Why Taking a Technological Step Backwards May Better Protect America’s Critical Infrastructure Systems from Cyber Attacks
*Note: article originally published by the author on July 30, 2018.
You may have heard in recent news that Russian cyberattackers have infiltrated U.S. electric utilities, but you may be surprised to learn that this is not a new phenomenon. In fact, Russian hacking of the U.S. power grids was first reported back in 2009 but was likely occurring even prior to this date as part of the international cyber network espionage (CNE) operations that all world powers engage in to include the U.S. to collect intelligence on each other. Every day Americans have known since the discovery of the Stuxnet and Flame variants of malware that were reportedly used against Iran in an attempt to thwart uranium enrichment efforts, that it was only a matter of time before U.S. critical infrastructure was targeted by foreign adversaries in cyber attacks. So what exactly does U.S. critical infrastructure consist of? The 2013 National Infrastructure Protection Plan (NIPP) is an Obama Administration Department of Homeland Security (DHS) publication that lays out the (16) sectors of critical infrastructure as established by the National Plan:
If America were to come under cyber attack and lose control of or have any one of the sixteen unique sectors of critical infrastructure be shut down, let alone multiple sectors at once, it could have dramatic consequences on life as we know it. Nobody likes to think about doomsday scenarios, but if an adversary were to remotely shut down the energy grids, it would have a cascade waterfall effect on every other critical infrastructure sector that relies on electricity to function. For example, the U.S. Stock Exchange would be shut down which would damage the U.S. economy; ATMs would not have power; emergency services such as 9–1–1 would not work; planes, trains, and public transport systems would cease operating; government offices would close shop, and so on and so forth. The picture is grim, and no one is saying that this is what would happen, only that it could happen in a worst-case scenario. No one can definitively say to what extent the government and private sector has prepared for such an event, so there is no way to tell how much redundancy the U.S. critical infrastructure currently has built into it. For instance, for how long can at least some of the critical infrastructure systems can operate on backup generator power? It can be a bit unnerving to think about these types of situations, but leaders and security professionals have to plan for them to ensure that their respective organizations, and America’s critical infrastructure as a whole, are able to withstand and recover from such an event.
So How Did We Get Here?
In the pre-Internet era, U.S. critical infrastructure Information Technology (IT) systems were what is commonly known as “air-gapped,” which meant that they were not connected to any global network such as the Internet. Back then, there wasn’t even an option of connecting to the Internet as we’ve come to know it today, because it simply didn’t exist. Nowadays, air-gapping a system is done to protect it from Internet-based cyber threats. Think of air-gapping in terms of keeping a small cash reserve in your home that is accessible in case of an emergency situation where all of the ATMs have been shut down to prevent a run on the banks. Your “system” or personal cash reserve is not affected by this threat, and so your personal ability to purchase necessities remains unimpeded provided the stores remain open for business and stocked with goods for people to purchase. Many people have their own emergency stash just in case, they just don’t think of it in terms of computer networks. Maybe you maintain a copy of your personal computer files offline on a personal storage device that is disconnected from your computer and the Web? If something were to happen to your computer, you still have the backup you made of your personal files. The principle of air-gapping a system is similar to this.
But Isn’t Air-Gapping Just Security Through Obscurity?
In recent years, a lot of literature has been published railing against the practice of air-gapping systems. Instead, authors have asserted that in today’s connected world few systems are truly air-gapped anymore, and it makes more sense to develop Artificial Intelligence (AI) that is capable of scanning for cyber threats to critical information systems and establishing real-time monitoring of network security as if funding and skilled cybersecurity workers were not extremely limited resources.
However, it is difficult to mount an argument against air-gapping critical infrastructure systems if it makes the act of trying to remotely attack them virtually impossible. Cyber attacks would be limited to physical attacks (in person) or downloaded software updates which should be hashed and compared to vendor-provided hashes from trusted download sites prior to installation on any computer to prevent malware inadvertently being saved onto some type of USB storage device or media disc and physically loaded onto an air-gapped system in person via what is known as the ‘Sneakernet.’
Air-gapping is a divisive topic among cybersecurity experts with proponents on both sides. NIST, however, still recommends air-gapping and using firewalls on Industrial Control Systems (ICS) and air-gapping is still a best practice for DoD classified systems. Ergo, air-gapping is not security through obscurity when it’s done properly, rather it is an important security enhancement as part of a bigger defense-in-depth approach to protecting vitally important systems from external cyber-attacks. Security through obscurity relates better to attempting to hide a system and hoping that it isn’t discovered and compromised. No one, of course, is recommending anyone does that. That would be foolish. Instead, cybersecurity experts need to come together on this issue and recognize that an everything-always-connected world is not necessarily a good thing, especially when it comes to critical infrastructure systems given their importance in modern-day society.
Air-gapping systems don’t preclude system administrators from updating software with the latest security patches and other recommended security controls or best practices. In cybersecurity, the name of the game is defense-in-depth. You never want to rely on just one security control to protect a system, instead, you apply as many security controls as is feasible with regard to resource limitations such as budget, operational need, and trained/skilled manpower. Often, however, there are mandatory compliance regulations that organizations are required to adhere to with respect to the cybersecurity of publicly-owned (think Government at the local, State, or Federal levels) critical infrastructure.
The rub comes with privately-owned critical infrastructure systems and the option of choosing not to comply (at least somewhat) with Federal compliance regulations. For instance, the National Institute of Standards and Technology (NIST) publishes guidance for Information Systems (IS) security on a wide range of different types of systems and topics. NIST’s Special Publication 800–82 Revision 2 is a Guide to ICS Security and addresses Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and other Control System Configurations such as Programmable Logic Controllers (PLC). NIST specifically created an ICS overlay to be used in conjunction with the NIST Special Publication 800–53, Revision 4, a suite of security controls for Federal IS, that tailors controls for implementation on ICS. It is important to note that private industry is also encouraged to use the NIST Risk Management Framework (RMF) as much as is feasible to enhance cybersecurity within their own organizations.
Organizations such as the National Cybersecurity and Communications Integration Center (NCCIC), U.S. Computer Emergency Readiness Team (US-CERT), and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) exist to provide expertise on National cybersecurity policy and information sharing. Figure 1 illustrates the DHS cybersecurity hierarchy.
It is logical then that in terms of how computer networks and IT systems function, that a truly air-gapped or standalone system is “safer” than one that is connected to another system, let alone the Internet and all of the myriad of cyber threats that come with that beast. However, air-gapping should never be viewed as a ‘silver bullet’ security control that is the only security implemented on a system. If chosen to implement, air-gapping a system should be performed in concert with a whole suite of other security controls contained within cybersecurity frameworks such as those published by NIST.
It is difficult not to oversimplify this concept, but one cannot attack what isn’t there, or at least, one will have a much more difficult time attacking a system that isn’t physically connected to the Internet. Stuxnet’s limited success demonstrates how difficult it is to successfully execute attacks against air-gapped ICS. Shadow Nets are another problem entirely, and they represent the threat of contractor networks that may be attached to a customer network, but that isn’t properly secured and is, therefore, a potential vulnerability to the customer (e.g., the Department of Energy, or DHS who does possess sensitive information or critical information systems). If a cyber attacker can penetrate a Shadow Net to get to a bigger, more lucrative target such as an Internet-connected nuclear reactor plant, then I think we can all agree that is a critically severe (CAT-1) problem.
Huge Problem with even Bigger Implications
Shodan is a free Internet search engine that anyone can use to find vulnerable computer systems (e.g., ICS) and devices (i.e., the Internet of Things- IoT) that are connected to the Internet. Cybercriminals, cybercriminal groups, hacktivist groups, and even Nation-state Advanced Persistent Threat (APT) groups can use Shodan.io to target vulnerable systems and devices. In 2017, a security researcher ill-advisedly created a tool called “AutoSploit” that was published on GitHub which combines vulnerabilities cataloged by Shodan with exploits contained within the Metasploit penetration testing application. There is a concern that inexperienced cybercriminals that are known as “script kiddies” will use AutoSploit to carry out cyberattacks on critical infrastructure systems. It is a shame and a slight towards U.S. national security that it is this easy to find vulnerable U.S. critical infrastructure systems. That needs to be remedied, and quickly before our adversaries decide to launch a potentially crippling cyberattack on our nation’s critical infrastructure. That type of system vulnerability information should always be considered sensitive information at least and protected as such. Free and open information is great, but not at the expense of a sovereign nation’s critical infrastructure.
As an example of the type of damage that could result from this type of cyber attack, look no further than BlackEnergy. BlackEnergy is a type of ICS malware that has been used previously against targets in Ukraine and which has been attributed to the Russian APT 28 group, thought to be a Russian GRU military intelligence organization. Ukraine had its energy grids partially shut down in the Crimea region on December 23, 2015, which was alleged to have been the handiwork of Russian cyberattackers after political tensions escalated following the 2014 Russian annexation of Crimea. Will it take an event of that magnitude to force lawmakers to wake up and begin enforcing air-gapping of critical infrastructure systems, or is the U.S. doomed to learn this lesson the hard way?