July news roundup

There has been no shortage of industrial cybersecurity concerns in the news last month. Particularly noteworthy are the Federal Energy Regulatory Commission’s new CIP standards and the Lloyd’s of London report about the future of our critical infrastructure, including a frightening potential attack scenario. If you missed any of these stories, check out our July news roundup to quickly catch up.

GAO: Military power grid vulnerable to cyberattack (ABC News – July 27, 2015)

United States military bases’ power grids are at risk for cyberattacks according to a new Government Accounting Office report on defense infrastructure. The document concludes that these bases are vulnerable to cyberattacks that could greatly effect operations. Retired Navy captain Joe Bouchard said the problem will eventually be corrected; however, in the interim there will be a lot of opportunities for sophisticated cyberattacks on military bases.

Energy commission looks to strengthen grid’s cyber security (Business Insurance, July 21, 2015)

The Federal Energy Regulatory Commission (FERC) is offering new rules intended to improve the U.S. electric system’s cybersecurity. These standards are intended to address possible threats to communication networks and other electric system assets and will address issues ranging from personnel and training to physical security of the bulk electric system’s cyber systems and information protection.

UK leads critical infrastructure cyber security, but changestill needed (Computer Weekly, July 16, 2015)

A National Grid security manager notes there is a need for real cultural change in the energy sector in terms of security, especially in the U.K. He says the rate of change in technology across the world comes with increasing risks to industrial control and SCADA systems. Additionally, there is an increasing reliance on cyber tools to operate critical infrastructure systems. In combination with physical and cybersecurity concerns, the energy sector needs to mitigate these risks. FERC describes the goal as “a forward-looking, objective-driven standard that encompasses activities in the system development life cycle from research and development, design and manufacturing to acquisition, delivery, integration, operations, retirement and eventual disposal of the equipment and services.”

Stuxnet-style attack on US smart grid could cost government$1 trillion (SC Magazine, July 13, 2015)

According to the recent Lloyd’s “Business Blackout” report, the potential financial loss from a Stuxnet-style attack on the U.S. smart grid could be more than $1 trillion. The report provides a hypothetical scenario in which hackers use a Trojan attack to shut down electricity generation control rooms to create a blackout across 15 U.S. states. While researchers admit this attack is improbable, they do agree that it is technologically possible and would result in huge government and insurance pay-outs, as well as a rise in mortality rates, decline in trade and “general chaos on transport networks.” The Lloyd’s report suggests that these hackers would likely be engineers with the ability to write malware. While the cybersecurity market is still evolving these risks and losses are very much possible.

For a look at other industrial cybersecurity news we find noteworthy, check out our Junenews roundup.

Waterfall/Area 81 team succeeds despite inclement weather on Fourth of July weekend

A short trip away from its headquarters in North Carolina, the Waterfall/Area 81 Racing team traveled to Roebling Road Raceway in Savannah, Ga., for the SECS.

Richard Franklin, driver of car 81, planned to use these races to prepare for October’s SARRC Invitational Challenge Championship race; Tim Pierce, of car 18, planned to do the same for the 2015 Runoffs in September. This boded well for the team on Saturday, as it qualified third and fourth overall. Franklin finished first in SARRC and Tim finished second in SECS.

However, Sunday’s races were cancelled due to unstable weather.

“The whole team weathered the storm and sacrificed its comfort and well-being to get the car to the grid. We would not be successful without these efforts,” said Pierce.

Franklin added, “Hopefully, those who showed up on grid will receive Championship points for their efforts.”

All in all, it was a productive weekend for the team, proving once again that it can continue to capture Championship points among unforeseen circumstances.

The team continues its 2015 racing schedule at Charlotte Motor Speedway for the Daylight-into-Dark Double SARRC/SECS on Aug. 15 and 16. Be sure to stay tuned to www.Area81Racing.com and our Facebook page for updates.

Digital Bond Labs assess FLIP technology’s unidirectional security

Last month, Digital Bond Labs, a cybersecurity lab focused on finding new security and reliability vulnerabilities in control-system components, performed a security assessment of Waterfall’s FLIP product line. We have great confidence in our solutions at Waterfall, and DigitalBond’s testing verified what we were already convinced of, that the FLIP cannot be transformed into a bidirectional communication channel, nor can it be controlled remotely.

The Waterfall FLIP is type of a hardware-enforced unidirectional security gateway. The technology replicates control system servers to IT networks without enabling anything to move in the opposite direction. When needed, the Waterfall FLIP also replicates servers from IT networks to control networks, for as long as is needed. For example, FLIP products are routinely deployed to replicate historian data out of control system networks nearly continuously, and reverse orientation several times per day so that the FLIP software can fetch anti-virus and other security updates and transmit them to the control system.

Digital Bond’s findings were in line with Waterfalls marketing message for FLIP, stating that:

• It could find no way to transform the FLIP into an interactive bidirectional channel, and that “the FLIP is always a one-way system.”
• IT could find no way to remotely control the FLIP mechanism that reverses direction from either the “inside” or “outside” networks.

Digital Bond concluded that, since the FLIP is unidirectional at all times, and the direction cannot be remotely controlled, “the FLIP is a much stronger security mechanism than a firewall.” Digital Bond Labs’ researchers also concluded that the FLIP “provides a defensive advantage versus. traditional thumb drive data transfers” because the FLIP “provides a single entry point to the control system network that can be hardened and monitored versus thumb drive transfer, which introduces a risk of infection to every system that the thumb drive is connected to.”

Unidirectional security gateways prevent IT security issues from weakening operational technology (OT) security. The verification from Digital Bond Labs serves as assurance that Waterfall solutions are capable of protecting reliability-critical systems and process equipment from security threats. Cyberattacks aimed at control systems have much greater potential consequences than attacks on IT systems. Unidirectional security gateways stop IT network attacks from becoming OT problems.

Waterfall also has FLIP technology solutions for Substations. Learn more on our product page.

June news roundup: How safe is the U.S. power grid?

Are the U.S. power grid and other critical infrastructures safe from cyberattacks? According to recent news and research, the answer is no. Reliance on the power grid is increasing, as are the threats that plague it. Read the latest on the risks to U.S. critical infrastructure below in this month’s news roundup.

A Critical Threat (SC Magazine UK, June 30)

Attacks to Iran’s nuclear plants and last year’s attack on a German steel mill prove the level of damage that can be done with little effort. Critical infrastructure can easily be penetrated; therefore, SCADA devices that aren’t secure are causing growing concern. These threats are fueling global legislation.

Power Grid Vulnerable To Cyber Attack, Former Defense Secretary Says (Inquisitr, June 30)

According to former Secretary of Defense William Cohen, the U.S. power grid is becoming increasingly vulnerable to terrorist attacks. These attacks, he stresses, are likely to be cyberattacks, which have the capability to completely shut down the power grid. Furthermore, the American Society of Civil Engineers (ASCE) did a formal review of the U.S. power grid, which resulted in a barely passing grade of D+. This grading shows that U.S. critical infrastructure is in poor condition with a strong risk of failure. That being said, there is not enough attention or funds dedicated to secure the power grid.

Industrial Control System Breaches Rising, Says New Report (ITWorldCanada, June 25)

Attacks on industrial control systems and SCADA systems are increasing at a rapid rate. According to a recent survey by the SANS Institute, more than 30 percent of respondents said their organizations’ control systems have been breached. Of those, 17 percent acknowledged six or more breaches so far this year alone.

Ex-CIA Director: U.S. Wide Open to Grid Attack (WND, June 21)

Has the Obama administration done enough to protect the U.S. power grid? A former CIA director says no. According to R. James Woolsey, the country has done a poor job protecting the critical infrastructure that includes the Internet and the power grid. He proposes a few reasons as to why security has not been a high priority in the U.S., including the administration’s lack of focus on this issue. He says that the U.S. power grid has 18 critical infrastructures, with 17 of them relying on electricity. If the entire power grid is hacked, so many things are at risk: food, water and even lives.

Will America’s Power Stay On? (Homeland Security Today, June 13)

Aside from the risk of cyberattacks, security and energy experts are also warning that the U.S. power grid is equally vulnerable to natural factors that could result in outages across the country. According to a recent Johns Hopkins University study, there are shortcomings across all 50 states, such as variations of standards and lack of accountability at the national level. The report states that these shortcomings, if not addressed soon, could be exposed on a much larger scale. The North American Electric Reliability Corporation (NERC) has failed to produce enforceable standards and, as a result, outages will likely occur.

Want more critical infrastructure news? Read last month’s news roundup

May news roundup

Every day, the need for effective cybersecurity becomes apparent across new global sectors. Whether in the energy industry, power grids or critical infrastructure, it is clear that industrial cybersecurity is essential to an international audience. We’ve got the latest on this growing theme in this month’s news roundup. 

Water and wastewater utilities at high risk of cyberattack (Water Online, May 26, 2015)

Federal cybersecurity experts are finding more and more vulnerabilities in control system components. Of the 245 cyberthreat-related incidents last year, 14 came from the water sector. Water utilities are bringing in an increasing amount of attention from the Homeland Security Department. According to a survey by the Ponemon Institute, nearly 70 percent of critical infrastructure companies suffered a security breach in the last year. Moreover, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has said that the number of vulnerability reports for industrial control systems increased more than 15 percent in the last year.

Ensuring pipeline physical and cyber security (Plant Engineering, May 20, 2015)

Production of oil and natural gas in the United States and Canada is much higher than ever before. However, an increase in gas production means a denser network of pipelines, inviting more cyberattacks. The U.S. has more than 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines and 2.15 million miles of natural gas distribution pipelines, which are all sensitive to impending threats. While there have not been reports of pipeline attacks in the U.S., the number of international attacks is growing.

Africa's critical infrastructure vulnerable to attack (IT Web, May 14, 2015)

According to Yusuph Kileo, cybersecurity and digital forensics investigation expert, Africa’s greatest security threat is to its critical infrastructure due to several factors. For instance, because of their lack of knowledge in the field, decision makers in Africa do not consider cyberthreats a priority. There is also a lack of collaboration and few laws to protect the continent against cyberattacks, especially those to its critical infrastructures.

Iran rapidly building cyber warfare capabilities (Free Beacon, May 12, 2015)

According to a new report by the State Department, recent research suggests Iran may have intentions to use its cyberforce to attack global critical infrastructure. Hackers in Iran have been the culprits of multiple attacks to the private sector, including energy and power firms.

Utility, security experts warn of mounting threat to grid (Capital New York, May 7, 2015)

During a panel discussion at the Independent Power Producers of New York conference, security experts discussed cyber and physical vulnerabilities in the energy sector. The U.S. power grid is the most complex risk landscape, so says William Flynn, former Homeland Security principal deputy assistant secretary for infrastructure security. Threats to the U.S. power grid include domestic and overseas acts of terrorism.

Interested in learning more about international industrial security? Read more in last month’s news roundup.