Insights | April 13, 2023

Safeguarding The Integrity And Security Of Critical Infrastructure

On April 13, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a critical infrastructure alert on its National Cyber Awareness System titled “Advanced Persistent Threat (APT) Cyber Tools Targeting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Devices”.[1] This joint Cybersecurity Advisory, released by CISA, the Department of Energy, the National Security Agency, and the Federal Bureau of Investigation, warns that certain ICS and SCADA devices, crucial components of critical infrastructure, are susceptible to takeover by APT actors, a matter of concern for all of us. This is not the first alert of its kind, and it is safe to assume that it won’t be the last. As we approach the one-year mark since the publication of this alert, it raises the question: have we made progress in preventing, responding to, and recovering from risks to ICS?

The Vulnerabilities of Automated Control Systems

SCADA, an acronym for Supervisory Control and Data Acquisition, plays a crucial role in industrial processing. These control systems enable facilities to monitor and interact with their computer systems and equipment. However, like most online systems, SCADA faces numerous cyber risk challenges. Mitigating these risks requires constant vigilance and adaptation.

In the digital age, the public and private sectors have realized that cyber systems are vulnerable to attacks and must be protected. The dynamic nature of the cyber threat landscape has put critical infrastructure and manufacturing sectors under immense pressure. These sectors serve as gateways to millions of lives and therefore require closer monitoring, stricter practices, and consideration of the intentions of Advanced Persistent Threat (APT) actors concerning automated control systems.

Automated control systems are essential for modern living. They enable factories to manufacture goods more efficiently, meet customer demands, employ safer manufacturing methods, and reduce costs. However, they also pose significant vulnerabilities. Cyber threats targeting automated controls in manufacturing plants and critical infrastructure, such as national water treatment systems, oil and gas pipelines, and the electrical grid, don’t just impact the facilities themselves but also jeopardize the well-being of millions of citizens who depend on their reliable operation. Safeguarding our water supply, for instance, relies on precise control of chlorine and other cleaning agents through automated control systems. If a malicious actor successfully launches a cyber attack on these systems, they could manipulate chemical levels and cause significant harm to millions of lives.

Real-Life Examples of Attacks on Critical Infrastructure

In February 2021, hackers breached the water-treatment system at a Florida water treatment facility and attempted to raise the level of sodium hydroxide from 100 parts per million to 11,100. Sodium hydroxide is a chemical that is used to control water acidity at safe and regulated levels but becomes poisonous at the high levels the hackers tried to set.[2] A more recent and well-known example is the cyber-attack carried out on the Colonial Pipeline by malicious actors in May 2021. Though primarily a ransomware attack, the perpetrators targeted Colonial Pipeline’s control systems that managed gasoline output.[3] The attack against Colonial’s online systems caused massive gasoline shortages across the entire East Coast and demonstrated that our critical infrastructure is prone to hacks. Why is it complicated to prevent such breaches to automated systems?
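The Florida incident turned on a single out-of-band setpoint write (100 ppm to 11,100 ppm). One compensating control a defender can put in front of a legacy controller that cannot be patched is a setpoint-change guard that checks every HMI write against a per-tag safe band and a maximum step size before it reaches the process. The following is an added illustration, not code from the article or from any facility; the tag names, limits and audit-trail events are constructed placeholders, not real plant configuration.

```python
"""Setpoint-change guard for a SCADA/HMI audit trail (added example, hypothetical values).

The limits and events below are constructed for illustration; the safe
operating band for each tag is a placeholder, not any real facility's configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float        # lowest setpoint the process should ever be given
    high: float       # highest setpoint the process should ever be given
    max_step: float   # largest change allowed in a single operator action


# Hypothetical limits for two chemical-dosing tags (constructed, not from a real plant).
LIMITS = {
    "NaOH_dose_ppm": TagLimits(low=50.0, high=150.0, max_step=20.0),
    "Cl2_dose_ppm": TagLimits(low=0.5, high=4.0, max_step=0.5),
}


def evaluate_setpoint_change(tag, old, new, limits=LIMITS):
    """Return the reasons a change should be blocked and alarmed; an empty list means allow.

    A tag with no configured limits is treated as a failure (fail closed), since an
    unknown tag being written from the HMI is itself worth an operator's attention.
    """
    lim = limits.get(tag)
    if lim is None:
        return [f"unknown tag {tag!r}: no limits configured"]
    reasons = []
    if not (lim.low <= new <= lim.high):
        reasons.append(f"new value {new} outside safe band [{lim.low}, {lim.high}]")
    if abs(new - old) > lim.max_step:
        reasons.append(f"step of {abs(new - old)} exceeds max_step {lim.max_step}")
    return reasons


# Constructed audit-trail events: (timestamp, tag, old setpoint, new setpoint).
# The second event mirrors the 100 -> 11,100 ppm write described in the article.
SAMPLE_EVENTS = [
    ("2021-02-05T13:02:11", "NaOH_dose_ppm", 100.0, 105.0),
    ("2021-02-05T13:30:40", "NaOH_dose_ppm", 100.0, 11100.0),
    ("2021-02-05T13:31:02", "Cl2_dose_ppm", 2.0, 2.2),
    ("2021-02-05T13:45:00", "pH_setpoint", 7.2, 7.4),
]


def audit(events, limits=LIMITS):
    """Run the guard over an audit trail and return (timestamp, tag, reasons) for each failure."""
    alarms = []
    for ts, tag, old, new in events:
        reasons = evaluate_setpoint_change(tag, old, new, limits)
        if reasons:
            alarms.append((ts, tag, reasons))
    return alarms


if __name__ == "__main__":
    for ts, tag, reasons in audit(SAMPLE_EVENTS):
        print(f"ALARM {ts} {tag}: " + "; ".join(reasons))
```

The guard is deliberately simple: it does not need to understand the controller's protocol or be installed on the legacy device, only to sit where setpoint writes can be inspected (an HMI plugin, a protocol-aware proxy, or an audit-log monitor that raises an alarm after the fact). Both the absolute band and the step limit matter; the step limit catches a large jump even when the band is configured too generously.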

Challenges in Preventing Breaches to Automated Systems

According to sources such as Cyber Magazine and Trend Micro,[4] one reason that preventing breaches in automated industrial control systems is difficult is the automated technology behind the majority of these systems.[5] Manufacturing systems, in particular, pose a significant challenge in this regard. According to the cybersecurity consulting firm Performanta, while these systems perform their intended functions effectively, updating manufacturing systems carries inherent risks.[6] Consequently, a large portion of these systems remains outdated, leaving them vulnerable to cyber attacks that could result in devastating and potentially fatal consequences.[7] The engineers who developed these automated systems could not have anticipated the current threat landscape. The issues stem from the core design and the programs essential for system operations, which are difficult to replace or rewrite.

Attempts to revise legacy programming to better protect against current cyber threats may be incompatible, overly complicated, or even damaging to the system’s entire network. The highly expensive option of replacing existing systems in working condition with more modern alternatives is an unpopular choice and, in some cases, not viable due to the lack of new technologies and processes within the sector. How do we mitigate the cyber risks associated with these systems?

The Role of OTHSolutions and CISA in Safeguarding Critical Infrastructure

OTHSolutions provides consulting and contract support to federal agencies with the mission of identifying and mitigating cyber and infrastructure risks. One of our largest clients is CISA at the Department of Homeland Security (DHS). Read about how we support CISA here. CISA leads several important programs, among which the Chemical Facility Anti-Terrorism Standards (CFATS) program holds great significance. This program regulates facilities that handle chemicals that can potentially be diverted or manipulated for use in attacks. The CFATS program adopts a risk-based performance standard and places strong emphasis on cybersecurity and cyber hygiene within the sector, which heavily relies on SCADA systems. To promote better cyber hygiene, CISA offers relevant considerations, impacts, and best practices for users, which can be accessed here.[8]