Security Testing of Critical Infrastructures
Critical Infrastructure Security Testing
Energy, Water, Healthcare, Transport, Communication and Food are some examples of critical services essential for the functioning of any nation. Non-availability or even limited non-performance of these critical infrastructures quickly results in disturbance and distress.
Hacking of these systems has surpassed physical attacks as the most serious security issue facing network operators and governments. Criminals and nation/state actors can exploit the increasing complexity and connectivity of critical infrastructure systems for political or commercial gains. Outages also impact a critical infrastructure operator’s bottom line by driving up costs, and hampering ability to innovate, win and maintain customers.
Diverse infrastructure services such as water supply, transportation, fuel and power stations tend to be coupled together. Owing to this coupling, interdependent networks are extremely sensitive to failures in neighbouring systems such that a failure of in one network can produce an iterative cascade of failures in several interdependent networks. For instance, all infrastructures rely on availability of electricity, hence a power outage can have direct impact on availability of other services, such as transport, emergency, finance, communication, water supply etc.
While natural disasters cannot be eliminated, our ability to prevent man-made disasters can be greatly enhanced through careful infrastructure design and implementation, followed by security testing, particularly with tools buffer overflow and fuzzy logic application testing. This article examines the prevalent dependency on ICT technologies to manage critical infrastructure services and discusses how isolating an ICT component failure at the development stage itself could potentially help prevent a cascading critical infrastructure failure later on.
Critical Infrastructure Sector Risk Management
Modern threats to critical infrastructure are evolving at the same rate as the technology on which that infrastructure is based. Some key critical infrastructure sectors include:
· Energy generation and distribution – Integrated energy grids incorporate advanced digital functions to take enhanced reliability, efficiency, flexibility, and security of this critical national infrastructure. With increased interconnection and deployment of SCADA and ICS systems, security concerns arise. The Wall Street Journal recently reported cyber spies from China, Russia, and other countries may have penetrated the US electrical grid and implanted software programs that could be used to disrupt the system.
· Chemical production and distribution – A successful attack on a hazardous materials storage facility has the potential to cause mass casualties and panic. Security concerns related to storage and processing of potentially hazardous materials as well information systems that manage various production, storage and distribution processes in this critical infrastructure.
· Water supply -Water supplies are prone to disruption and contamination by potential terrorist or malicious acts to inflict mass casualties. Intentional dissemination of contaminants through a backflow event is an example of vulnerability for this sector that can be triggered onsite or remotely through ICT technologies.
· Public health systems – This sector has become more reliant on technology to support and improve the provision of care, disease prevention, and emergency response. With the proliferation of health information technology and cyber systems within the critical functions of the public health systems, there is a compelling need to address and manage the risks associated with cyber threats to this critical infrastructure
· Transportation systems – As transport systems embrace ICT technologies to take advantage of enhanced resource utilization and performance, they inadvertently increase security vulnerabilities for traffic control systems, power and telecommunications as well as signalling systems.
· Defence security services – As armed forces entrusted with internal and external defence of a nation’s boundaries embrace ICT enabled weapon and information systems, the command and control networks are increasingly vulnerable to disruption by cyber strikes done by motivated actors.
· Telecommunication – Telecom, in fact, touches nearly everything and everyone, and along with energy, it forms a foundation upon which all other critical infrastructure operates, wherein lies the appeal to cyber adversaries.
· Financial services – As business and financial institutions continue to adopt Internet-based commerce systems, the opportunities for cyber crime increase at retail and consumer levels. With cyber criminals exploiting everything including automated clearing systems to card payments and market trades, this sector is grappling with
delivering secure transaction, service availability and information security to its customers.
Most of these critical infrastructures, such as electricity generation systems, and transportation systems are monitored by the Industrial Control Systems (ICS) while others are controlled by the Supervisory Control and Data Acquisition (SCADA) and integrated PLC and HMI solutions.
The ICS manages almost every aspect of critical infrastructures. Initially, no data transfer took place between ICS networks and business networks. But this gap is no more present. Now businesses depend on ICS data reporting systems to keep a check on their operations. Therefore, it is important to have strict security guidelines on ICS, which no more remains an isolated system. Each ICS has its own typical vulnerability and is prone to a cyber-attack. For instance, manipulating the data in a SCADA system and HMI of one connected infrastructure implies meddling with the machinery, which may be linked to water lines, power grids or oil pipes, which again will result in the disrupted operations of that particular infrastructure.
Interdependence and Consequent Risk among Critical Infrastructure Sectors
What if the railway’s wireless communication system fails? Or what if there is an irregularity in gas supply which may affect electricity generation? Or what if a lack of water supply may adversely affect the agriculture sector? Or what if there is no Internet connection to perform any online banking transactions?
Most critical infrastructure sectors are mutually-dependent for their smooth functioning. This is one main reason why vulnerabilities are also on a rise. Failure of one infrastructure quickly cascades into failure of another, if the fault is identified and isolated quickly. A prime example is the infamous California energy crisis. It started just from a shortage of electricity supply and then left cascading effects on the gas and oil sector, apart from affecting the transportation services. That resulted in lower production of natural gas due to scarcity of electricity, which implied low supply of gasoline and petroleum. Also the transportation sector was affected because of their increasing need for liquid fossil fuels.
Sure, mutual dependence is good to optimize costs, but it also escalates the risk of multiple infrastructure failure.
Dependency on ICT to manage Critical Infrastructures
The Information Communication and Telecom (ICT) sector brings opportunities to other critical sectors by enabling functionality, faster performance and ease of service. No wonder physical critical infrastructures use ICT technologies heavily. The type of dependency and resultant vulnerabilities vary significantly depending on the purpose and service of the ICT component chosen. For instance, the ICT vulnerabilities of a power system include its three main components — computer, communication, and the power generator itself. Cyber dependency vulnerabilities arise when attacks can be targeted at specific systems, subsystems, and multiple locations simultaneously from a remote location. That is why SCADA systems, not designed for
either multi-location implementation or remote management via the Internet, are now increasingly vulnerable to cyber dependency related failures and malicious attacks.
Critical Infrastructure systems are either physical or virtual. Energy, transport, waste and water represent physical assets. Operational software systems such as SCADAs, process control systems (PCS) or distributed control systems (DCS), that yield the operational ability to supervise, acquire data from and control the physical process, represent the virtual assets.
Generally ICT and specifically SCADA systems rely on software development procedures and offer some degree of fault tolerance within their design. However, since most of these systems are now connected to other internal and external operational systems, they can be vulnerable to new types of failures that have not been considered when they were designed.
Vulnerabilities in Critical Infrastructure
There are a variety of hazards that can hamper the operations of critical infrastructure. Such vulnerabilities may include denial of service, negligence, forced malfunctioning of control systems (ICS), application testing practices that don’t predict vulnerabilities, terrorist attacks, natural calamities, accidents, or any kind of a criminal activity.
ICS often uses products based on standard embedded systems platforms. ICS tends to use commercial off-the-shelf software for these products, with the objective of minimizing costs and making the product user-friendly. As these products come in contact with the Internet, they’re open to the same threats as servers and PCs. As such, there are increased chances of network-based attacks on critical infrastructure.
Interruptions in critical infrastructure operations substantiate that cyber-attacks have an adverse noteworthy effect on them, resulting in industrial espionage, data loss and sabotage. For example, the Iranian nuclear facilities were pulled apart in 2010 by the Stuxnet malware program, without any real physical attack. Such an incident highlights how dangerous a cyber-attack on a critical infrastructure can be. Let’s see some of the common vulnerabilities in different sectors of critical infrastructure.
· Although the financial service sector takes a lot of effort to have sound security plans and policies through processes such as redeploying manpower, maintaining multiâ layered security infrastructure, and having robust backup facilities, it faces risks of cyber attacks, power outages, and natural disaster, thereby disrupting its regular operations. For instance, a hacker may access the fire-walls of a bank and start manipulating accounts of customers by placing an unwanted code into the computer files. Finding that one line of code among the entire file full of code will be close to an almost impossible task.
· The water and waste water systems is prone to adulteration with toxic agents, contamination due to the release of poisonous chemicals, apart from cyber-attacks, which might lead to fatal diseases affecting public health.
· Critical infrastructure systems such as power generation and delivery systems, water systems, transportation systems are bringing in more IoT devices to improve their accuracy of data and control.
· Farms use connected sensors to keep a check on crops and herds to optimise distribution of and pesticides, fertilizer and food.
· The telecom sector isn’t safe either. In fact the vulnerabilities in this sector are multiplying year-on-year. Hackers may attack telephone switches, Internet servers or the wireless ports through the use of DDoS or worms to wreak disruption in the entire system.
· Electric grids are highly susceptible to cyber-attacks. Most of the energy infrastructures are monitored by systems, which are premeditated for availability over a longer period of time, than for security. For instance, in an electronic substation, the hackers can send the main server into an infinite loop, which will result in not letting the operators control the power line. The hacker can either physically reach an isolated substation or access a wireless network to damage the electric connections.
· Even after implementing safe wireless practises and data encryption for protecting internal network traffic, the computerised monitoring system of transportation network is open to cyber-attacks from hackers and terrorists. An outbreak on even one switch in a train may result in a hazardous accident. Authorities continuously keep a track on airplanes and come up with improved methods of screening passengers, but air traffic control systems seem to be highly prone to cyber-attacks. Be it a wireless transmitter or an IP-based network used to exchange traffic information, they are all exposed to being hacked.
· The oil sector is exposed to being attacked by hackers, who may illegally access the distribution systems of the oil companies. They are capable of changing the data and codes, which will thereby affect the regular flow of raw materials and finished goods.
The nature of software, the criticality factor of the infrastructure, and how easily a vulnerability in it may be abused, together give an idea of how potent a damage might be. The ever-increasing number of vulnerabilities in critical infrastructure being disclosed is making the governments more vigilant and proactive so as to be able to act positively to any appalling consequences from such attacks. Reducing the vulnerabilities of critical infrastructure by providing an optimum level of security is the key to avoiding any negative effects on the society.
Pentest services delve deeper to pinpoint pathways to access, ranking the potential value of each and providing a clear roadmap for remediation. A penetration test is not only smart business practice but also an annual requirement for those who must remain in compliance with leading regulations like PCI, FERPA, HITECH, FISMA, SOX, GLBA, FACTA, and GDPR.
Let our team of experienced, ethical hackers conduct a comprehensive assessment of potential vulnerabilities, prioritizing those and recommending ways to block attacks before they damage your bottom line.
We begin with a simple question: what’s the least probable access point a
criminal might use to gather intelligence that provides the greatest potential impact on your bottom line? From this question, we outline possible targets of attack and entry points via electronic, physical, and human means. This includes information your own employees might publish in the public domain, weaknesses in email passwords or log ins, remote access, and mobile footprints. We then perform reconnaissance over the span of several days to assess potential vulnerabilities from all angles.
Next, we put ourselves in your potential attackers’ shoes to determine overall risk and valuation. Based on what we know about current capabilities, strategies, techniques, and tools, we document any digital assets you might have at risk. We then prioritize that risk based on the net asset value were a loss event to occur.
To put our findings to the test, we simulate ethical hacking attacks that are primarily focused on high value target assets. Those tests are customized to align with your unique environment, vulnerabilities, and technologies. Findings are prioritized and compiled into our recommendations to help you focus resources on areas that could mitigate the greatest potential loss.