Codenomicon Ltd identified the Heartbleed bug, which has turned out to be one of the biggest Internet security flaws ever unearthed. Ari Takanen, Chief Research Officer, speaks on the vulnerability of the Indian power sector to cyber-attacks, and the complexities that the Heartbleed bug brings to the table.
Cyber-attacks are increasing globally on the power sector and recent research indicates that this was the fifth most targeted sector in 2013. What is the Indian scenario?
The Indian power segment is currently migrating to the next generation internet protocol (IP) based industrial control systems (ICS), including SCADA systems, and Smart Metering solutions. The National Security Council (NSC) has proposed a Three-Pronged Cyber Security Action Plan for India which includes the migration of power plants to the next generation ICS/SCADA systems and the introduction of smart cities. The execution of this plan would not only be a technological advancement but it would also involve security considerations. The introduction of IP-based communications exposes previously closed networks to external attacks. Accordingly, in the Indian scenario, as the country migrates to next generation ICS/SCADA systems, it needs to put cyber-security considerations to the forefront and put efforts into becoming cyber-ready.
How are power generation, transmission & distribution at risk from cyber-attacks?
There were 111 cyber incidents reported by the energy sector during the six months ending in May 2013, compared to about 81 incidents reported in the preceding 12 months, according to the report issued by DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In India, the energy sector is in the process of introducing and implementing the next generation IP-based ICS/SCADA systems. With IP-based communication used throughout the industrial control system network, packets can be routed into field devices from external networks. Field devices such as PLCs, RTUs, Smart Instrumentation and other embedded devices are the most critical elements of an ICS/SCADA network because they control physical equipment like pumps, valves, boilers, compressors, safety systems, etc. This equipment utilises ICS/SCADA protocols that were designed for communication between trusted devices in a closed network. These devices operate efficiently in closed networks, but in an open network things change dramatically. We are seeing cyber-criminals putting more focus into ICS/SCADA systems: they are doing more research (there is a growing number of reports on probing used to map network infrastructure and locate weaknesses for future attacks), and they are writing more malware addressed specifically towards exploitation and disruption of ICS/SCADA systems. Already, several power outages have been attributed to cyber-extortion.
What are the complexities that the Heartbleed bug brings to the table as far as the Indian power sector is concerned? Could you elaborate in some detail as to which systems will be exposed?
The Heartbleed bug is a software weakness, a mistake in the code. Such mistakes are frequent as software is developed by human beings. Some weaknesses are caught during development and fixed. Some are reported later and patched. Others, so called zero-day vulnerabilities, remain undetected in the code. These unknown or zero-day vulnerabilities are the biggest threat to cyber-security, because there are no defences against them. The Heartbleed bug remained undetected for two years, during which time all systems using the vulnerable version of OpenSSL could have been compromised.
Small embedded "Internet of Things (IoT)" devices used in Smart Grids and Home Automation can be connected to the Internet. These devices are small computers that have the same type of weaknesses as any other smart devices. These small embedded devices rarely have security functionality to protect them from malware. Weaknesses such as Heartbleed can expose the credentials and encryption keys used in these IoT devices. Thus, to protect them from attacks, all such devices need to be reconfigured. As the Indian energy sector migrates to next generation ICS/SCADA systems, they can benefit from the experiences of companies operating in matured markets. Rather than wait to be affected to take action, the Indian power sector can mitigate weaknesses proactively and thereby harden networks against external attacks. Having a strong hardened robust network is the best defence against cyber-attacks.
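The two answers above describe Heartbleed as "a mistake in the code" that can expose credentials and encryption keys. The following is an added illustration, not code from the interview or from Codenomicon: a toy heartbeat record parser laid out like the TLS heartbeat extension (RFC 6520), with the defective pattern (trusting the length field) beside the hardened one (bounding the length by the bytes actually received). The `memory` buffer and the secret placed after the record are constructed stand-ins for process memory; function names are my own.

```python
# Added example (not from the interview): why a length field must be bounded
# by the data actually received, and why a memory-disclosure bug forces
# re-keying of affected devices.
#
# Record layout assumed here (as in RFC 6520):
#   type(1) | payload_length(2, big-endian) | payload | padding(>=16)

import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat record. claimed_length lets a test construct a
    malformed record whose length field overstates the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytes, offset: int) -> bytes:
    """The defective pattern: trust the length field and copy that many bytes
    starting at the payload, regardless of how much was actually received."""
    _type, length = struct.unpack_from("!BH", memory, offset)
    payload_start = offset + 3
    echoed = memory[payload_start:payload_start + length]  # may run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed


def respond_checked(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """The hardened pattern: the declared length plus header and minimum
    padding must fit inside the received record, else the record is dropped."""
    if record_len < 3 + MIN_PADDING:          # cannot hold even an empty payload
        return None
    _type, length = struct.unpack_from("!BH", memory, offset)
    if 3 + length + MIN_PADDING > record_len:  # length field overstates the payload
        return None
    payload_start = offset + 3
    echoed = memory[payload_start:payload_start + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed


def demo() -> dict:
    """Place a malformed record in front of a constructed secret and compare
    what each responder would send back."""
    secret = b"CONSTRUCTED-DEVICE-KEY-0123456789"          # stand-in for adjacent memory
    record = build_heartbeat(b"ping", claimed_length=40)   # claims 40 bytes, carries 4
    memory = bytes(record + secret)
    unchecked = respond_unchecked(memory, 0)
    checked = respond_checked(memory, 0, len(record))
    valid = build_heartbeat(b"ping")
    return {
        "leaks_secret": secret[:10] in unchecked,   # over-read reaches the secret
        "checked_rejects": checked is None,          # hardened parser drops the record
        "valid_echo": respond_checked(valid, 0, len(valid)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for operators is in the last two lines of `demo()`: once a device has run the unchecked variant, anything that sat next to a record in memory (keys, session material, credentials) must be treated as disclosed, which is why patching alone is not enough and the devices need new credentials and keys.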
The Industrial Control Systems Cyber Emergency Response Team of the US Department of Homeland Security has issued a Situational Awareness Alert for the OpenSSL Vulnerability due to the Heartbleed bug. How much of the vulnerability information disclosed in the alert is applicable to the Indian power sector?
Those responsible for the infrastructure should check their device inventory against the device list provided by ICS-CERT. Note that not all vendors have yet issued statements about their devices. India is currently in the phase of adopting next generation ICS/SCADA systems. The Indian power sector should take this opportunity to test procured systems before deployment. The systems should not just be tested for the Heartbleed bug, but also for future Heartbleed bugs, in other words, the zero-day vulnerabilities waiting to be discovered.
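The answer above asks infrastructure owners to check their device inventory against the ICS-CERT list and notes that not all vendors have issued statements. The following added example, not from the interview or from Codenomicon, shows the version-based triage that goes with such a check: it parses OpenSSL version strings (including the letter suffixes and the 1.0.2 beta) and classifies a small constructed inventory. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) is from the OpenSSL advisory for CVE-2014-0160; the device names, versions and the `vendor_statement` field are constructed.

```python
# Added example (not from the interview): triage a device inventory by the
# OpenSSL version each device reports, while flagging that a version string
# alone is not conclusive (vendors may backport fixes or omit statements).

import re
from typing import List, Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?$")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[str]]]:
    """Parse strings like '1.0.1e', '0.9.8y' or '1.0.2-beta1'.
    Returns None for anything that does not look like an OpenSSL version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def is_heartbleed_affected(version: str) -> Optional[bool]:
    """True/False by version range; None when the string cannot be parsed."""
    parsed = parse_openssl_version(version)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"          # only the first 1.0.2 beta shipped the bug
    return False                        # 1.0.0 and 0.9.8 never had the heartbeat code


def triage_inventory(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Classify each device; the vendor statement field is a constructed
    stand-in for the ICS-CERT/vendor advisory status."""
    results = []
    for device in inventory:
        affected = is_heartbleed_affected(device["openssl"])
        if affected is None:
            status = "review: unrecognised version string"
        elif affected and device.get("vendor_statement") == "backported fix":
            status = "review: affected version but vendor claims backported fix"
        elif affected:
            status = "affected: patch, then replace keys and credentials"
        elif device.get("vendor_statement") is None:
            status = "likely unaffected: confirm with vendor"
        else:
            status = "not affected"
        results.append((device["name"], status))
    return results


# Constructed inventory for the demonstration; not real devices.
SAMPLE_INVENTORY = [
    {"name": "RTU-A", "openssl": "1.0.1e", "vendor_statement": None},
    {"name": "RTU-B", "openssl": "1.0.1g", "vendor_statement": "not affected"},
    {"name": "Meter-C", "openssl": "0.9.8y", "vendor_statement": None},
    {"name": "Gateway-D", "openssl": "1.0.2-beta1", "vendor_statement": None},
    {"name": "PLC-E", "openssl": "unknown", "vendor_statement": None},
    {"name": "HMI-F", "openssl": "1.0.1c", "vendor_statement": "backported fix"},
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
```

Two caveats the code encodes: a device that reports a version inside the affected range but whose vendor claims a backported fix still needs a hands-on check, and a device whose version looks clean but has no vendor statement is only "likely" unaffected, since embedded firmware often bundles libraries in ways the version string does not reveal.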
As critical infrastructure networks switch over to an Internet Protocol based backbone to cut down on costs and improve efficiency, how vulnerable do they become to cyber-attacks?
ICS/SCADA systems utilise protocols that were designed for communication between trusted devices in a closed network with no connection to the outside world. As a result, these protocols contain very little security features, such as encryption. More worryingly, they have never been hardened and, in the rush to improve connectivity of ICS/SCADA networks, many were simply encapsulated in IP wrappers. In other words, nothing was done to modify the actual protocols to answer to the changes in the operation environment. As a result, many critical infrastructures are not only exposed to external attacks, but also extremely vulnerable.
To protect critical infrastructure against cyber-attacks, good practices in network architectures and device maintenance are required. While old devices that are connected with serial bus and other legacy interconnections can remain unpatched for decades, weaknesses in new IP-connected devices can be more easily exploited. Therefore, patches for IP-based devices need to be deployed straight away. Better yet, more vulnerability discovery should be done prior to deployment, reducing the need for patching. Security is a process and practice. Companies need to find the correct processes for mitigating cyber-attacks, such as proactive vulnerability discovery, early patching and network abuse monitoring, and train their staff to carry out these processes in a systematic manner so that they become company practice. Through good processes and practices, mitigating cyber-attacks becomes considerably easier.
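The two answers above make two points: ICS protocols were "simply encapsulated in IP wrappers" with no security features added, and operators need network abuse monitoring as a standing practice. The following added example, not from the interview or from Codenomicon, serves both. It takes Modbus/TCP as a concrete case of such a wrapped protocol (the interview does not name it; the choice is mine): the MBAP header carries a transaction id, protocol id, length and unit id, then the function code, with no field for authentication. Because the protocol cannot tell the monitor who is allowed to write, the detection logic has to rely on network policy: which hosts may issue write function codes, and which function codes are within the expected baseline. Host addresses, frames and the allowlist are constructed for the demonstration.

```python
# Added example (not from the interview): policy-based monitoring of
# Modbus/TCP requests, a protocol whose IP encapsulation adds no
# authentication, so the monitor must enforce who may write and what is normal.

import struct
from typing import Dict, List, Set, Tuple

# Public Modbus function codes used for the baseline (constructed policy).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_mbap(frame: bytes) -> Dict[str, object]:
    """Parse the 7-byte MBAP header plus the function code that follows it.
    Note what is absent: there is no authentication or integrity field."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP frame")
    tid, pid, length, unit, fc = struct.unpack("!HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("unexpected protocol id %d" % pid)
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "function": fc, "data": frame[8:]}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used to construct sample traffic)."""
    body = struct.pack("!BB", unit, fc) + data
    return struct.pack("!HHH", tid, 0, len(body)) + body


def inspect(flows: List[Tuple[str, str, bytes]], write_allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) alerts for malformed frames, writes from
    hosts outside the engineering allowlist, and function codes outside the
    read/write baseline."""
    alerts = []
    for src, dst, frame in flows:
        try:
            req = parse_mbap(frame)
        except ValueError as exc:
            alerts.append((src, dst, "malformed frame: %s" % exc))
            continue
        fc = req["function"]
        if fc in WRITE_FUNCTIONS:
            if src not in write_allowlist:
                alerts.append((src, dst, "%s (FC %d) from host outside write allowlist"
                               % (WRITE_FUNCTIONS[fc], fc)))
        elif fc not in READ_FUNCTIONS:
            alerts.append((src, dst, "function code %d outside baseline" % fc))
    return alerts


# Constructed sample traffic: an HMI reading registers, an engineering
# workstation writing a setpoint, and an unknown host writing a coil and
# sending a diagnostics request. Addresses are not real.
ENGINEERING_HOSTS = {"10.0.1.20"}
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", build_frame(1, 1, 3, struct.pack("!HH", 0, 10))),
    ("10.0.1.20", "10.0.2.5", build_frame(2, 1, 6, struct.pack("!HH", 0x0010, 1))),
    ("10.0.9.77", "10.0.2.5", build_frame(3, 1, 5, struct.pack("!HH", 0x0001, 0xFF00))),
    ("10.0.9.77", "10.0.2.5", build_frame(4, 1, 8, b"\x00\x00")),
    ("10.0.9.78", "10.0.2.5", struct.pack("!HHHBB", 5, 1, 2, 1, 3)),   # protocol id 1
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS, ENGINEERING_HOSTS):
        print(alert)
```

The design choice worth noting is that nothing in the frame itself distinguishes the legitimate write from the unwanted one; only the source address and the operator's knowledge of which stations are engineering hosts does. That is exactly the gap the interview describes, and it is why the answer pairs monitoring with network architecture: the allowlist is only trustworthy if the network design keeps unknown hosts out of the control segment.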
On a whole, how vulnerable are SCADA systems and Programmable Logic Controllers (PLCs) used in the Indian power sector?
A lot of ICS/SCADA systems and devices, including PLCs, were developed a long time ago and they simply were not built to be operated in an environment that is accessible through the Internet. Many systems have never been hardened, meaning these systems have not been subjected to rigorous testing or wider use, which could have helped reveal the weaknesses or mistakes in the code. Now the introduction of IP-based connectivity exposes these vulnerable systems to external attacks.
Hackers are increasingly targeting critical infrastructure around the world. The US ICS-CERT responded to 198 cyber-incidents against critical infrastructures in 2012, while the number of incidents in 2011 was 130 (+52 per cent). The most targeted sector was energy, accounting for 41 per cent of reported events in 2013, followed by water with 15 per cent. India is in the early stages of introducing this new technology, thus the nation is in a great position to adopt good processes and practices to ensure the cyber-security of its next generation ICS/SCADA networks.
How do you objectively measure the current risk level as far as cyber-threats are concerned in an organisation?
Constant security analysis of critical devices is required to understand the weaknesses in infrastructure components. Very few of these devices are analysed or monitored by security scanners. National CERTs can set up focus groups for Industrial Control Systems (ICS) to keep track of the national cyber-security level.
Analysts say that even isolated systems not connected to the Internet in power utilities are vulnerable to cyber-attacks. How does this happen?
Stuxnet was an example of malware that sneaked inside the separated network using USB sticks. Other attack channels could also be possible. People are often the weak link when malware is intentionally introduced to these separated networks.
Are Indian energy sector companies giving due priority to cyber-security?
Yes, Indian energy sector companies are giving due priority to cyber-security. Our interactions have shown that actors across the industry are giving thought to cyber-security considerations. However, now is the time to move from talking and the display of intent to cut through bureaucracy and start implementing the necessary actions.
Other sectors like banking and telecom have more mature and comprehensive security mechanisms. What can the Indian power sector learn from the already-established security infrastructure?
Office PC networks and major services are probably handled quite well in all these industries, but all of them have the same issues with IoT devices and mobile applications. The number of interconnected devices is growing so fast that security assessment techniques are often seriously behind the speed of adopting new technologies.
As the Indian power grid opens up to smaller operators who might not have a full IT support team to back them up, would not these smaller players introduce further vulnerabilities into the system?
Field devices are often handled by a completely different team than the IT support team. Understanding the network architectures when deploying these small embedded devices, and building a process for maintaining them is a new area for many engineers in ICS.
Smart grids and smart metering are radically altering the way power systems operate worldwide. How vulnerable are they to cyber-attacks?
They can be either much more secure than they were in the past, due to rapid maintenance and deployment of latest software updates, or if old maintenance cycles of years of no patching are continued then they can be extremely weak.
As far as global cyber-security regulations for the power sector are concerned, the US follows a voluntary reporting approach for its power sector while the EU has compulsory compliance in place. Which model would be most appropriate for the Indian power sector?
India needs to deploy its own model. In a number of countries, companies only adopt necessary proactive cyber-security approaches once the government mandates it. The Indian power sector is also waiting, either for a mandate, compliance regulation, or just to see how other companies are deploying security. It might be that without government intervention they will wait until a major incident occurs. However, this would be too late. Cyber-security needs to be proactive and the Indian power sector needs to create its own working model to carry out proactive cyber-security. This is not done by copy-pasting from the US but rather by studying their best practices and adapting them to the Indian environment.