When we start the interview Cliff Wilson (pictured left) – who is responsible for IBM security business in the Industrial, Energy and Utilities sectors across the UK and Ireland – voices his concern over the fact that many industrial control systems (ICS) still running today were designed, manufactured, and implemented, well before the internet came along. These devices were expected to operate in a more or less closed environment, albeit with degrees of simple wide area network connectivity. Nowadays, these ICS infrastructures are increasingly connected to back end process control and analytical systems. Many are even connected to the internet for ease and reduced cost of access. This new connectivity leaves them vulnerable to cyberattack from individuals and states: “In addition to being old, these systems can be highly fragile. Thus, penetration testing or other security analytical testing has to be carried out in a highly sensitive way – it is not hard to crash a legacy programmable logic controller (PLC).”
In terms of the footprint of industrial control systems, Wilson confirms that they play a critical role in the day-to-day operations of a diverse array of sites: “There is manufacturing, civil nuclear, power generation, power distribution, utilities, waste water and the whole slew of general manufacturing,” he says.
Surge in serious attacks
Turning to the direction of travel that Wilson, and his colleagues at IBM, are seeing with regards to the level, and origin, of cyberattacks on industrial control systems, he says that it is very much a mixed picture. On the one hand Wilson reveals that the kind of annoyance attacks – what he refers to as the ‘spotty youth’ in his back bedroom just having a go at a website and trying to break into a system – have reduced, significantly, in number: “This is one of the reasons why the overall graph [of attacks] looks like it has tailed off a bit.” On the other side of the coin, however, Wilson points to a worrying escalation in attacks at the more serious end of the spectrum: “These are things like the attacks on the power systems in the Ukraine which have been well reported in the international press.”
Expanding on the ramifications of the Ukraine cyberattacks, Wilson says that someone – believed to be an external third party – essentially reached in and switched off the power: “They disrupted the power network to a great extent across that country and did it in a way that the power operators couldn’t get the service switched back on again. You can imagine if you lived in a country where all of sudden the water disappeared, the electricity disappeared, the amount of fear and panic that would induce.”
Wilson continues on this theme by telling me that there is also a great worry out there that malicious software may exist on customer systems, especially those related to critical infrastructure. This means that potential attackers – individuals or state actors – could potentially cause disruption to critical systems and processes – without anyone really understanding what has happened behind-the-scenes: “This kind of suspicion comes from a number of cases where some critical Infrastructure organisations have looked at their systems in detail and found software that shouldn’t be there and, indeed, it has subsequently been proved that that software was there, in some instances, for a significant period of time,” says Wilson.
Pressed on whether it is easy to establish what a piece of malicious software is up to, Wilson admits that in practice things are not as straightforward as they might first appear: “Unless you do a fairly in-depth piece of security analysis, typically, you don’t know what that software is doing. I know of one organisation in another country, for instance, that when they found suspicious software they were advised by their local government agency not to take that software out, or to do anything with it, but to monitor it to get an idea of what the intention was. Was it exfiltrating data? Was it communicating with some external command and control system? Was it just gathering information about the network? Sometimes just plucking the suspicious software out, in terms of erasing it from whatever server, is not the smartest thing to do.”
Asked to comment on whether one of the issues here is that the utilities, and other users, are keen to have their systems more broadly connected, from a business perspective, Wilson agrees that this is, indeed, an ‘observable phenomenon’: “A lot of old industrial control stuff is, increasingly, being connected to the internet because there is a need to be able to patch application software, to pull out log data, to update operating system software versions – whatever it might be – and also to be able to extract operational process data to send to corporate management systems. Instead of having to drive a van half way across the country, for example, to look at a piece of industrial control equipment, it is much easier to connect that device to the internet and be able to query it remotely.” The danger of course, says Wilson, is when people do connect that piece of old equipment to the internet it is often done in a quick and simple manner without taking appropriate security into account.
According to Wilson the situation for industrial control systems is becoming even more fraught thanks to the widespread availability of online tools that attackers can take advantage of: “There is something out there called Shodan – a piece of software that can search for devices, including industrial control systems, and when it finds them try to log onto them using a number of different techniques. It logs off again but stores that information in a database on the internet which anyone can search through.” Wilson goes on to explain the ramifications of this information being publicly available. Basically, he says that if someone is determined to break into a utility company’s systems, for example, they can quickly find out whether any of the utility’s industrial control equipment is connected to the Internet: “They simply search through Shodan until they find a vulnerable device.”
Added to the concern over search tools, Wilson reveals that there is also the double-edged sword created by the fact that governments – and industrial control equipment manufacturers – will list on the internet known vulnerabilities associated with specific equipment: “Ostensibly it is being put up on a publicly accessible website so a technical person could research the issues associated with the equipment under their control and take appropriate remedial action – say update patching, or even think about replacing certain devices. The downside here is, of course, that the bad guys will look up these same repositories of information and, from their perspective, think that there is a company, a target, with lots of industrial control equipment, here is a list of all the vulnerabilities of those, I just might have a go at attacking them,” explains Wilson.
Time for action
Moving on to potential solutions here, and how IBM works with its customers to tackle this ongoing cybersecurity dilemma, Wilson reports that it can be tackled from a variety of standpoints: “We do penetration testing and systems assurance testing, specifically in the industrial control area. The idea there is to see just how hard it actually is to break into the industrial controls systems of, say, a critical national infrastructure company. Worryingly, it’s usually not that hard to get in. We also look for stuff that shouldn’t be there and to see where data is perhaps leaving the environment, where it shouldn’t be. We also look for differences between the “as-designed” and the “as-built” environment. We often get involved in advising our customers how to close those gaps, or to close those back doors in their industrial control systems, and how to put better security in place.”
Wilson shares that one approach, making inroads here, is in the shape of a technology capability which is basically designed to provide a protective envelope for these old and ‘creaking’ industrial control systems: “What we have done in the UK and Ireland at IBM is develop a security solution based upon multi-protocol Deep Packet Inspection (DPI) that can be inserted into almost any legacy industrial control system, of whatever type. The solution allows you to put a modern, robust, security control system around your key assets.” There is now no longer any excuse for having vulnerable controls systems out in the wild, concludes Wilson.