It was an event long predicted but when it finally happened security watchers were still taken aback.
On 23 December 2015, three Ukrainian power companies suffered an unexpected, near-simultaneous power outage that left at least 225,000 people without electricity just before Christmas, a bitterly cold time of the year.
The incident affecting 30 sub-stations was bad enough but it quickly emerged that this was no technical glitch and had been caused by a carefully planned cyberattack. Someone had gained remote access to the stations’ industrial control system (ICS), seeding key systems with malware and even slowing emergency response by disrupting the ability to use backup power.
If a red line was crossed on that day, whose job is it to worry about the implications? In the case of the electricity grid, responsibility falls to power companies, regulators, and governments, but also to security vendors whose job it is to develop better protection technologies.
Tripwire is a company that finds itself right in the middle of this emerging industrial security market. The company has a history in configuration management, expanding through acquisitions such as that of nCircle in 2013 before being bought a year later by cabling giant Belden, which had also bought itself into industrial control.
A key mover at the company is Rekha Shenoy, who heads up marketing at Tripwire, which she joined ten years ago, while also looking after Belden’s industrial cybersecurity business.
“At the time, it was a small company looking for the next big thing. It’s funny how in some respects ten years later we are a larger company looking for the next big thing,” she says, a reference to Tripwire’s growing presence in industrial cybersecurity.
Belden, meanwhile, has been on an even longer journey. “Its first customer was Thomas Edison,” she muses, a world away from its new customer base among power companies buying industrial networking and control – or perhaps not.
In hindsight, the pairing looks like a collision foretold. “Tripwire started seeing a lot of inbound interest from utilities. They had blackouts and brownouts they weren’t convinced were just power outages – there was malicious intent,” she says without naming names. Belden’s acquisition put it in the heart of that sector.
“I would go out there and talk to these customers and really bad things were happening. They were finding out about a breach when the Department of Homeland Security knocked on their door.”
Suddenly, the sector was getting ransom letters. Industrial control – the gamut of SCADA systems in power companies but also water management – was under attack.
“These aren’t theoretical risks, they are actually happening.”
These sectors couldn’t just abandon remote interfaces that have spread across a vast complex of facilities and systems, but needed some way to secure them from attacks not foreseen when they were first designed and installed.
“Electrical engineers measure their success by the ability to keep everything up and running. But the IT security guy shows up and measures success by confidentiality. They’re in opposition to each other.”
New systems, including the best Internet of Things devices, can have security “baked in” from the start but applying this to legacy equipment represents a massive challenge, says Shenoy.
“That’s where we, Belden and Tripwire, find ourselves. We’re helping our customers with what’s already there.”
A common misconception is that SCADA is a special case when in fact it must deal with the same LAN and PC security issues affecting any network.
“On the back end of this is probably a SCADA workstation. To an IT security team, this is a Windows machine but they didn’t buy it from Dell or HP, they bought it from GE, or Schneider Electric, or Schweitzer.”
Smart cities
The effect of attacks on a city power or water system would be bad enough but, as embedded and IoT technology spreads, it’s now just as likely the target could be the cities themselves.
A recent Tripwire survey estimated the market for smart city technology to have reached $37 billion (£30 billion), just as pessimism about securing it among professionals in the sector has surged. Seventy-eight percent of the 200 surveyed by the company said they believed that a cyberattack against the systems that underpin smart city systems was imminent. An almost identical percentage believed this would be capable of causing physical damage, with transportation a choice target.
Separating fact from fiction can be hard in a cybersecurity field full of lurid predictions but it’s not an idle worry. Smart systems are being integrated into almost all new transport infrastructure with the possibility of automated buses and trains not far off in some countries. The potential for trouble at almost every level is clear.
“Cities get smarter every day. If you look at China, they are smart from the ground up. This new technology is coming in in bits and pieces.”
But according to Shenoy, smart city cybersecurity is still seen as an optional insurance policy.
“More and more people are waking up to the risk but they’re not funding it yet. Countries spend money on cyberdefence but what they’re using it for is intelligence.”
This leads to an odd world where billions can be invested in cyber defence but very unevenly.
“We spend money to protect our physical borders – land, sea, air and space – so what about cyber?”
She predicts that the definition of critical infrastructure will start to change rapidly. An example of this will be the re-categorisation of cybersecurity to embrace ideas about safety as well as resilience. Shenoy calls these “safety dollars” which, with lives potentially at stake, is another way to look at cybersecurity investment in utilities and smart cities alike.
With a long road ahead, it won’t be easy. Pressure from a still disengaged public will eventually speed change.
“They are all going to go kicking and screaming.”