I spend a fair amount of time attending various security conferences, as I’m sure many of you do. Recently I’ve noticed a change in agendas and, perhaps more significantly, shifts in attendance on topics related to Critical Infrastructure Protection (CIP). In the past, these sessions were dominated by discussions of ICS/SCADA vulnerabilities and specialized malware designed to probe and extract insights from very custom, not widely distributed systems.
Since the introduction of President Obama’s executive order in 2013 and the related NIST cyber security framework in 2014, the discussions have advanced in focus and practicality; I for one am grateful for the expert focus on security this discipline receives. But the sort of uber threat that seemed to reside in the dark corners of the audiences’ collective mind, i.e., the unauthorized take-over of power or water systems, now seems too narrow in today’s context of interconnectivity.
Trying to relate to ICS threats, at least for those outside of the industries commonly associated with CIP (utilities, refineries, military defense, water treatment, etc.), is a bit difficult. The primary context for most following the discussion was that of a potential victim, a consumer suffering the implications of compromise.
But more recently the scope of the discussion is changing. Driving this change is in my view, the expansion and privatization of power generation on one side, and the vast proliferation of connected devices of consumption on the other end. Sitting in the middle are the critical systems we all rely on for safety and security in our day-to-day lives. The threat has generally been of critical systems being overtaken and then doing very bad things to consumers, ranging from disruptive to downright life threatening. But now, the consumers themselves may in fact represent to greatest threat to infrastructure, not vice versa.
This of course, is where the intersection of CIP and IoT becomes very clear. With an estimated 50 billion connected devices coming online over the next 5-10 years, it is impossible to know the potential impact of a large scale attack generated through these endpoints. Much of the IoT security debate continues to center on the risks the devices, if compromised, pose to consumers. For instance, at this month’s Black Hat and DEF CON conference, two researchers made quite a show out of exhibiting some potentially dangerous hacks of a Tesla that could impact operation of the car. But what about the vulnerabilities in devices such as these in becoming a threat to the infrastructure itself?
Could a Tesla be hacked in a way that essentially weaponizes it against the power grid, for example? I think it’s natural that IoT device manufacturers (at least the handful that are emerging as security conscious) would concentrate first on the consumer impacting vulnerabilities in an effort to protect product adoption. But these backwards impacts on the broader power infrastructure warrant careful consideration as well.
Why? Consider the investments being made to maintain security around critical infrastructure vs. the investments going into innovation that has the net effect of increasing the attack surface of previously more isolated systems. Certainly the Obama administration has shown a commitment to increasing spending around cyber security protection, including $5.5 billion in funding to enhance cyber threat protections for the Pentagon (much of which targeting CIP vulnerabilities). But on the other side of the ledger is an unending stream of funding going into the expansion of IoT devices and related services. IBM alone has committed to spending $3 billion over the next few years to do their part in mining the resulting data proliferation.
This is not the first time we see changes in CIP in response to increased cyber threats and risk. Critical Infrastructure Information Protection (CIIP) emerged as a new discipline, a subset if you will of CIP. This was an important step in preparing critical infrastructure from the growing array of cyber threats. But a strategy based solely on fighting the ongoing battle of vulnerabilities and exploits threatening to compromise these systems is incomplete. Strategies for protection must be based on the assumption that all of these security measures (physical and logical) will fail. A foundation of the strategy must include the steps taken to reestablish and maintain operations of systems when critical data is lost, or even when unauthorized control is gained.
There are a couple of lessons from the private sector that highlight the benefits of this “assume the worst” approach. During March and April of 2014, the Boston Children’s Hospital became the target of a series of cyber attacks. The attacks received considerable attention, mostly due to the nature of the target and their connection with a high profile, controversial custody case. But of critical note is the arduous process followed by the hospital long before the attacks occurred, which was a key to successfully maintaining operations. As part of their proactive cyber threat planning, Boston Children’s Hospital developed complete plans for running what had become highly networked clinical operations without the benefit of the network. Processes that had come to rely on access to data or other devices had to be outfitted with the “plan B” scenario, meaning going back to many manual processes.
Another example of preparation focused on the assumption of failure comes from Netflix, and their virtual Simian Army. In an effort to ensure the ability to respond to unavoidable and nearly unpredictable causes of outage, Netflix created a collection of tools to randomly simulate common availability issues in the datacenter. They have also opened the program up to outside contributions of new tools to further challenge the Netflix operational capabilities and resiliency.
What is clear is that the pace and veracity of threats against both traditional and non-traditional critical infrastructure elements will continue to expand. Successfully keeping up with the threat landscape will require the community to continue to expand the scope of the discussion to consider the impact of non-traditional IT devices turning into threats from the consumption side. And finally, the best strategy for ensuring mitigation of these threats will require taking the steps in not just implementing defenses, but also maintaining operation in the face of successful attacks.