By Michael Shalyt, VP Product Aperio Systems (www.aperio-systems.com)
Like many things in life, the greatest cyber threat to critical infrastructure is in the things we cannot see.
Both security analysts and the general public spend a lot of time and energy discussing big-name hackers, whether “Anonymous” and its cohorts or secret government agencies, who sneak past perimeter defenses and, once inside, wreak havoc on IT systems or expose the sensitive data they hold.
But attacks on critical infrastructure, though less discussed, can cause catastrophic damage. Lloyd’s of London estimates a successful attack on the U.S. power grid could result in $1 trillion worth of damage, not to mention the loss of life.
And as the head of the UN’s nuclear watchdog agency put it, after revealing that nuclear facilities in Germany and South Korea suffered disruptive cyber attacks, the stakes are no longer theoretical (see this Reuters article for more details).
Serious cyber attacks against critical systems can come from all directions and at all levels of sophistication.
Successful breaches by nation-states and political actors have dominated headlines but, in today’s world, attackers range from mere hobbyists, hacktivists, and cybercriminals to sophisticated state-sponsored attackers.
An Iranian national hacked the control systems of a NY dam, attackers left a quarter-million Ukrainians in the dark, and hacktivists with fairly limited skills were able to penetrate a water treatment plant in the US. And these are just the examples we know about.
We can safely assume there are numerous breaches that are as yet undetected or undisclosed.
Unfortunately, it is clear that persistent attackers can penetrate critical control systems – and when critical infrastructure is concerned, even a single destructive attack is one too many.
Therefore we must assume the worst: that the attacker already has control over the sensitive network.
Once attackers are inside, in order to inflict severe and long-lasting damage to critical infrastructure, they need to forge reported operational data — this is how they can blind operators and protection mechanisms and execute their attacks undetected.
What is Data Forgery?
Nearly every good spy thriller depicts a nail-biting break-in where a security camera system is reconfigured to play a continuous loop of an empty corridor. The hapless guard has no idea that the intruders are actually sneaking down the corridor at that precise moment.
When attacking SCADA systems, the malicious intrusion is twofold. It’s about putting systems into potentially damaging states and – like in a good spy thriller – hiding all evidence of intrusion.
After all, industrial control systems were designed to be as resilient as possible to malfunctions and physical disasters. Industrial control operations teams are well trained and highly experienced in managing faults, downtime, and even weather conditions.
When failures occur, operators can react quickly and proficiently to stop the damage, minimize downtime and isolate the source of the problem, ultimately protecting the critical infrastructure.
Bottom line: Control systems and operators are able to prevent severe damage, as long as they know the true state of the plant. True state awareness is, in essence, the last line of defense.
How to protect against data forgery
Every physical device and process has a unique fingerprint, due to its particular history and features. This fingerprint is extremely sensitive to external manipulations. For this reason, physics is the key to detecting and reacting to data forgery.
For example, if a cooling system’s sensors report temperatures or flow rates outside the acceptable range, the monitoring system alarms and operators respond to the abnormality.
But if attackers can make the cooling system report acceptable values regardless of its real state, they can slowly degrade it and endanger dangerous and very expensive equipment while the operators remain oblivious.
Physical sensor data can be compromised at every step, so we must validate the integrity and authenticity of the physical signals, revealing the true state of the system’s physical components.
This can be done in one of two ways. The first is cryptographic protection of the digitized physical data all the way from the sensor to the operator screen: not merely encryption, which hides the values, but authentication (a signature or message authentication code) that lets the receiver verify the values were not altered in transit. Note the caveat: this only proves the data came from the signing device; if the sensor or controller itself is compromised, it will happily sign forged values. The second, which holds even then, is detecting tampering by comparing the reported data to a learned physical model of the specific equipment, using the laws of physics governing the dynamic system as a form of “natural” authentication: the attacker cannot report a state the equipment’s own dynamics would contradict.
But it is not enough to know there is a dissonance between physical reality and the reported data. You must know, first and foremost, whether it is due to an attack rather than, say, a sensor malfunction. Next, you must be able to pinpoint the exact target of the attack.
Operators must know the specific valve, pipe, turbine or drill that’s directly affected. Non-specific alerts are of little use to operators since industrial plants and factories cannot afford to be taken offline due to ambiguous threats or false alarms.
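To make the comparison-to-physics idea concrete, here is a small added example in Python. It is not Aperio’s product or code and does not appear in the original article; the plant model, constants, tolerances and the three scenarios are all constructed for the illustration. A toy cooling loop is described by two relations every honest sample must satisfy (an energy balance and a pump law), so a sample that violates them is flagged and the violated relations point at the sensors that could explain it. The example assumes the heat-load meter sits on a separate network the attacker did not reach, and it uses two deliberately simple discriminators that a real deployment would replace with a learned dynamic model and statistical tests: which relations a sample violates, and whether a channel’s recent history is a bit-for-bit repeat of an earlier window (the “looped corridor camera”).

```python
import random

# Plant parameters: assumed here, learned from plant history in practice
CP = 4.18          # kJ/(kg*K), specific heat of water
K_PUMP = 0.02      # kg/s per rpm, flow delivered per unit pump speed
TOL_ENERGY = 8.0   # kW, tolerance on the energy balance, sized for sensor noise
TOL_PUMP = 0.4     # kg/s, tolerance on the pump law
WINDOW = 10        # samples compared when looking for a looped recording
CHANNELS = ("Q", "speed", "flow", "T_in", "T_out")


def residuals(s):
    """Two physical relations an honest, healthy sample satisfies (both ~0)."""
    r_energy = s["Q"] - s["flow"] * CP * (s["T_out"] - s["T_in"])  # energy balance
    r_pump = s["flow"] - K_PUMP * s["speed"]                       # pump law
    return r_energy, r_pump


def isolate(r_energy, r_pump):
    """Map the violated relations to the sensors that could explain them."""
    e_bad, p_bad = abs(r_energy) > TOL_ENERGY, abs(r_pump) > TOL_PUMP
    if e_bad and p_bad:
        return ["flow"]                  # the only channel in both relations
    if e_bad:
        return ["T_in", "T_out", "Q"]    # channels in the energy balance only
    if p_bad:
        return ["speed"]                 # channel in the pump law only
    return []


def replayed(history, channel):
    """True if the last WINDOW reports on `channel` are a bit-for-bit copy of an
    earlier window. Real sensor noise never repeats a whole window, so an exact
    copy is the signature of a looped recording. A window of one constant value
    is the classic stuck sensor instead and is left to the physics checks."""
    vals = [s[channel] for s in history]
    if len(vals) < 2 * WINDOW:
        return False
    tail = vals[-WINDOW:]
    if len(set(tail)) == 1:
        return False
    return any(vals[i:i + WINDOW] == tail
               for i in range(len(vals) - 2 * WINDOW + 1))


def diagnose(history):
    """Classify the newest sample as ('ok', []), ('malfunction', sensors)
    or ('forgery', sensors)."""
    forged = [c for c in CHANNELS if replayed(history, c)]
    if forged:
        return ("forgery", forged)
    suspects = isolate(*residuals(history[-1]))
    if suspects:
        return ("malfunction", suspects)
    return ("ok", [])


def simulate(scenario, n=40, seed=1):
    """Constructed data: the real plant follows the physics above with small
    sensor noise; the returned list is what the HMI sees under `scenario`."""
    rng = random.Random(seed)
    reported = []
    for k in range(n):
        speed = 100.0                          # rpm, nominal pump speed
        Q = 50.0 if k < 30 else 70.0           # kW, operator raises the load at k=30
        if scenario == "forgery" and k >= 20:
            speed = 40.0                       # attacker quietly slows the real pump
        flow = K_PUMP * speed
        T_in = 20.0
        T_out = T_in + Q / (flow * CP)         # real outlet temperature
        s = {"Q": Q + rng.gauss(0, 0.5), "speed": speed + rng.gauss(0, 0.5),
             "flow": flow + rng.gauss(0, 0.02), "T_in": T_in + rng.gauss(0, 0.05),
             "T_out": T_out + rng.gauss(0, 0.05)}
        if scenario == "malfunction" and k >= 20:
            s["flow"] = 0.0                    # flow meter fails and reads zero
        if scenario == "forgery" and k >= 20:
            # The HMI is fed a loop of samples 10..19 on the channels the attacker
            # controls; Q is metered on a separate network and assumed untouched.
            src = reported[10 + (k - 20) % WINDOW]
            for c in ("speed", "flow", "T_out"):
                s[c] = src[c]
        reported.append(s)
    return reported


if __name__ == "__main__":
    for scenario in ("normal", "malfunction", "forgery"):
        hist = simulate(scenario)
        for k in (24, 29, 30, 39):
            print(scenario, k, diagnose(hist[:k + 1]))
```

Running it shows the three points the section makes. In the forgery scenario the physics residuals stay at zero until sample 30: a replay of a steady state is self-consistent, and only when an independent, trustworthy input moves (here the load step measured on the separate network) does the reported outlet temperature fail to respond as the energy balance demands. The repeat check catches the loop one full window earlier, at sample 29, and names the three looped channels. In the malfunction scenario both relations fail at once, and the only channel they share, the flow meter, is reported as the faulty component rather than as an attack, so the operator gets a specific target instead of an ambiguous alarm.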
Conclusion
True state awareness is critical to maintaining operational resilience and preventing physical damage. That is why data forgery, when used by malicious actors to rob operators of visibility into their own plants and equipment, is a growing threat and should be proactively addressed in order to prevent severe damage.
About the Author
Michael Shalyt, VP Product, Aperio Systems (www.aperio-systems.com)
Michael Shalyt leads the APERIO Systems research and product development team. Prior to joining APERIO, Michael led the malware research team at the renowned cybersecurity firm Check Point, following four years as a leading researcher and team leader in an elite IDF intelligence unit.
Michael is a graduate of the elite “Psagot” IDF academic program and holds a dual Bachelor’s degree in Physics and Electrical Engineering from the Technion, in addition to a Master’s degree in quantum control and quantum information, also from the Technion.
He has been recognized with numerous awards, including several Technion Presidential Excellence Awards, and a bronze medal for the Israeli team in the 36th International Physics Olympiad in Salamanca, Spain.