Industrial infrastructures are increasingly connected, getting smarter and more efficient in the process. Along with these gains comes the need to protect infrastructure assets from cyber attacks. A major cyber attack on the US grid, for example, could cost up to $1trn, according to a recent report by Lloyd’s and the Cambridge Centre for Risk Studies. To discuss the state of industrial cyber security and how best to advance it, Lookahead interviewed Ralph Langner, founder of the Langner Group and a cyber-security expert specialising in industrial control systems. In 2010, he led the team that reverse engineered Stuxnet, the first known malware designed to physically damage industrial equipment. Here he shares his views on what can be done to better protect infrastructure assets.
You are famous for leading the team that reverse engineered Stuxnet. How did Stuxnet change the way governments and industry view cyber security?
Governments around the globe have understood that cyber is a military domain—a doctrine that was formulated and advocated most importantly by former Deputy Secretary of Defense William Lynn and former CIA chief General Michael Hayden. Today, billions of dollars are spent annually on offensive military cyber capabilities. A similar landslide effect did not occur in the private sector, which is mostly in a state of denial at the moment. Many asset owners lull themselves into thinking that what happened with Stuxnet has no effect on their risk landscape and that if a nation-state chose to cyber-attack them, they couldn’t fight it anyway—which is plain wrong, by the way.
Which type of industrial infrastructure would you say is currently the most vulnerable to cyber attack?
Digital industrial control systems are generic devices that can be found throughout all industries. You also find them to control things like elevators, escalators or air conditioning. Even the military uses the same systems. For this simple reason, vulnerabilities don’t differ much across industries, and attackers have a big menu to choose from.
Apparently, hackers seem to like the energy sector best, evidenced by the highest number of intrusions. This is not really surprising considering the national security impacts of energy. If an aggressor gets a chance to control the supply of gasoline or electricity of an adversary, that’s quite a bargaining coin, whether it’s used as threat or as an actual attack.
The typical government answer to the various high-profile intrusions of the energy sector has been to rely on deterrence, a risky gamble because it assumes a) reliable attribution and b) a rational adversary. If we look at players like North Korea, which already has decent offensive cyber capabilities—think about the Sony hack—the latter assumption can be challenged.
Without going into details that could help cyber hackers, what type of threat would you say infrastructure assets are most vulnerable to?
The big open door at the moment is indirect infiltration via contractors by sophisticated threat actors. We thought that after Stuxnet pretty much everybody down to cab drivers would be aware of this, but the fact is that even today plant managers responsible for ultra-critical installations fantasise about being protected by “air gaps”. If one wants to attack a high-value target by cyber, the logical route is to go after ill-protected contractors and simply wait until they go on-site for scheduled plant maintenance and connect their malware-infested laptops to critical networks. Easy to do, easy to stop, yet few people care.
What are best practices when it comes to protecting critical infrastructure from cyber attacks?
The most important point is to take a strategic, long-term approach. This is well known in IT but still found rarely in operations technology. If you approach cyber risk as a project or, even worse, focus on technical [network] topics only, you will never be able to achieve sustainability and cost-efficiency. You will be fighting the symptoms rather than the disease.
The major step in reducing cyber risk is to commit to a solid cyber-security plan that is implemented as a continuous process and relies on fact-based verifications [audits], and to provide the resources to make it happen. Funnily enough, many organisations never really check if their cyber-security efforts have any real impact. The resulting fuzziness of cyber security is one reason why executives have some reservations about the subject. This can be changed by providing solid reports with good metrics.
When thinking about short-term priorities, the best advice I can give is to address the risk of indirect infection by focusing on remote access, walk-in laptops, USB sticks and the communication of files (anything from technical documents to executables) via email. Surprisingly, many asset owners don’t maintain a full and accurate list of contractors along with their roles and responsibilities. Others don’t control remote access tightly. All very effective low-hanging fruit if one considers that the most promising infiltration route to high-value targets is via contractors.
Another observation that we have made is that the chances for success are better if the whole effort is driven by OT [operational technology] rather than IT. Experience shows that it is more realistic to educate control system engineers in cyber security than educating IT folks on PLCs [programmable logic controller], fieldbuses, protective relays, real-time requirements or safety in general.
The one idea that I strongly suggest to forget about is that any technical gizmo—no matter if it is called an intrusion-prevention system, data diode or any other fancy name—would be enough to make a facility reasonably secure. It’s tempting to believe that you could buy your way out of cyber risk by simply installing the latest gadget, but it will never be enough. A solid cyber-security strategy always involves behavioural and organisational changes. However, we are getting better at understanding how to make these changes as smooth and cost-efficient as possible.
What role do you see for public-private partnerships in developing and promoting best practices?
The idea of public-private partnerships sounds good and has been touted for decades, but we are still waiting to see significant results. What I see as much more promising is private-private partnerships where asset owners, starting in the same industry, share information on cost-efficient ways to improve protection. We actually don’t need the government to help us [in] protecting industrial facilities. I strongly believe, backed up by experience among our client base, that private partnerships for cyber security will be one of the most important coming trends to make this exercise more efficient. We use social networks and the cloud for all kinds of trivial leisure activities, we should start leveraging technology for information sharing on more serious matters.
Some organisations, and governments, have been looking into building up “retaliatory capabilities”. Is there any evidence that such a strategy is effective in reducing the number or impact of cyber attacks?
If there is any evidence I haven’t seen it. What we do see is that Stuxnet has started a cyber arms race in which even the least logical player feels compelled to participate. Sometimes I wonder if the idea of being able to retaliate in cyberspace is just an odd excuse for investing in the new military domain which is, compared to other domains, not just sexy, but also dirt cheap. When it comes to retaliation, one should not forget that some actors are pretty much invulnerable while others might just not care.
You described the sophistication of the Stuxnet payload as being “rocket science”. As a security consultant, have you seen anything as sophisticated as Stuxnet since then?
No. But what we do see are clearly post-Stuxnet attacks. Think about high-profile cyber-attack campaigns against the energy sector, such as Energetic Bear or BlackEnergy. While these campaigns so far did not intentionally destroy or degrade industrial equipment, one of their objectives seems to be to get into the position to do so, so that, when the time has come, the attackers could take down significant parts of the energy infrastructure. And if you think that casual AV [anti-virus] signature updates and annual security patches do the trick, you are definitely living in a pre-Stuxnet world.
Looking ahead, what will the cyber-security environment of 2030 look like and how will it differ from the cyber-security environment we face today?
In my crystal ball the world looks much less cyber safe in 2030 than today. With the present mania to connect everything from passenger airplanes to toilet seats to the Internet, it’s going to be extremely difficult, and in some cases maybe even impossible, to reverse course and go back to less complex architectures that we actually understand and manage to secure.
This article is published in collaboration with GE Lookahead. Publication does not imply endorsement of views by the World Economic Forum.
Author: Clint Witchalls is a writer at GE Lookahead.