by Ross Dyer
Renowned think tank Chatham House this week published a new report warning that those in charge of the UK’s nuclear facilities have underestimated the risk of a serious cyber attack. While some of the sensational tabloid headlines it generated are somewhat wide of the mark, the report nevertheless highlights again the potentially catastrophic effects of cyber attacks on SCADA and industrial control systems (ICS).
It should provide food for thought for any CISO tasked with securing such systems.
The report itself took 18 months of painstaking interviews with 30 industry specialists to compile. Lead author Caroline Baylon has been widely reported as warning of a “culture of denial” permeating the UK’s nuclear industry which, if unchecked, could increase the risk of a major incident. Several of the report’s findings will ring true with security professionals at other industrial facilities, including energy and heavy manufacturing plants.
These include the misconception that systems are “air gapped” and therefore safe from remote attacks. In fact, “a number of nuclear facilities now have VPN connections installed” even though their operators are sometimes unaware of this, the report claims. Attackers can easily find internet-connected systems via online searches, and even where a genuine air gap exists, it can be bridged with a flash drive. SCADA and industrial control systems are also “insecure by design” and often aren’t even patched, because operators can’t afford to take them offline for a minute. The whole situation is made worse by supply chain vulnerabilities, which could lead to compromise at any stage.
The report also points to a breakdown in communication between engineers and security personnel which means staff at facilities don’t understand security procedures. And it warns that a reactive approach to cyber security could mean bosses being unaware of attacks until they’re fully under way.
Keeping SCADA safe
Now the chances of SCADA attackers hitting a nuclear plant are pretty slim. If Stuxnet has taught us anything, it’s that pretty much only nation states have the motive and funding to launch such cyber raids. But this doesn’t mean we shouldn’t be doing our best to minimise risk. It’s also true that while governments may be the ones attacking enemy CNI, few pieces of critical infrastructure are state-controlled any more.
The UK government’s job instead is to take a lead on improving information sharing and cyber security standards. Best practice guidelines, including those to help firms better measure risk, are what CNI firms running these legacy systems need.
In the meantime, here are some additional steps CISOs can take to fortify systems:
- Promote security by design in industrial systems
- Deploy intrusion detection and network monitoring to spot advanced threats
- Extend strict security policies to the supply chain
- Improve security training/awareness and conduct regular drills
- Use whitelisting to limit risk exposure and the need for patching