Headlines in the news media claim that ISIS is attempting to gain access to cyber assets that comprise the nation’s energy infrastructure. The article points out that, for now at least, there is desire, but little capability. The disparate, proprietary systems that run our nation’s power plants, refineries, and petrochemical industries take a high degree of sophistication to manipulate successfully. This was also a topic of conversation at this year’s DEFCON 23, a conference sponsored by cybersecurity professionals and hackers. The theme of the presentation, “Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion,” is similar to the theme of the article. It takes a high level of expertise to infiltrate and manipulate industrial control systems successfully. Right now, hackers are largely satisfied with gathering intelligence on proprietary control networks as a precursor to further action.
Developing the proper capabilities takes determination, effort, and time. Groups like ISIS definitely have the determination and are willing to put in the effort. That means time is running out. Sooner or later, capabilities will evolve to the point where they can be easily automated and deployed. Malware, for example, used to be somewhat difficult to create. It required specific knowledge and skills to exploit a system. Now, freely available utilities effectively allow low-skilled individuals to “create your own malware.”
Current efforts in cybersecurity are focused largely on traditional IT systems and assets. Locking down networks, encrypting hard drives, enforcing password policies, and other initiatives are commonplace. However, when it comes to proprietary Industrial Control Systems (ICS), the measures taken pale in comparison. Control systems are often viewed as difficult to manage from a cybersecurity perspective because of their proprietary nature. For this reason, companies focus on hardening the shell around the ICS.
As the headlines indicate, hackers are focused on finding ways to manipulate your ICS. For now, getting access to your systems is a “win.” Consider this a fair warning to take precautions that will detect their manipulations.
How is your facility preparing for the day they take control?