chungking - Fotolia
A successful attack on critical sectors such as energy, communications, finance and transport, which rely on industrial control systems (ICS), could have potentially catastrophic human and economic effects across all sectors, according to Joel Brenner, senior research fellow at the Massachusetts Institute of Technology (MIT).
“The capacity to undertake these attacks is now in the hands of criminal organisations as well as nation states,” he told the CyberSec European Cybersecurity Forum in Krakow.
“Although there is a certain amount of deterrence that affects nation states from doing these things, that deterrence does not work against criminal organisations,” said Brenner, a former inspector general at the US National Security Agency (NSA).
In recent years, he said, there have been several examples of cyber attacks affecting critical infrastructure, such as the WannaCry attack’s affect on the UK’s National Health Service, the cyber attacks against the Ukrainian power grid, the Mirai botnet attack on DNS provider Dyn, and the attack on Saudi Aramco.
At the end of 2016, Brenner said security firm Kaspersky Lab estimated that 24% of the world’s ICS were under attack, and the underlying problem is that many infrastructure operators “aggressively retrofitted” ICS with digital controls that are exposed to the internet.
“The efficiency gains were immediate and obvious, but while the vulnerabilities were also immediate, they were not obvious to most people, or they were deniable – and they were often denied. However, now they are obvious to more people and they are no longer deniable,” he said.
MIT has produced a report outlining key recommendations at increasing ICS security based on a cross-sector workshop that included academics and government representatives.
Recommedations from MIT
The top recommendation is that key ICS controls must be isolated from public networks if they are to be made reasonably secure.
“It is a delusion to believe that we can take these controls and expose them to the public internet, which we know is insecure, and make the controls secure,” said Brenner.
The second recommendation is that governments should support a market for simpler and safer control technology.
“Complexity is our enemy when it comes to security, so there is no reason to use the same field programmable gate array for things like simple valve controls that is in a game console because superfluous functionality equals multiple vulnerabilities,” said Brenner.
“Such gate arrays have two million lines of code in them, and malware is extraordinarily easy to insert and extraordinarily difficult to find in two million lines of code. General purpose microchips and general purpose controls are unsuitable for controlling sensitive operational technology [ICS].”
This means, he said, that there are vulnerabilities in the supply chain that do not come from corrupting the supply chain, but come from the nature of that supply chain that seeks to market the most sophisticated products with highest profit margins.
“To change that, governments will have to begin to support a market for simpler controls so that controls for simple things like valves have all the superfluous functionality removed and are consequently much more difficult to corrupt and, if it is still corrupted, it is much easy to see or detect.”
Read more about ICS security
- Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security, according to a cyber defence expert.
- Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye.
- Targeted attacks on industrial control systems are the biggest threat to critical national infrastructure, says Kaspersky Lab.
- Hackers have been penetrating industrial control systems for at least a decade for extortion, yet little is known about how they gain access.
The third MIT recommendation is that market incentives, both positive and negative, must be re-aligned for cyber security.
“The factors that change behaviours in market economies include market opportunities, tax policies, liability, and regulation – dead last,” said Brenner.
“The tax and liability incentives are totally misaligned, because in every sector MIT examined, we were told emphatically that the rapid retirement of legacy systems was imperative, and we know how to create tax incentives to fix that, but we are not doing it,” he said.
The MIT report recommends that governments create tax incentives to accelerate the retirement of legacy systems and, at the same time, introduce liability for producers of unsafe systems.
“Apart from computer hardware and software, there is no other area of economic life in which one can sell unsafe, fundamentally insecure or unsuitable goods with little or no liability. This must change,” said Brenner.
While Brenner is confident that it will change eventually, he said it will be interesting to see if that change comes quicker in the US or in the European Union (EU). “But either way, the one will have an enormous leverage effect on the other, but it hasn’t happened yet,” he added.