Protecting critical infrastructure from cyber attacks
As critical infrastructures become connected, Qatar needs to be aware of possible attacks, such as those that happened in 2012 in the oil and gas industry, writes Andrey Nikishin of Kaspersky Lab.
Qatar’s critical infrastructure is a clear example of why cyber security is a matter of national importance. The security of smart cities also has to be considered, in particular the integrity and availability of the city power grid, transport, mobility and other interconnected intelligent systems. Doha is on the verge of being transformed into a smart city, and Qatar is preparing for the 2022 World Cup, both of which demand high levels of synchronisation, flexibility, reliability and resiliency.
Traditionally, industrial facilities have relied on the absence of a direct connection to the Internet to keep their critical infrastructures safe from harm. This ‘air gap’ was deemed to protect industrial networks from becoming infected with malware or attacked by hackers.
Today, industrial facilities are increasingly connected to the Internet, for a variety of reasons. Third-party contractors (hardware and software vendors and integrators) need to maintain their equipment, for example, and can now do so remotely over the Internet. Every such connection to the outside world erodes the supposedly airtight air gap and gives attackers a route into the industrial network.
Attackers are also becoming more sophisticated. The recently discovered Fanny malware was designed to bridge the air gap by travelling on USB drives, stealing information from a network that was considered isolated and out of reach. In another case, an attack went beyond espionage and caused massive damage to a blast furnace at a steel mill in Germany, as reported by the German federal IT security agency.
The earlier 2012 attacks on Saudi Aramco, the world’s largest oil company, and on RasGas, the Qatari gas giant, are also cautionary examples of how exposed energy companies are and of the sheer scale of damage a single incident can cause: at Saudi Aramco, tens of thousands of workstations on the corporate network were wiped. This raises the question of how far such attacks can go and how serious the damage can be once production systems themselves are the target.
The focus for industrial facilities therefore needs to be on critical infrastructure protection within the connected world and managing the associated vulnerabilities brought by alternative and indirect ways to connect to the industrial network.
The following scenario of a large, complex facility in a difficult-to-reach location is typical. It could be an automated water purification system – a water treatment facility providing an entire city with potable water. To meet the expectations of modern civilisation, this facility must operate round-the-clock, every single day of the week, 365 days a year.
Normally, the equipment installed in such facilities requires regular maintenance. For this reason, it is important to be informed about the physical state of the equipment, otherwise it is difficult to tell how worn it is and whether or not it needs to be repaired. Without this knowledge, equipment may be taken out of service for maintenance at the wrong time or left to go on working too long.
To identify the moment when equipment has become critically worn and requires maintenance, online sensors and controllers are used. Advanced technologies provide communication between the physical equipment and the outside world, allowing the equipment’s condition to be analysed and an informed decision to be made about its maintenance. This is not simply a case of a computer being connected to the Internet for remote management and control; it is physical equipment, controlling a real physical process, that is being put online.
Estimates suggest that companies can save millions of dollars by taking this approach. But it is a double-edged sword. The consequences of a cyber incident made possible by that Internet connection are easy to imagine: no water at all in the city, flooding, or widespread contamination of the water supply.
Prevention is the cure
The air gap can no longer provide airtight protection for these critical infrastructures, and industrial facilities need to put in place reliable information security measures to close the gap. Many facilities may already have been compromised by malware or have a network full of holes. To understand the extent of the problem, a security audit of the facility will identify vulnerabilities and produce a threat model. Following the risk assessment, overlaying the threat model with a security map shows where proper security solutions are already applied to critical areas and where risks still have to be mitigated because such solutions are not yet in place.
There is no out-of-the-box security solution, but it is imperative that industrial facilities do not rely on the air gap to keep them safe. A robust solution should consist of multiple layers, each covering a specific area: protection from malware and phishing, cleaning email of spam and viruses, fending off network attacks, and so on. We cannot emphasise enough the importance of keeping the operating system and software fully updated and patched, so patch management should also be on the list of ‘must-haves’. Ideally, the solution should cover the different levels of automation, from the conventional corporate network down to the networks that connect the equipment. Above all, security should be treated as an evolving process that requires constant effort to stay one step ahead of attackers.
To make the security process as robust as possible, the human factor has to be taken into account. Even the best spam filters, email anti-virus and anti-phishing tools cannot guarantee 100 percent efficiency in a constantly evolving threat landscape, because cyber criminals keep finding new vulnerabilities to exploit and new ways to bypass security solutions. With the number of threats encountered every day running into the millions (six orders of magnitude), even a miss rate of a tiny fraction of a percent translates into a steady stream of successful attacks. It is therefore important never to rely on technology alone, but also to educate employees, increase their awareness and foster a cyber-culture that reduces their chances of falling victim to a social engineering trick.
Andrey Nikishin is the head of Future Technologies Projects at Kaspersky Lab.