Not enough is being done about critical industrial infrastructure cybersecurity, according to Steve Mustard, an industrial cybersecurity expert with the International Society of Automation, who points to a lack of adequate training and a culture of complacency among operators of critical industrial infrastructure.
“Everywhere I go I see the same issues, so this is not so much a company-by-company issue as it is an ‘industry culture’ issue,” says Mustard, an ISA99 Security Standards Committee member and an important contributor to the development of the ISA99/IEC 62443 industrial cybersecurity standards. “So much work has been done in the IT world on security that many believe they have mitigated the risks.”
The ISA/IEC 62443 series of industrial automation and control systems (IACS) security standards is designed to prevent and mitigate IACS security vulnerabilities across all key industry sectors and critical infrastructure.
Mustard, a UK-registered Chartered Engineer and European-registered Eur Ing, and a consultant with extensive development and management experience in real-time embedded equipment and automation systems, spoke recently to a meeting of industry officials in petroleum and petrochemical operations.
He told them that despite greater overall awareness of the need for improved industrial cybersecurity, not nearly enough is being done to implement basic cybersecurity measures and reinforce them through adequate staff training and changes in corporate culture.
“For example, most security experts at the NIST (National Institute of Standards and Technology) meetings on the US Cybersecurity Framework could not understand why we were still discussing the most basic security controls,” he said, pointing out that a visit to almost any critical infrastructure facility will reveal that while there may be established policies and procedures in place, they are not properly embedded into training and the operational culture.
“Too many owner/operators I meet believe that because they have not seen a cybersecurity-based incident themselves that it will never happen,” he said. “This sort of complacency is why there will be a major incident.”
Mustard points to the steady flow of cyberattacks on industrial automation control systems (IACS) and supervisory control and data acquisition (SCADA) networks being tracked by the Repository of Industrial Security Incidents (RISI).
“There have been many incidents in the past 10-15 years that can be traced back to insufficient cybersecurity measures,” he says. “There are many every year, most of which escape public notice. In fact, it’s widely believed that there are many more that are never reported,” he discloses.
“The RISI analysis shows time and again that these incidents are generally the result of the same basic cybersecurity control failures,” he said. “It is often only because of the presence of external failsafe and protection mechanisms that these incidents do not lead to more catastrophic consequences.”
Unfortunately, said Mustard, “many use these protection mechanisms to argue that the concern over the consequences of cyberattack is exaggerated, and yet incidents such as Deepwater Horizon should teach us that these protection mechanisms can and do fail.”
Mustard said that while the need for safety is well understood in facilities such as offshore drilling rigs, attention to security is often minimal.
This is partly because these facilities are usually so remote (e.g. 50 miles offshore) and/or appear to be secure (it is not possible to just walk into an offshore or onshore facility without having the appropriate clearance), he said, and also because there is little or no experience of cybersecurity-related incidents, whereas there is usually some direct or anecdotal experience of safety-related incidents.
“Another issue is the very significant reliance on third parties to install and support IACS equipment,” Mustard continues. “This creates two issues—in-house staff often lack complete understanding of the equipment needed to provide reliable on-site support and there is a continuous flow of third-party staff in facilities. Although security is generally tight in these facilities, there is a lot of reliance on third parties to ensure their own contract staff are correctly vetted, and yet third parties may not be as thorough as owners and operators.
“Furthermore, third-party employees will have their own computers and removable media. The owner/operator may rely on the third party to scan their devices for malware before they are connected to the IACS equipment, but there is no guarantee that this is the case.”
Ironically, despite repeated warnings from various federal and university security institutes about their danger, he said that the use of USB devices remains one of the most common ways an industrial control network can be infected.
“I heard recently, anecdotally, that a major oil and gas company detected the Stuxnet virus on its networks, which was found to have originated from an infected USB drive,” he said. “This company has relatively good cybersecurity controls in place, so you can imagine how easily this can happen in other organizations that have not yet grasped the importance of cybersecurity.”
This conceptual blind spot on the part of industrial companies is due to several factors, said Mustard. “Many, or even most, IACS equipment runs without anti-virus software,” he said. “Rarely is the equipment ‘security hardened’, and very often default accounts and passwords are either hardcoded or not removed/changed before go-live.”
In addition, Mustard said, the operating systems and applications are often not patched at all or if they are, they are not patched regularly. This, he said, creates a whole host of vulnerabilities that can be exploited by malware.
“While most standards recommend the elimination of USB removable media devices and that all ports be locked down, this is rarely the case,” Mustard said. “Since machines are usually not connected to the Internet, removable media is often the only way to transfer files. And while IT policies might enforce virus scanning of such devices before and after use, this often does not get enforced in IACS environments.”
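The "scan before use" control that Mustard says rarely gets enforced in IACS environments can be made mechanical rather than left to the discretion of whoever carries the drive. The script below is an added example written for this page; it is not code from the article, from Mustard, or from ISA/IEC 62443. It assumes a hypothetical transfer procedure in which files destined for the control network are first copied to a staging directory, and in which the owner/operator maintains an allowlist of SHA-256 hashes for files approved for transfer. The check rejects autorun files and executables outright, and passes only files whose hash is on the allowlist; the sample "media" contents are constructed in a temporary directory so the example runs offline.

```python
"""Pre-connection check for files staged from removable media.

Added example (not from the article or ISA/IEC 62443). Assumes a hypothetical
procedure where a USB drive's contents are mirrored into a staging directory
and an owner/operator-maintained allowlist of SHA-256 hashes exists.
"""
import hashlib
import tempfile
from pathlib import Path

# File names and extensions that should never ride into a control network on
# transfer media, regardless of who brought them (policy choice for this example).
BLOCKED_NAMES = {"autorun.inf"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large firmware/config bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(root, allowlist):
    """Walk the staged media and classify every file.

    Returns (approved, findings): approved is a list of relative paths cleared
    for transfer; findings is a list of (relative path, reason) for rejections.
    A file is approved only if it is not blocked by name or extension AND its
    SHA-256 is on the allowlist, so an unknown file is rejected by default.
    """
    root = Path(root)
    approved, findings = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in BLOCKED_NAMES:
            findings.append((rel, "autorun file present"))
            continue
        if path.suffix.lower() in BLOCKED_EXTENSIONS:
            findings.append((rel, "executable or script not permitted on transfer media"))
            continue
        digest = sha256_of(path)
        if digest not in allowlist:
            findings.append((rel, f"sha256 {digest[:12]}... not on approved transfer list"))
            continue
        approved.append(rel)
    return approved, findings


def build_demo_media():
    """Create a constructed staging directory standing in for a mounted USB drive."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "config_v12.csv").write_bytes(b"tag,setpoint\nPT-101,42\n")  # approved config
    (root / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")  # classic USB vector
    (root / "setup.exe").write_bytes(b"MZ placeholder, not a real binary\n")
    (root / "notes.txt").write_bytes(b"unreviewed file left on the drive\n")
    return root


def demo():
    """Run the check against the constructed media with only the config file allowlisted."""
    root = build_demo_media()
    allowlist = {sha256_of(root / "config_v12.csv")}
    return check_media(root, allowlist)


if __name__ == "__main__":
    ok, rejected = demo()
    for rel in ok:
        print(f"APPROVED {rel}")
    for rel, reason in rejected:
        print(f"REJECTED {rel}: {reason}")
```

The design choice worth noting is the default-deny on hash: "not known malicious" is a much weaker bar than "known and approved", and the latter is what a transfer procedure for a control network should require. Running the check again after the drive comes back from the IACS side (the "after use" half of the policy) catches files that were written onto the media by the equipment, which is how an infection travels back out.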