Securing America’s Connected Infrastructure Can’t Wait
Electrical grid blackouts, traffic light malfunctions, air traffic control failures, production plants gone haywire — for a while, such events were merely the stuff of Hollywood fantasy. But today, that is no longer the case. Industrial control systems, which command infrastructure and manufacturing processes in plants, traffic systems, and electrical grids, are increasingly “coming online” to interact with networks of small sensors and devices known as the “Internet of Things.” Together, these smaller devices and larger industrial systems form what specialists call the “Industrial Internet of Things,” and its vulnerability poses an enormous risk to national security. While cyber attacks on non-internet-connected critical infrastructure — like Stuxnet — required malicious code to be manually transferred to the victim device, hackers can now launch attacks on infrastructure remotely.
The new U.S. National Cyber Strategy states, “[W]e are vulnerable to peacetime cyber attacks against critical infrastructure,” adding that advanced adversaries “could cause large-scale or long-duration disruptions to critical infrastructure.” Commercial standards — rules and requirements that establish uniform engineering or technical criteria — are underdeveloped for the systems comprising the Industrial Internet of Things. Developing these standards will likely take years.
The federal government can impose standards for federal infrastructure, but it has no regulatory authority to impose any standards on the privately owned critical infrastructure that underpins the vast majority of American society. To overcome this lack of security standards, private entities — whose vulnerable systems can have direct impacts on national security — should adopt the risk-based cybersecurity frameworks that the federal government employs to address this very issue.
Threats to the Internet of Things
In 2015, then-Director of National Intelligence James Clapper testified that “rather than a ‘Cyber Armageddon’ scenario that debilitates the entire U.S. infrastructure,” the intelligence community foresaw “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
It seems the prediction is being borne out. In October 2016, Mirai malware impacted large portions of the internet, launching a distributed denial of service attack that exploited security weaknesses in devices like home routers, webcams, and DVR systems. The result was a coordinated flood of web traffic that overwhelmed internet services along the east coast — and while it didn’t compromise industrial systems, it provided a glimpse into the dangers of insecure Internet of Things devices. Then, in August 2017, hackers remotely broke into a workstation at a Saudi Arabian petrochemical plant and triggered equipment malfunctions.
The threat of hacking old infrastructure systems through new internet-connected devices is real and serious. Power grids could be turned off, as they were in Ukraine. Industrial processes could be sabotaged, as happened in Iran. Traffic lights could be manipulated to jam roads and reroute cars, as demonstrated in the United States. Private entities that own internet-connected critical infrastructure need to aggressively secure their systems.
Recent survey data predict there will be tens of billions of personal Internet of Things devices and over two billion Industrial Internet of Things devices by 2023. CyberX’s 2017 assessment of hundreds of industrial networks across the United States, Europe, and the Asia-Pacific found that one-third of such systems are linked to the public internet, often with inadequate passwords. In Fiscal Year 2015, the federal government spent almost $9 billion on Internet of Things systems, spending that will certainly include connected devices deployed in infrastructure. And many other connected infrastructure systems continue to be privately owned and lie outside the government’s control.
Maj. Gen. (Ret.) Patricia Frost, former deputy commanding general of U.S. Army Cyber Command, recently underscored the risk to critical infrastructure. “I am gravely concerned that our public and private industries underestimate the intent and capabilities of our adversaries,” she said, “and their operational risk grows exponentially with the rapid expansion in the IoT. Every industry and organization should not move forward without an in-depth digital roadmap focused on risk valuation.”
More Diverse, More Connected, and More Difficult to Secure
Securing digitally connected infrastructure systems is more challenging than traditional network security. For conventional information technology, devices of a single type tend to have similar capabilities. Most laptops, for instance, have similar data storage, processing, and network interface capabilities. This makes it easy to purchase security software and configure uniform settings on everyone’s computer. But with industrial control systems, security researchers may have to use different software and security settings for each individual device, such as different types of road pressure sensors — greatly complicating the process of protecting the devices. In other words, device variability makes security more difficult.
To make matters worse, connected devices typically possess weak or no encryption, have weak default passwords, and ignore other common-sense security features — leading many to call these devices insecure by default. These devices also operate with minimal or no privacy protections, constantly collecting, analyzing, and communicating data to other connected devices, central servers, and computers that may perform further data processing and aggregation.
The overall “attack surface” significantly increases when these connected devices are combined with older, industrial systems that themselves have terrible security. Researchers have shown how easy it is to hack a traffic control system. Oil and gas pipelines are also vulnerable, whether through phishing attacks or through enterprise resource planning systems. Attacks against industrial control systems are on the rise, and the sheer number of Internet of Things devices connected to these systems gives adversaries many possible routes of attack.
Standards? What Standards?
To address these threats, system owners would typically turn to standards — basic specifications for how devices should operate. Standards make cybersecurity easier because they establish a clear baseline from which to judge the security of a system, acting as a rulebook for how to configure technology. U.S. government systems, such as the Department of Defense’s networks, are already secured based on standards, many of which are developed by the National Institute of Standards and Technology (NIST), part of the Department of Commerce, under its Special Publication 800 series for cybersecurity.
U.S. government standards are hyper-specific, setting baselines with which federal agencies should manage the security and data privacy of their information technology systems. For instance, a standard might specify the exact type of encryption for protecting data in a server or exactly how users should log into a system remotely.
To date, however, there are no dedicated federal standards for security and privacy of government Industrial Internet of Things devices. Beyond the government, the National Telecommunications & Information Administration catalogued existing Internet of Things security standards from over 30 private companies, international consortiums, and professional associations, similarly finding many disparate security recommendations but not a single security standard for connected devices. These devices have such a short concept-to-market timeline that industry organizations lack specific technical standards for them as well.
NIST is in the process of developing best-practice cybersecurity and data privacy settings specific to connected industrial processes. But standards require many technical trade-offs and will therefore take years to develop. Furthermore, given the rapid advancement of technology and devices, standards could be obsolete by the time they’re released. The absence of standards for both the Internet of Things and the Industrial Internet of Things — coupled with default insecurity and the complexities of an internet-connected environment — leaves federal agencies and companies in limbo when confronted with the likes of an electrical grid substation that wants to use an internet-connected network of sensors.
In the absence of clear standards, at least for now, federal agencies are considering risk-based cybersecurity frameworks, also developed by NIST, as a viable interim step to help make industrial systems more secure. Instead of a “laundry list” of standards that organizations should follow, risk-based cybersecurity frameworks examine the likelihood and impact of any potential cyber incident. Private entities that control connected infrastructure systems should turn to these frameworks as well. As Andrew Grotto recently wrote for War on the Rocks, there is a public and private need for “a comprehensive, enterprise-wide plan for managing cybersecurity risks” in smart infrastructure.
The Temporary Alternative: Risk Management Frameworks
When it comes to something like a cyber attack against an industrial facility, which could occur through any number of vectors and originate from any number of actors, it’s impossible to stop absolutely everything. Knowing what to prioritize makes the difference between a strong defense and a mediocre one. Risk management does just that.
People, processes, and technology are the three major vectors that introduce risk into a system. Internal risks may come from the likes of negligent employees, insider threats, or poor cyber hygiene policies (e.g., not requiring multi-factor authentication). External risks may include technical vulnerabilities, poor security of third-party vendor devices, and foreign and domestic actors who target systems. This is especially true for internet-connected infrastructure.
Risk management frameworks identify the likelihood and impact of a given event, such as a distributed denial of service attack or a device takeover by ransomware. Rather than providing a predefined, fixed-length list of compliance points, risk management constructs can account for many variables tailored to an individual organization’s needs. In the absence of clear security standards, federal agencies and private corporations responsible for securing internet-connected infrastructure can make use of these frameworks (also developed by NIST) right away.
NIST’s draft organizational security framework develops a common language for organizations to talk about their Industrial Internet of Things security policies. What security mechanisms are currently in place? What does available threat data tell us about potential hackers? How likely are those threats to pan out, and how severe are their potential impacts? While standards apply uniformly (hence the word “standard”), this risk framework is strongly contextual — ideal for the variability in connected industrial systems.
Extending the NIST Cybersecurity Framework to the Internet of Things
In late September, a NIST report recommended that federal agencies use a risk management framework to accept, avoid, mitigate, share, or transfer the risks associated with connected devices. The document proposes a simple three-step process: understand the device risk; adjust organizational processes and policies to address the risk; and mitigate against any fallout not prevented in the second step. Working together to accelerate adoption of this framework would allow federal agencies and private corporations to select the approach that best fits their needs and implement safeguards based on that — without waiting on the slow process of standards development. This would also support policy cohesion: Agencies and companies could collectively develop coherent policies on how to secure these systems, which, as Grotto suggested, could be coupled with reports to government on infrastructure security to further ensure cohesion.
Adapting risk-based cybersecurity frameworks is crucial for addressing threats to infrastructure systems that are vulnerable to hacking. Of course, other elements must be included in an overall strategy: Federal agencies and industry organizations would still benefit from collaborative standards development, and — as one of us recently argued — policymakers should include minimum cybersecurity and data privacy standards in any contracts with private entities selling Internet of Things technology to the government. Coherent policymaking across federal chief information officers would help bolster Internet of Things security, as we wrote in August. Megan Stifel, former director of international cyber policy on the National Security Council, has discussed the value of a “sustainability” metaphor in approaching Internet of Things security challenges, in which each actor’s responsibilities for protecting the ecosystem are clear. Robust education across federal agencies and the nation writ large is also needed.
Those who control Industrial Internet of Things systems cannot let the perfect be the enemy of the good. Standards for these devices and systems are currently nonexistent and will likely take years to be developed. NIST’s recommendation to adapt risk-based cybersecurity frameworks is a necessary interim step forward that should be adopted by federal agencies and private corporations alike.
Deb Crawford is an executive at the National Security Agency and a research technical lead at the Laboratory for Analytic Sciences. Justin Sherman is a junior at Duke University, a Cyber Policy Researcher at the Laboratory for Analytic Sciences, and a Cybersecurity Policy Fellow at New America.
The views expressed here are their own, and do not necessarily reflect those of the United States Government or the United States Department of Defense.
Image: Bill Smith