Asia Pacific Security Magazine, Issue 1, 2019

Page 30

Cyber Security

Cyber risk assessment for critical infrastructures

Jane Lo, APSM Correspondent

Critical infrastructures are “luxurious targets”, said Ido Yitzhaki (VP Business Development, ODI Ltd) at the second edition of the Asia ICS Cyber Security Conference 2018, held at Resorts World Sentosa, 19th-21st Nov 2018.

When the Black Energy malware struck the Prykarpattya Oblenergo power plant in Western Ukraine, reports indicated a spear phishing campaign was the initial point of compromise. 3 years later, in Oct 2018, Ukraine's critical infrastructures were attacked again, this time by the Grey Energy malware. Although an evolved and more sophisticated variant, the malware relied on a decades-old social engineering technique to gain access to the network: phishing. Stuxnet, which hit the Iranian Nuclear Power plant in 2010, was delivered via a USB thumb drive into computer systems in the facility.

These episodes highlight that despite “air-gapping”, a physical separation of the network controlling the critical infrastructure (commonly referred to as operational technology) from the corporate infrastructure (or corporate information technology), cyber attacks on critical infrastructures are still on-going. These case studies illustrate two main reasons for the occurrences:

• heavy reliance on mobile devices for data exchange (legitimate or otherwise), including USB thumb sticks, which facilitates malware infiltration, or
• infiltration via insider threat through the inadvertent clicking on malicious emails (phishing), which opens up initial entry points for attackers to gain remote access, conduct more reconnaissance and, in many cases, gain an understanding of network architectural designs and activities, and personnel credentials.

Increasing awareness of phishing campaigns, instituting a mobile device security policy, or encrypting emails to preserve confidentiality are some standard first lines of defence against cyber attacks.

What about Penetration Testing?

The air-gap design prompts many to question whether penetration testing, typically focused on internet-connected networks, is useful for a network that is not connected to the “outside” world. Operational technology is typically multi-vendor and non-homogenous and, as in any corporate network, legacy equipment adds to the complexities of integration. Inherent shortcomings that are forgotten, unnoticed or simply disregarded become back-doors for malicious actors to gain unauthorized access, and so become real vulnerabilities in these architecture perimeters. Penetration testing, therefore, is an additional line of defence against cyber attacks on the critical infrastructure.

David Ong (CEO, Attila Cybertech), in “OT systems: To pen-test or not to pen-test?”, referring to “Penetration Testing of Industrial Control Systems” by Sandia National Laboratories (2005, David P. Duggan, Michael Berg, John Dillinger, Jason Stamp), stressed that “performing network penetration testing on operational systems should be taken with a clear understanding of the testing actions”. These systems control physical processes and can cause real-world consequences beyond waste and equipment damage: health and safety risks. Some are time-sensitive, such as those powering air traffic control compared to a local train network; some depend on specific external environmental factors for safe operations, such as requiring water at a certain pressure


Asia Pacific Security Magazine, Issue 1, 2019 by MySecurity Marketplace - Issuu