Penetration testing is one of the practices that energy industry companies must employ to improve their overall IT security standing.

Much has been written and said in recent months about the need for the United States energy sector to radically improve its overall approach to IT security. Risk management and assessment have to evolve in order to mitigate the threats posed by cyber-space. Specifically, in a letter authored in April 2009, Michael Assante, chief security officer for the North American Electric Reliability Corp. (NERC), which oversees the resiliency of the entire U.S. energy grid, called out stakeholders across the sector for failing to adequately meet the requirements of IT security standards that his organization had already introduced.

Assante, who sat with me on a panel on infrastructure security at this year’s RSA Security Conference, asked his constituents to begin moving far more quickly and comprehensively to meet the controls and best practices required under NERC’s Critical Infrastructure Protection (CIP) regulations. The CSO essentially said in his missive that affected organizations have been doing the bare minimum to comply with NERC CIP, rather than truly embracing the underlying spirit of the mandate. Mr. Assante challenged stakeholders to assess the likelihood of remote manipulation of critical assets via the internet. Shortly thereafter, a Wall Street Journal investigative piece reported that overseas hackers had successfully established a foothold inside the IT systems supporting the U.S. electrical grid for years before ever being discovered. Through this activity, the larger public finally became aware of the pressing issue that many in-the-know security advocates had been raising for a long time, and as a result it seems that we have finally entered the era of change needed to improve protection of these critical assets so important to American stability.

The Threat

The U.S. electrical grid has long maintained an acceptable level of engineered resilience in the physical sense, but the continued introduction of IT-based control systems, in particular Supervisory Control And Data Acquisition (SCADA) technologies that feature IP-based network connections, or which can be configured to connect with such networks, has introduced an entirely new and hazardous opportunity for remote cyber-attacks to be carried out against our power infrastructure. The business continuity and resiliency movement following 9/11 has weakened the cyber-security posture of these critical infrastructures: remote backup data centers, an increase in remote users and the use of wireless technologies have dramatically increased the number of avenues by which hackers can now access these once closed systems.

When one discusses the various breeds of cyber-threats that might affect the grid, the most common perception is that denial-of-service attacks are the biggest concern, but that type of threat, while ominous, is arguably superseded by the potential for attacks that could turn infrastructure control systems against themselves and cause irreparable physical damage to equipment. In today’s integrated environment, this is a realistic scenario if attackers can gain access to the right systems, because many of the energy industry’s safety systems have become digital and remotely accessible, which means that an adversary could modify the grid’s safety parameters in such a way as to cause harm. With today’s heavy reliance on user-friendly Graphical User Interfaces (GUIs), an adversary might not even need to be fully versed in the intricacies of the targeted control system. In addition to a lack of integrated safety mechanisms, most common control systems have detailed public documentation, and in some cases simulators and test sets, that make it easy for an adversary to become knowledgeable enough to carry out a sophisticated attack.

In addition, as shown by Core Security’s own work in the field of SCADA security research, many vendors of these technologies have not developed the same security response mechanisms seen in the world of mainstream IT, leaving customers exposed to potential attacks even after flaws are identified and reported publicly. All of the scenarios I’ve described are not only plausible but realistic given the nature of today’s dependence on IT systems and the rise of international cyber-crime and cyber-espionage. This is why the time for action must be now.

A Solution

While there may be a number of different opinions regarding the most effective manner of helping the organizations supporting our critical electrical grid to rapidly advance their security standing, my argument would be that no process or technology at our disposal has greater promise than automated penetration testing. In addition to helping energy organizations meet a range of existing elements of NERC CIP and FERC guidance, products such as Core Security’s CORE IMPACT Pro pen testing software give energy providers the most realistic method of assessing precisely how their IT systems and security controls will stand up in the face of real-world threats. By emulating the same types of behavior one can expect from our cyber-enemies, grid providers can use these self-assessments to rapidly obtain vital information about where their most dangerous risks reside. If organizations in the energy space are truly serious about meeting their existing mandate from industry regulators, including FERC, to improve IT security, and want to understand the most effective manner of rapidly improving their ability to prevent attacks, they must take on the role of an outsider and actively probe their own weaknesses to prioritize risks. Understanding how these systems can be manipulated by remote adversaries is paramount to managing operational risk in today’s hostile digital world. Failing to do so could result in catastrophic events that interrupt our economy and overall way of life.