Through InfraGard and other outreach programs with the private sector, academia, industry and the scientific community, there is a great deal of open communication regarding potential and active threats.

Those involved in securing critical infrastructure should consider having members of their organization join InfraGard as well as the Information Sharing and Analysis Center (ISAC) specific to their industry. The National Council of ISACs currently lists a number of groups, such as ICS-ISAC (http://www.ics-isac.org/) for industrial control systems and ES-ISAC (https://www.esisac.com/) for the electricity sector, among others.

When it comes to securing critical infrastructure, you are generally dealing with a very heterogeneous collection of assets running a multitude of different operating systems, often custom-developed for a specific purpose. This is very unlike the IT world, where assets generally run a common operating system, are largely alike, and can be accessed, controlled and modified with standard tooling. In the OT world you are dealing with a more fragile and unpredictable environment that is difficult to update and patch, if the vendor provides updates at all.

There is no silver bullet when it comes to securing critical infrastructure from terrorist or state-sponsored attacks. However, through closer collaboration across IT and OT within our own organizations, we can do a better job of finding common interests in securing systems and data. If we expand this collaboration across industry and with government, we can take a further step in making these systems more resilient against attack.


Ken Westin is an experienced security researcher and analyst at Tripwire who has worked with law enforcement and journalists to uncover organized cybercrime rings with a special focus on incident detection, forensics and threat intelligence.
