In 2010, operators at one of Iran's nuclear facilities were looking at their computers while centrifuges used to enrich uranium spun at 84,600 rpm for roughly 15 minutes. Though the computers indicated everything was normal, the centrifuges were spinning some 34 percent faster than they should have been for that time frame. Unbeknownst to the operators, the plant had been hit with Stuxnet, a sophisticated piece of malcode thought to have been developed jointly by Israel and the United States. A fair number of the centrifuges were likely damaged before the malware initiated the next phase, which began 27 days after the first: slowing the centrifuges from the normal speed of 63,000 rpm to a paltry 120 rpm for 50 minutes before speeding them up again, likely causing more damage. Furthermore, the attack prevented operators from turning the malfunctioning centrifuges off, maximizing the damage. Ultimately, researchers believe as many as one-fifth of Iran’s centrifuges were destroyed as a result of the malware.
One of the most unsettling aspects of the Stuxnet industrial cybersecurity saga is how stealthy the attack was. “You have a guy staring at a screen that says the centrifuges are spinning at a healthy speed and there is nothing going on behind the scenes,” said Eitan Goldstein, director, industrial cyber and digital security at Siemens. “But if he is missing a piece of the puzzle, he [can miss] a cyberattack.”
The situation was similar in the 2015 cyberattack on Ukraine’s power grid, Goldstein said, “where in the first couple hours of the attack, the guys staring at the screens thought everything was OK in those substations.”
While the Stuxnet worm targeted air-gapped machines, the malware still serves as a warning, to the professionals monitoring or controlling heavy machinery in industrial environments, of the type of damage hackers can do to industrial control systems, a threat that is beginning to blur the lines between IT and OT. Attacks like Stuxnet and BlackEnergy, which was a component used in the Ukraine cyberattack, also point to the need to bring together real-time data points with operational data. “What matters for your business is also highly correlated to where hackers are going to go and where you need to place your detection capabilities,” said Leo Simonovich, vice president and global head, industrial cyber and digital security at Siemens. “By leveraging production data, you can use that as an indicator for potential cyberattacks.”
Rob Greer, chief product officer of network security firm ForeScout, also sees a convergence between IT and OT, and explains why that matters for industrial cybersecurity. “Some of our customers who brought us in on the IT side now have the responsibility for OT. They are adapting our platform over the last few years to support passive monitoring,” Greer said. One challenge is that it can be difficult to monitor OT devices as actively as devices in traditional enterprise cybersecurity settings.
Greer also sees a growing need for security monitoring technologies that fuse network security and OT-based production data. “There are technical approaches to address that today,” Greer said, adding that ForeScout has been working on software to help support that objective.
Last year, Siemens commissioned a study with the Ponemon Institute to gauge the state of industrial cybersecurity through the lens of the U.S. oil and gas industry. One of the most telling findings from the research was that 59 percent of respondents believe there is more risk in the OT than the IT environment. In addition, just over two-thirds of those polled stated the risk level to their industrial control systems increased substantially in recent years. Traditionally, however, information technology systems such as the enterprise network were riskier cybersecurity targets than connected industrial systems used for operational processes. In 2011, for instance, the U.S. Industrial Control Systems Cyber Emergency Response Team published research indicating that management systems and human-machine interfaces were the most vulnerable areas in industrial environments. But with increasing digitization of industrial facilities, cyberthreats tend to become more omnipresent, increasing the need to have a holistic view of what is going on within an industrial facility.
“Industrial companies are looking for automated ways to see what is connected and [is] what I am seeing operated and configured the way it should be?” Greer said. “If something is abnormal, they want immediate notification of that.”
Siemens is working with its cybersecurity partners Tenable, PAS and Darktrace on anomaly detection, vulnerability management and asset management, respectively. “We are pulling it all together, correlating it and running analytics on it and helping people understand what is going on,” Goldstein said. “For an operator, being able to make that judgement can enable an operator to decide ‘when I have to wake up my boss in the middle of the night or when can I go to happy hour?’” he added.