Protecting Vital Infrastructure from Cyber Attacks
In this technological age, most of our critical infrastructure is run by computer systems. The power grid, public transportation, water treatment plants, refineries, gas lines and nuclear power plants are all at the mercy of anyone with the right software and the knowledge to initiate a cyber attack.
The threat of data breaches is one thing -- information gets stolen, money is lost -- but attacks on industrial control systems, sometimes also referred as SCADA or Supervisory Control And Data Acquisition systems, pose a much greater threat, a physical threat to our security and potential for loss of life. The vulnerability of computer systems and control systems at companies running critical infrastructure leaves a door of opportunity open to acts of cyber warfare. Once industrial control systems are hacked, enemies could do something as dangerous as open dams, release poisonous gases, raise the temperatures in nuclear plants, or cause explosions. Even if the actual utility company has high security standards, hackers tend to go after third party contractors that have access to these systems and typically much lower security standards.
Reported Industrial Control System Hacks
Many hacks on industrial control systems worldwide have been revealed in the last three years, and intelligence agencies have collected data on hackers abroad that have infiltrated computer systems at U.S. utility companies. In December of 2014, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated in a press release that a variant of Black Energy malware, thought to be used by Russian hackers, has "compromised numerous industrial control systems." Also last year, a Chinese hacker nicknamed "UglyGorilla" was found to be behind several utility company hacks searching for ways to control natural gas, water, heat and other utilities in the U.S. He was later indicted for infiltrating Westinghouse's computer system and stealing nuclear power plant pipe system designs.
In the 2014 fiscal year alone, there were 79 hacking incidents reported at energy companies. This number is not the real total since many breaches go undetected for long periods of time and most go unreported.
Security Issues with Current Equipment
The heart of the issue is that equipment used in industrial control systems is often built to last 30+ years. This means there is equipment in use out there that is decades old, still has decades of useful life, and was never built to have any kind of network security controls. However, to compete in the increasingly competitive market, companies have had to 'Internet-enable' their industrial control systems so monitoring and control can be done remotely. This saves millions in preventative maintenance, travel, and personnel costs, enabling them to become ever more productive and cost competitive. Unfortunately though, most of this equipment will never be able to be upgraded enough to meet today's security requirements and replacing this equipment is outrageously expensive. These companies are gambling that they won't be hacked, but it is only a matter of time.
Another dilemma faced by industrial control facilities is that the decision makers deciding to put their control systems 'online' are systems engineers, not cybersecurity professionals. Cybersecurity experts recommend training these employees to be aware of and identify these threats. Although these engineers should be aware of security threats, they can't be expected to acquire the same knowledge and abilities as someone that works in cyber and network security.
An Economical Solution
So in order to compete, it is essential for critical infrastructure providers to network their industrial control systems. There are ways to accomplish this remote control and monitoring more securely though. Charon Technologies has developed a unique device called CommLock Connect that is about the size of a deck of cards. This hardware-based security device can be connected directly to industrial control systems so that a secure and encrypted connection is made between these devices and the systems controlling them. This can be done through the internal or external network and due to the hardware-based security, is not vulnerable to the typical software vulnerabilities. This innovative solution by Charon allows engineers to do their jobs without worrying about security threats and saves millions of dollars in new equipment expenses by rendering older, but fully functional, equipment secure.