Securing Critical Infrastructure

As we reflect upon the broad  perspectives offered in this of FrontLine Security, particularly their varied input into the ­vulnerabilities of the many infrastructures upon which modern life, its governance and economies, rely – we are struck by the growing potential and increasing numbers of attacks upon their cyber component, the very life blood of much of our critical infrastructure. This is not just occurring in the western world – it is indeed global, in its targets, victims and perpetrators. To analyse the risks, and establish sufficient security and mitigation measures to remain effective, authorities responsible for these infrastructures are faced with myriad and complex arrays of often contradictory challenges. I felt it important to expose, from a Canadian perspective, some of the risks to some of our major infrastructures.

OUR SITUATION IN GENERAL
When one looks at the recent update available on Critical Infrastructure Security from Public Safety Canada, one is struck by the lack of detail and relative urgency to define and address the realm of actual damage done by cyber attacks on this infrastructure. The general report is good news, but judge for yourself, after reading other articles in this edition, if indeed the report helps you feel better informed of the scope and urgency of the cyber threat to our critical infrastructure sectors.

In reference to the increasingly relevance of cyber security for critical infrastructure sectors, the report says: “Connectivity and the world’s dependence on the internet continue to grow – as has the ­number and significance of cyber incidents. Canada’s Cyber Security Strategy, announced in 2010, is the Government of Canada’s plan for meeting the cyber threat. … The Action Plan 2010-2015 for Canada’s Cyber Security Strategy outlines the Government’s plan to implement the Strategy and meet the ultimate goal of securing our cyberspace for the benefit of Canadians and our economy...”, notes the report.

The resulting Renewed Action Plan (2014-2017) explains some of the thrusts and focus of federal coordination efforts to define threats, establish reasonable responses and security standards, and test them in coordinated exercises. They represent a laudable national strategic effort, but one must pause and look at this effort, particularly the report, and ask: “Where’s the beef?”

In the U.S., General Alexander, head of Cyber Command, testified before the U.S. Senate in February of this year. “We have a lot of infrastructure – electric, our government, our financial networks…We have to have a defensible architecture for our country, and we’ve got to get on with that… Cyber Command also needs to develop methods to prevent adversaries from easily penetrating networks and stealing data, money, and other property. During a cyber attack, hackers could shut down the power in the Northeast or attack the New York Stock Exchange and damage its data… the financial losses from such attacks could range in the trillions of dollars and potentially cost American lives. Government computer networks and transportation infrastructure also could be targeted.” He admitted to needing to yet resolve some “key capability gaps in dealing with these increasingly capable threats.” Though necessary security on the details was maintained, there was an obvious precision and sense of urgency in his words. What do we know of our vulnerability in these areas?

As tax season ended this year, it was interesting to note that, on our own Public Safety department web site, we find a warning that thieves are posing as Revenue Canada agents to obtain private financial data from citizens – but there is little or no warning of identity theft to obtain tax rebates. Whereas, this February, the Wall Street Journal reported that the U.S. Justice Department “filed charges against more than 880 people suspected of stolen identity tax refund crimes in the last budget year... The number of IRS investigations jumped 66% in the past year …” What is happening on this front in Canada?

On the positive side, there have been some good initiatives such as the announcement by Defence Research and Development Canada (29 January 2014) to fund 20 new science and technology projects as part of an approximately $14.5 million investment under the Canadian Safety and Security Program. These projects are built on a model of partnership between government, academia and the private sector. Of these, four deal specifically with cyber security on critical infrastructure.

1. Public Safety Canada will lead a study to ­produce ‘machine learning algorithms’ – a computer system trained to recognize malicious network data. It will assist in detecting ‘advanced persistent threats’ to computer networks. Partner: Dalhousie University.
2. Public Safety Canada will lead development of a method to leverage cross-sector resources to more effectively analyze critical, real-time intelligence against emerging cyber threats, thereby providing capabilities to assist security and intelligence communities during the investigation of cyber threats against critical infrastructures. Partners: École Polytechnique; and Natural Resources Canada.
3. The Government of British Columbia Environmental Assessment Office will lead a series of case study reports on Smart Grid Technologies to understand Canada’s current security vulnerabilities. These studies will contribute valuable knowledge to policy-making agencies and support their future efforts in securing Canada’s electricity grid. Partners: ABB Inc.; BC Government; and Tantalus Systems.
4. Industry Canada will lead a study that will assist in the development of a secure and functional framework to enable sensitive information-sharing between telecommunications network operators. Partners: Centre de services partagés du Québec; and Centre risque & performance de Polytechnique Montréal.

It is unfortunate that there are few actual private infrastructure companies taking part in these particular studies. Are they funding and sharing their own research on improving cyber security?

Let us look at just two key infrastructures: banking and energy. What is the state of their cyber threat and corresponding security?

BANKING
The banking industry has long been considered one of the most secure and secretive infrastructures in the world. The arrival of the debit and credit cards, as well as use of the web for normal banking such as cashing cheques, changed much of that in the span of less than a decade – and that trend continues to expand. The UK Business Times (4 March 2014) reported in PwC’s 2014 Global Economic Crime Survey, that “39% of financial services companies world-wide were hit by cyber attacks, compared to only 17% of firms in other industries.”

Cybercrime is growing and the methods are constantly evolving,” noted Andrew Clark, a partner in PwC’s forensics practice, in response to the survey (based on responses from 1,330 companies in 79 countries). “We see no abatement in attacks on banks’ infrastructure.”
Add to this, the increasing reliance on mobile phones for personal and corporate banking, and the threat of cybercrime and industrial spying increases exponentially. McAfee Canada lists the following as major cyber threats for 2014 in its annual report:

1. Mobile Malware   
2. Virtual Currencies
3. Cybercrime and Cyberwarfare
4. Social Attacks
5. PC and Server Attacks
6. Big Data
7. Attacks on the cloud

All of these will be felt in the banking industry, but will also heavily affect the cyber security of other major infrastructures. However, the banking industry does have the advantage that its losses can be more easily quantified and measured than others and, thus, they are more prone to invest a reasonable sum to reduce those losses. This is far more difficult for other infrastructures to rationalize. Add to this, however, a greater awareness of the loss of privacy, and even the banks have to be more careful. This is in evidence more and more. For instance, for recent online transfers of even moderate amounts, I have been called personally to confirm these with my specific agent, who advised me that this is now a widely standard protocol due to a gigantic increase in cyber fraud.

ENERGY
In my inquiries with major Canadian energy infrastructure players, they were all relatively secretive about their progress and arrangements. This is most telling and understandable. The risks are indeed quite complex to identify, define, cost – and eliminate. They vary from environmental activism to terrorism and cyber crime and interference on a major scale.

There is also a significant risk in relying on SCADA (Supervisory Control and Data Acquisition) for remotely controlling, on the net, the various infrastructure machinery and transmission of product, be it electricity, water, gas, oil, or even communications themselves.
Add to that the vast geographical coverage of such infrastructures, and imagine the immediate, immense, expensive and wide impact of failure. These sectors have generally deployed ageing systems that are all the more vulnerable to internet interference from more modern devices.

The task for them is not easy. For instance, in February, BBC News reported that: “Underwriters at Lloyd’s of London say they have seen a “huge increase” in demand for coverage from energy firms… Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date, and how they oversee networks of hardware that can span regions or entire countries. Energy firm cyber-defence is ‘too weak’, insurers say”.

That same month, Nextgov reported: “Of the roughly 260 cyber incidents reported to DHS last year, the majority (59%) occurred in the energy sector.”

Similarly, in respect of overall vulnerability, in March, the Wall Street Journal reported that: “The U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine of the country’s 55,000 electric-transmission substations on a scorching summer day, according to a previously unreported federal analysis.”

Also in March, USA TODAY reported: “There is evidence that energy systems, in particular, are becoming a popular target. The Department of Homeland Security recently reported responding to 198 cyber-incidents in 2012 across all critical sectors. Forty-one percent of these incidents involved the energy sector, particularly electricity.”

One can see why major infrastructures guard closely their measures and vulnerabilities – and the difficulty of even sharing with others in the industry.

The same McAfee report stated that: “More than 80% of business users use cloud applications without the knowledge or ­support of corporate IT. This loss of direct control of the enterprise security perimeter puts tremendous pressure on security leaders and administrators… Large enterprises may have sufficient leverage to put security measures in place that are consistent with the enterprise’s security posture. Smaller consumers of cloud-based services will not.’’ Not to mention the potential vulnerability brought on by the differing security of ­various sub-contractors.

WHAT NOW?
In this game of “cyber poker”, as so accurately depicted by David McMahon in his article, there is indeed a need to exchange information and share intelligence among cyber specialists and users, public and private owners, and providers at all levels of Critical Infrastructure. It is fortuitous indeed that specific Canadian efforts are being made to study and achieve this. I underline and recommend strongly to our readers, the recent launch of the Infrastructure Resilience Risk Reporter (IR3), published by the faculty of Engineering at Carleton University. It offers sound policy and practical approaches for public and private agencies at all levels to better your hand in this game.

There is a new and dynamic cyber world out there, where change is normal and rapid, and where infrastructure’s cyber resilience is as challenging as its physical protection.

___
Clive Addy, Executive Editor
© FrontLine Security 2014