CYBER SECURITY—1: Effective defense requires thorough risk assessment

Sept. 28, 2009
Protecting a pipeline system from cyber attack requires placing independent barriers and protections (technical countermeasures) around its supervisory control and data acquisition system in an effort to keep communication paths secure.

The first part of this series, presented here, describes a risk assessment for cyber attack before detailing a number of potential attack avenues requiring attention as part of a vulnerability assessment. Part 2 (next week) will detail application of a particular approach to vulnerability assessment.1

Background

Pipelines and associated facilities have come to the attention of terrorist and extremist organizations outside of the US (including some in the UK and Canada).2 3 These organizations have mounted successful attacks on such facilities. The US has experienced incidents of vandalism and blackmail threats against pipeline facilities.4 5

In one instance a blackmailer positioned what appeared to be explosives on the Trans Alaska Pipeline System and sent a photo of this to the respective pipeline executives demanding money.6 Accidental pipeline incidents have also resulted in deaths and damage in the US and made headlines.

The US government (as well as those of Canada and the UK) maintains an incident database and has determined pipelines are attractive potential targets for future terrorist activities.7 Implementing a comprehensive security program is no longer optional for pipeline operators. Such a program is now essentially a mandate, even if the US Transportation Safety Administration Pipeline Security Division still officially classifies them as voluntary.

Even if it were not being strongly encouraged by various governmental agencies, a pipeline company would normally want to perform a risk assessment as part of good business practices and of establishing a legal basis for proving it has given serious attention to corporate governance, risk management, and compliance issues.

This article will not specifically address physical attacks on cyber assets, but providing a suitable level of physical security and protection for such assets is essential. If physical security isn't addressed, it may be pointless to worry about cyber security.

The International Standards Organization has a standard derived from a solicitation of IT management best practices—ISO-17799—which has been heavily drawn upon by the North American Electricity Reliability Council in creating Critical Infrastructure Protection standards (CIP-002 through CIP-009) for the electric utility industry. The International Society of Automation uses some of the same standard's recommendations in its SP99 Industrial Cyber Security standards work.

Both instances require an operator to define, establish, monitor, and protect both a physical security perimeter around critical cyber assets and an electronic security perimeter around those same assets. This article will not specifically address aspects of the physical security perimeter but will assume it is being addressed as part of an overall security program including cyber security.

NERC CIP standards are available at the NERC web site and offer good suggestions regarding physical security.

A risk assessment is a structured procedure used to identify and rate the likelihood and consequences of various credible threat scenarios. Threat scenarios take (credible) threat agents and examine realistic ways in which they could exploit vulnerabilities to attack a vital asset. These include scenarios addressing physical attacks on facilities (such as trying to blow up a portion of a pipeline) or scenarios addressing cyber attacks on critical systems (like getting a malware infection into the supervisory control and data acquisition system computers).

Going through these exercises helps sort out credible threat agents, how these threat agents could attack vital assets, and, if such attacks were successful, what would be the consequences. Most organizations do not have enough detailed information to perform such analysis in any quantitative manner. But it is usually possible to make a qualitative assessment of risks and consequences.

Risk assessment

A cyber security risk assessment is predicated on the presumption an intentional, hostile attack will be made and will attempt to generate the maximum possible damage through compromising the automation systems. Risk analysis involves enumerating and evaluating the following basic elements of the risk equation:

  • Threat agents that might realistically stage attacks.
  • Assets likely to be subject to such attacks.
  • Vulnerabilities enabling an attack to be successful.
  • Consequences of a successful attack.

Understanding that risk and consequences are related, but not the same thing, is important in making a risk assessment. Risk attempts to combine the likelihood of an event with the consequences of an event. If an event has dire consequences but is extremely unlikely to occur, the risk is low. If an event is very likely to occur but has minimal consequences, the risk again is low.

Accounting and insurance underwriting treat risk as a financial calculation. In the industrial automation world, including pipelines, since people can die or be seriously injured, and there can be environmental harm, risk is much more difficult to quantify.

The accompanying equation provides a simple description of risk (see box below).

People tend to focus on consequences and not likelihood. Asteroids do strike the earth, and when they do, the consequences are dire. Yet we make no provisions for asteroid insurance because the likelihood of one hitting us is so close to zero the resulting risk is essentially zero.

Acting to alter either component of the equation—likelihood and consequences—can reduce risk. If you can't reduce the likelihood, then you try to reduce the consequences. If you can't alter the consequences, you try to reduce the likelihood.

In financial terms, risk is generally stated as the financial loss experienced as the result of a successful attack, an amount that is usually annualized to reflect the probable time span during which such an attack is likely to occur. Annualized exposure is then used to justify the amount of funding invested in reducing the risk.

A strictly financial risk analysis, however, can't easily accommodate issues not conveniently expressible in dollars, such as loss of life or effects on the national economy and security. It also has difficulty determining the time span over which an event becomes likely to occur.

A qualitative assessment can address nonfinancial issues. The likelihood of an event is not always easy to define in quantitative terms. The more attractive assets are as a target, and the greater the number of vulnerabilities in a security perimeter, the more likely an attack is to occur.

Threats

The US government has already determined pipelines are attractive targets for terrorism and that credible threat agents exist who would be prepared to attack both pipelines and related facilities. The only parameter in the presented equation the operator can manage is the number of vulnerabilities in both the physical and cyber defense perimeters that would enable a successful attack.

Viable threat agents aside from terrorists also need to be considered when performing a risk analysis. The full list of potential cyber attack threat agents includes:

  • Malware (malicious software such as viruses and worms).
  • Human error (mistakes, poorly trained insiders, poor procedures, etc).
  • Insiders (disaffected or angry employees, contractors, etc).
  • Former insiders (terminated employees, contractors, etc.).
  • Outsiders (hired hacker groups, terrorists, criminal groups, etc.).

Terrorist groups either have, or can hire, the technical expertise to stage a cyber assault, if they so choose. One could argue physically protecting a long-distance pipeline is nearly impossible, and thus a physical attack is more likely than a cyber attack. But as the government makes it harder for terrorists to enter the country or operate inside the country, a cyber attack may become more probable.

Environmental activists are also included among the threatening outsiders and have staged attacks and made threats against pipeline operators.8 Organized crime (both inside and outside the US) has found cyber crime pays well, but there is no clear and obvious motivation for those groups to target pipelines, except possibly for extortion and blackmail.

The huge range of already existing and deployed malware and the constant introduction of new malware require that cyber risk analysis include it as a credible and probable threat agent. Human error often plays a part in cyber attacks. Many malware infections are delivered accidentally by uninformed or careless employees. Many successful hacker attacks on systems are enabled by employees using simple, easy-to-guess passwords. Poorly trained employees might also fall for social engineering tricks and reveal confidential information enabling a successful attack.

Employee training and education are a critical element of cyber security because human error frequently defeats expensive technical protective measures. Well developed and clearly explained policies and procedures are key components in an overall cyber security program.

Whether a given pipeline organization has current or former employees, contractors, or consultants with the needed skills and a desire to cause harm or a monetary incentive to do so is a question each organization must answer itself. But according to the US Federal Bureau of Investigation, insider-initiated incidents of intentional industrial sabotage have been increasing steadily during the past 10 years. Mergers, downsizing, reorganizing, and outsourcing have led to growing disaffection among both hourly and salaried workers.

Fig. 1 shows cyber crime statistics gathered by the Computer Security Institute over a 6-year interval. Disgruntled employees are a major factor in these statistics.

This article classifies a cyber asset as:

  • A computer or intelligent device containing a microprocessor and some form of communications interface.
  • A local or wide-area communications infrastructure and associated components.
  • Software (including operating system, networking, and application programs), data, and configuration information contained by a computer or intelligent device.
  • Information-documentation about any of the above (regardless of format) that would, if accessed by a threat agent, expose or create exploitable vulnerabilities.

Making critical information (such as user account information) or critical documentation (network Ethernet-MAC, IP addresses, etc.) available to a computer-knowledgeable attacker would make his efforts to penetrate critical systems both easier and more likely to succeed.

Evaluating the consequences of a given cyber asset being disabled, disrupted, damaged, altered, revealed, or otherwise made unavailable will allow further differentiation of these assets. If the consequences are unacceptable, the asset is critical.

All-encompassing security is an unrealistic and potentially hugely expensive goal. Cyber security should therefore focus primarily on protecting critical cyber assets.

Communications interfaces

In addition to developing an inventory of cyber assets, the beginning of a risk-assessment process should also diagram communications interfaces, showing all interconnections between and among assets. This documentation, however, would itself be a cyber asset and would need to be treated as confidential information.

Table 1 shows examples of the types of things falling into each of the four cyber asset categories.

Creating a communications interconnection diagram is an essential step in risk assessment because to launch a cyber attack, the attacker must have some communications mechanism providing him access to your cyber assets. Such a communications path could be a telephone circuit, a wireless network connection, a local area network Ethernet connection, or even a connection created through an existing connection to another network (such as the internet).

One of the most basic and ubiquitous communication mechanisms usually goes unnoticed when addressing communications access: the manual transfer of files from one computer to another. Portable electronic devices and removable storage media provide literally dozens of ways in which malware can be delivered to a target system. Identification of communication access points therefore ought to include CD and DVD drives, USB, Firewire (IEEE-1394), PCMCIA and Ethernet ports, and memory stick slots (Compact Flash, SD, miniSD, microSD, and smartCards).

Many seemingly innocuous devices with a USB connection—digital cameras, digital video recorders, MP3 players, and many color printers—actually contain integral file systems and storage that can deliver malware to a target system (Fig. 2). They could, of course, also be used to carry away sensitive and confidential files copied from a critical system. Installing a certain major vendor's printer driver, or just accessing an infected printer over a local area network, has spread viruses to computer systems (the Funlove virus, for example).

A good starting point for a communications interconnection diagram is to create an up-to-date, detailed system block diagram for the SCADA system monitoring and operating the pipeline. This diagram should show all key components, as well as all of the communications interfaces between and among these components.

Fig. 3 is an example of a representative SCADA system block diagram, with the level of detail typical of most such drawings. Such a diagram usually shows interconnections between and among local system components and at least the SCADA system end of interconnections to other systems and networks. But it usually won't indicate what is at the other end of a wide area network interconnection (e.g., the corporate WAN leading to the Internet).

Another important communications interface often unnoticed and undocumented consists of alternative communication interfaces installed in computers attached to critical local area networks. Most new laptop PCs come with integral Ethernet interfaces, and most will also have a built-in analog telephone modem, integral WiFi, and frequently even an integral Bluetooth wireless adapter. The same can be true of desktop PCs.

These alternate communication interfaces can make a simultaneous communication connection, offering a path through the PC to the local network connected via the Ethernet port. It is important to note the presence of these interfaces when constructing a system network interconnection diagram.

Pretty much all PCs today, when interfaced to a local area network (LAN), will be using one of the variations of Ethernet and will be running an IP protocol stack on top, so that TCP/IP networking is used between and among local computers.

The strength of IP-based networking lies in establishing a connection, regardless of the number of intermediate computers. Inside IP-networked PCs is a layer of communications software (the IP layer) that will route message traffic if it arrives at the PC on one communications connection but is not actually addressed to that particular PC. In such instances IP will look for another available communications connection and send the message off on that alternate path (Fig. 4).

If a PC is connected to a critical LAN, such as the SCADA system's LAN, and has an enabled wireless adapter, then an attacker could connect to its wireless interface and pass through the PC onto the SCADA's LAN. The same can be true for a PC with an active telephone dial-up or cellular-based connection to the Internet, while also connected via Ethernet to the SCADA LAN.

Both scenarios offer a communications path an attacker could use. It is also important to identify any computers with dual Ethernet adapters connected, via these two different Ethernet adapters, to a critical LAN and a nonsecure LAN, as the same kind of routing function can occur. An example might be a PC connected to the SCADA LAN and also to a site business LAN including an Internet connection.

This is not the same as having two Ethernet adapters for the purpose of network redundancy. The example SCADA system block diagram (Fig. 3) incorporates redundant LAN switches and Ethernet interfaces to improve system reliability and availability: not two different networks, but one replicated (redundant) network.

If Ethernet switches are used to create the local LAN(s) connecting all SCADA system components, and there are unassigned ports on those switches, such a block diagram may not show if those ports are active or disabled. An insider who can access such a switch, however, can use a free port to connect to the SCADA LAN, unless all such ports are disabled. If VLAN (virtual local area network) technology segments equipment into logical groups, this information should also be documented on such a drawing.

Such system block diagrams may, or may not, make it clear what type of communications connection technology is present for each connection. The drawing also may not clearly show what protocol support is in place on each such circuit shown. Knowing these details helps assess the risk of a possible cyber attack via a communications interface, because the details of the interface indicate its potential level of vulnerability.

Information about what the other end of each communications interface looks like, and to what the system at that other end may be connected (such as the Internet) will often be missing from a SCADA's block diagram. It is good policy to assume the other end of any communications circuit you do not fully control is not secure.
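The dual-homed and alternate-interface cases described above can be checked from an interface inventory rather than hoped for on a drawing. The following is an added example (not code from the article or its author) that classifies each host's IPv4 interfaces against an assumed SCADA LAN range, distinguishes the redundancy case from a genuine second network, and raises the finding when IP forwarding is enabled; it assumes Linux hosts, `ip -o -4 addr show` output and the `/proc/sys/net/ipv4/ip_forward` value, and the four sample hosts are constructed.

```python
import ipaddress
import re

# Constructed SCADA LAN range (assumption; substitute the real range from the block diagram).
SCADA_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
# Interface-name prefixes that signal an alternate path: WiFi, dial-up/cellular (ppp, wwan), Bluetooth PAN.
ALTERNATE_PREFIXES = ("wlan", "wlp", "ppp", "wwan", "bnep")

# Matches one line of `ip -o -4 addr show`, e.g. "3: wlan0    inet 192.168.1.7/24 brd ..."
ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_ip_addr(output):
    """Return [(ifname, IPv4Interface)] for every non-loopback IPv4 address in the command output."""
    found = []
    for line in output.splitlines():
        m = ADDR_LINE.match(line.strip())
        if m and m.group(1) != "lo":
            found.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return found


def classify(ifname, iface):
    """'scada' if addressed on the SCADA LAN, 'alternate' for wireless/dial-up adapters, else 'other'."""
    if any(iface.ip in net for net in SCADA_SUBNETS):
        return "scada"
    if ifname.startswith(ALTERNATE_PREFIXES):
        return "alternate"
    return "other"


def assess_host(hostname, ip_addr_output, ip_forward):
    """Report whether a host offers a communications path from another network into the SCADA LAN.

    ip_forward is the integer read from /proc/sys/net/ipv4/ip_forward (1 = host routes between interfaces).
    """
    groups = {"scada": [], "alternate": [], "other": []}
    for ifname, iface in parse_ip_addr(ip_addr_output):
        groups[classify(ifname, iface)].append((ifname, str(iface)))
    if not groups["scada"]:
        return {"host": hostname, "status": "not-on-scada", "severity": "none", "paths": []}
    foreign = groups["alternate"] + groups["other"]
    if not foreign:
        # Two NICs on the same SCADA network is the redundancy case, not a bridge to a second network.
        status = "redundant-same-network" if len(groups["scada"]) > 1 else "scada-only"
        return {"host": hostname, "status": status, "severity": "none", "paths": []}
    status = "alternate-path" if groups["alternate"] else "dual-homed"
    # With forwarding on, the IP layer will relay traffic between the two networks (the Fig. 4 case).
    severity = "high" if ip_forward == 1 else "medium"
    return {"host": hostname, "status": status, "severity": severity, "paths": foreign}


# Constructed sample inventory: what `ip -o -4 addr show` and ip_forward returned on four hosts.
SAMPLE_HOSTS = [
    ("scada-hmi-1",
     "1: lo    inet 127.0.0.1/8 scope host lo\n"
     "2: eth0    inet 10.20.0.11/24 brd 10.20.0.255 scope global eth0\n"
     "3: eth1    inet 10.20.0.12/24 brd 10.20.0.255 scope global eth1\n", 0),
    ("eng-laptop",
     "2: eth0    inet 10.20.0.31/24 brd 10.20.0.255 scope global eth0\n"
     "3: wlan0    inet 192.168.1.7/24 brd 192.168.1.255 scope global wlan0\n", 0),
    ("ops-ws-2",
     "2: eth0    inet 10.20.0.40/24 brd 10.20.0.255 scope global eth0\n"
     "3: eth1    inet 172.16.5.9/24 brd 172.16.5.255 scope global eth1\n", 1),
    ("corp-pc", "2: eth0    inet 172.16.5.20/24 brd 172.16.5.255 scope global eth0\n", 0),
]


def audit(hosts=SAMPLE_HOSTS):
    """Return the findings that need attention, most severe first."""
    order = {"high": 0, "medium": 1, "none": 2}
    findings = [assess_host(*h) for h in hosts]
    return sorted((f for f in findings if f["severity"] != "none"), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit():
        print(f"{f['host']}: {f['status']} ({f['severity']}) via {f['paths']}")
```

Because `ip -o -4 addr` lists only interfaces that hold an address, an enabled but unassociated wireless adapter will not appear; pair this with an `ip -o link` listing if that case matters.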

Vulnerability assessment

A risk assessment attempts to establish parameters for gauging the impact of a successful attack against a critical asset. The results (consequences) of a successful attack on a pipeline, or associated facility, be it physical or cyber in nature, can be organized into a manageable number of consequence categories. These can then be qualitatively ranked based on increasing level of seriousness, using a variety of topic-specific rating criteria.

Table 2 provides an example of a potential consequences-ranking matrix using seven criteria. The quantity and types of criteria, and their severity rankings, will vary from one pipeline organization to another, but the general need to create such a qualitative consequence matrix and make a business determination as to what level of consequences can and cannot be tolerated remains.
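To show how the likelihood and consequence components described under Risk assessment combine with a consequence-ranking matrix of the kind Table 2 illustrates, here is an added worked example (not from the article or its author). The criteria names, the 1-4 scales, the bucketing rules and the sample assets are all assumptions constructed for illustration; the point it demonstrates is the article's own: dire-but-unlikely and likely-but-trivial events both rank low, and removing vulnerabilities lowers risk without touching consequences.

```python
from dataclasses import dataclass

# Constructed criteria for a consequence matrix (assumption; Table 2 uses its own seven).
CRITERIA = ("safety", "environment", "supply", "financial", "regulatory", "reputation", "recovery")
LEVEL_NAMES = {1: "negligible", 2: "minor", 3: "serious", 4: "severe"}


@dataclass
class CyberAsset:
    name: str
    attractiveness: int        # 1..4, how attractive the asset is as a target
    vulnerabilities: int       # known unmitigated vulnerabilities on its perimeter
    consequences: dict         # criterion -> 1..4 severity if the asset is disabled, altered or revealed


def consequence_level(asset):
    """Worst case over all criteria: an asset is as serious as its most serious consequence."""
    return max(asset.consequences.get(c, 1) for c in CRITERIA)


def likelihood_level(asset):
    """Likelihood grows with target attractiveness and the number of vulnerabilities.

    The vulnerability count is bucketed onto 1..4 and averaged (rounding up) with attractiveness.
    No vulnerabilities means no credible way in, so the floor level applies whatever the attractiveness.
    """
    if asset.vulnerabilities <= 0:
        return 1
    vuln_level = min(4, 1 + (asset.vulnerabilities + 1) // 2)   # 1-2 -> 2, 3-4 -> 3, 5+ -> 4
    return min(4, (asset.attractiveness + vuln_level + 1) // 2)


def risk_score(asset):
    """Risk combines likelihood with consequences (here as their product, range 1..16)."""
    return likelihood_level(asset) * consequence_level(asset)


def risk_label(score):
    if score <= 4:
        return "low"        # covers both dire-but-unlikely and likely-but-trivial events
    if score <= 8:
        return "medium"
    if score <= 12:
        return "high"
    return "critical"


def is_critical_asset(asset, tolerance=3):
    """Business decision: consequences at or above `tolerance` cannot be tolerated, so the asset is critical."""
    return consequence_level(asset) >= tolerance


def rank(assets):
    """Return (name, likelihood, consequence, score, label, critical) rows, highest risk first."""
    rows = []
    for a in assets:
        s = risk_score(a)
        rows.append((a.name, likelihood_level(a), consequence_level(a), s, risk_label(s), is_critical_asset(a)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample assets (values are illustrative, not measurements).
SAMPLE_ASSETS = [
    CyberAsset("scada-master", 4, 3, {"safety": 4, "supply": 4, "financial": 3}),
    CyberAsset("eng-laptop", 2, 5, {"safety": 3, "financial": 2}),
    CyberAsset("historian", 3, 0, {"financial": 2, "regulatory": 2}),
    CyberAsset("office-printer", 1, 1, {"financial": 1}),
]

if __name__ == "__main__":
    for name, lik, con, score, label, crit in rank(SAMPLE_ASSETS):
        flag = " *critical asset*" if crit else ""
        print(f"{name:15} L={LEVEL_NAMES[lik]:10} C={LEVEL_NAMES[con]:10} risk={score:2} {label}{flag}")
```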

At this point in a risk-assessment process, the likelihood of a successful attack still must be addressed. This means looking at cyber assets and considering attack scenarios in an attempt to answer two questions: what would happen if this asset were made unavailable, and how could an attacker bring this about?

Answering the "How" part of the question requires an understanding of what (cyber) vulnerabilities exist and how they could be exploited by an attacker. Identifying the communications interfaces is key to making a vulnerability assessment because cyber attacks cannot occur without some form of communications channel between the attacker and critical cyber assets.

A commercially available assessment methodology and associated tools can formalize the process of making a vulnerability assessment. These methodologies can help gather relevant information about your systems and networks and help generate a vulnerability assessment based on these data.

Vulnerability assessment methods fall into two categories: active and passive. An active vulnerability assessment involves actually trying to break into one's own systems using hacker tools such as Metasploit, Nmap, and Nessus, a process called penetration (or pen) testing.

The primary problem with making an active vulnerability assessment on a system that is in operation is the real possibility of disabling the SCADA system being assessed. Active assessments are best done on either backup systems or on test-training-support systems. Such tools require expertise, and it is best to hire experts to perform an active vulnerability assessment.

Passive vulnerability assessments evaluate the available communication paths into critical cyber assets, reviewing known computer and communication system vulnerabilities before applying approaches such as fault tree analysis or failure mode effect analysis to derive a scenario probability and severity estimate. The industrial automation sector uses a number of passive vulnerability assessment methodologies (some with software tools to help automate the process), including some developed by end-user organizations.

The Idaho National Laboratory has established a national SCADA test bed for studying SCADA system vulnerabilities and has published various articles and papers providing guidance in this area. The American Petroleum Institute, in conjunction with the Process Control Systems Forum, has a working group on defining SCADA cyber security self-assessment methodologies. IBM offers the IBM Internet Security Systems ISS-X program and consulting services.

The US Department of Energy's Office of Energy Assurance offers a well written and comprehensive do-it-yourself guide to Vulnerability Assessment Methodology,9 specifically developed for the electric power industry, but highly SCADA-oriented. It addresses a comprehensive range of vulnerabilities, both physical and cyber.

References

  1. Shaw, T., "Energy Infrastructure Cyber Security: Pipelines—A Step-by-Step Guide for Keeping Pipeline Infrastructure Safe From All Cyber Attacks," Oil & Gas Journal Research Center, 2009.
  2. "IRA bomber sentenced to 25 years: Man convicted of Tyneside oil and gas attacks gives thumbs-up to judge," The Independent, Aug. 23, 1994.
  3. "Terror threat first for pipeline firm," AP Online, June 3, 2007.
  4. "Alaskans on edge after terror warning," AP Online, Dec. 24, 2003.
  5. "Trans-Alaskan Pipeline System Security: Recent Threats," Suburban Emergency Management Project, http://www.semp.us/publications/biot_reader.php?BiotID=560
  6. US Department of Homeland Security, Transportation Safety Administration, Statement of John Sammon, Assistant Administrator Transportation Sector Network Management, before the Subcommittee on Railroads, Pipelines, and Hazardous Materials, Committee on Transportation and Infrastructure, US House of Representatives, June 25, 2008.
  7. "EnCana warned of more bombs," Calgary Herald, July 17, 2009.

The author

William T. (Tim) Shaw is senior consultant, Cyber SECurity Consulting. In addition, he has held senior positions at Hathaway Corp., EMC Controls, Texas Instruments, and Foxboro Corp. Shaw has more than 30 years' experience in industrial automation, including process-plant automation (DCS and PLC systems), SCADA systems, electrical substation automation, building automation, and factory automation. He holds a BS in electrical and computer engineering from University of Michigan; an MS in engineering science from Loyola College, Baltimore; a PhD in computer science from Kennedy-Western University; and a CISSP certification in cyber security from (ISC)². He is a senior member of the Instrument Society of America (ISA) and is also a member of the IEEE Computer Society.
