How to make critical infrastructure safer—there’s a long way to go
In the run-up to Ars Frontiers, I had the opportunity to talk with Lesley Carhart, director of Incident Response at Dragos. Known on Twitter as @hacks4pancakes, Carhart is a veteran responder to cyber incidents affecting critical infrastructure and has been dealing with the challenges of securing industrial control systems and operational technology (OT) for years. So it seemed appropriate to get her take on what needs to be done to improve the security of critical infrastructure both in industry and government, particularly in the context of what’s going on in Ukraine.
Much of it is not new territory. “Something that we’ve noticed for years in the industrial cybersecurity space is that people from all different organizations, both military and terrorists around the world, have been pre-positioning to do things like sabotage and espionage via computers for years,” Carhart explained. But these sorts of things rarely get attention because they’re not flashy—and as a result, they don’t get attention from those holding the purse strings for investments that might correct them.
As a result, Carhart said, organizations aiming to benefit from the exploitation of industrial technology have spent years “trying to build their capacity so that when a geopolitical situation arose that it would be fruitful for them to do so, [they would] be able to attack infrastructure systems using cyber.”
An example of these capabilities is Pipedream, “a collection of tools that could be used to potentially intrude into industrial control systems and cause an impact to certain types of systems,” Carhart noted. Pipedream was uncovered by security professionals before it could be used to do damage, but it demonstrates that “people are pre-positioning to do things in the future,” Carhart said. “They have learned over the years, and certainly over the last couple of months, that sabotage, espionage, and information operations can be incredibly valuable as an element to traditional warfare… to demoralize enemies, sow confusion and dissent, and also impact the critical services that a civilian population uses while they’re also dealing with an armed conflict.”
Much is being done by people trying to defend industrial networks, and there’s a great deal of work being done to improve the security of industrial systems and prepare for trouble. But, “some industries are much more well-resourced than others” for those tasks, Carhart noted. Municipally owned utilities aren’t on the same footing resource-wise as large corporations with vast cybersecurity resources. The US’s Cybersecurity and Infrastructure Security Agency and other organizations are trying to help provide resources needed by municipal and other smaller utilities. But just how much CISA can do going forward to protect these organizations and other state and local providers of critical infrastructure is an open question.
Operational technology has a much longer life cycle than “normal” IT. We talked about what that means, both from the standpoint of securing existing OT and finding the people to do the critical work to establish and maintain that security. While some improvements are coming to security as Windows 10 makes its way into embedded systems and other OT, Carhart said, “we’ll probably be seeing Windows 10 for another 30 years in those environments”—and along with it, many of the security challenges IT has been facing down for years already.
Listing image by gremlin / Getty Images