Cyber-Physical Attack: Testing SCADA security

Sheriff
Hi Luis,

I was browsing through the book preview on Amazon and quickly realized what the book refers to as Cyber-Physical attacks. The company I work for has a group that deals primarily with SCADA-related products and services and I've heard it mentioned in passing over the years. Most people's exposure and awareness to things like this come mostly from what they see in the movies like Bruce Willis' "Die Hard 15" or whatever variation of the title that movie had that co-starred Justin Long, with Timothy Olyphant and Maggie Q as the antagonist cyber-physical terrorists/blackmailers. I'm sure reality is far from what's depicted in those movies. On the other hand, life soon catches up to fantasy so I guess we'll never know how long it will be before those kinds of scenarios will be possible at the kind of scale that the folks in Hollywood like to relieve us of our money with.

Anyway, I was wondering if, from a testing point of view, there were any unique problems with testing the robustness and readiness of the response to cyber-physical attacks. I mean it's not like everybody can afford to have an entire regional grid that's isolated from the "production" grid on which to try things out, right? What kind of challenges does having to test in production most of the time present? Of course, in my ignorance, that's what I assume happens. If not, then how do you test to scale? Hypotheticals and projections are fine but everybody knows even the best laid plans seldom survive first contact with the enemy. With the advent of IoT and the ubiquity of connectivity in almost everything, including the kitchen sink, how do security professionals even keep up with all the advancements in the field? The recent DDoS attacks involving connected devices like Home DVRs (and maybe even some refrigerators and toasters? Just rumors?) are just the beginning, I'm afraid. Is this a losing battle from the start?

Sorry for asking so many questions in one post. Feel free to pick out just the ones you feel most strongly about. I'll give you a chance to respond a little before my next barrage of questions.
Author
First of all, in my job before I retired from the Defense Intelligence Agency, I was focused primarily on how to keep individual buildings secure from cyber-physical attack, not the entire Northeast U.S.  So, I can't really address cyber-security from a Macro level.  Don't think that what you are talking about is a stretch.  The Chinese have demonstrated their ability to disrupt things and from what I read in the papers, the North Koreans are spending 20 percent of their military budget on cyber.

The only thing keeping other countries from launching attacks is the fact that the U.S. would counter-attack.  I believe a U.S. counter-attack would be scaled based on the severity of the incursion.  As far as criminals and individual hackers, I don't think many would have the expertise to launch a devastating cyber-physical attack anytime soon.

Luis Ayala
Junilu Lacar
Sheriff
So I take it that the book's discussion is primarily at the individual building perspective as well. I think some of my original questions still apply though. What are the challenges you face in testing your defenses and responses? Aside from testing in real-time "production" and having regular scheduled/unscheduled disruptions like most buildings have when they conduct fire drills and emergency response drills, how do you approach testing the security plans in a manner and environment that's as close to "the real thing" as possible without having to learn too many lessons from the real thing if, God forbid, it actually happens?
Luis Ayala
Author
I can't really say much about how we tested buildings where I worked but I highly recommend that facility maintenance staff perform Black Start outages periodically to test the robustness of their recovery procedures.  You are correct that battle plans fall to the wayside the minute the shooting starts.  I have seen relatively minor details cause what were considered foolproof recovery systems to not work properly.  For instance, when one vendor installed a software update to the Building Controls System at Three Mile Island, that caused a major headache, as you probably recall.

It's always a good idea to perform a test like this when you have a regularly scheduled outage such as for periodic scheduled maintenance or when replacing a major piece of equipment.  Shutting down all systems is very rare for critical facilities so that may only be once a year, but should be enough time if you plan properly.

Lou Ayala
Junilu Lacar
Sheriff
So how much collaboration and coordination goes on between local governments and large private enterprises in forming and testing the security plans? Fire drills are coordinated with the local fire departments and active shooter response drills are coordinated with local police and other emergency services. Is there a special branch of government that helps handle the response to cyber-physical attacks? FBI or Homeland Security maybe? I can't imagine that there are many local police departments who have Cyber-Physical Attack Response Teams in place today.
Luis Ayala
Author
In the past, many private organizations did not want to admit that they had been hacked so they put on a face at cyber conferences like they don't have any problems.  Lately, they are warming up to the fact that it would be best for them if they admit they've been hacked and let us help.  This whole field is evolving and more coordination with Federal and local authorities is needed to prepare for the eventual cyber-physical attack.  Right now the DHS and FBI send out alerts almost daily to companies that sign up and are notified in real-time when a cyber-physical attack takes place or when a new vulnerability is found.  Their emails include information such as what happened, how serious it is and where to go to get a patch.

Luis Ayala
Junilu Lacar
Sheriff

Luis Ayala wrote:
"In the past, many private organizations did not want to admit that they had been hacked so they put on a face at cyber conferences like they don't have any problems. Lately, they are warming up to the fact that it would be best for them if they admit they've been hacked and let us help."

That's good to know. I learned very early on in my marriage to never try to keep a secret from my wife. She'll always find out, sooner or later. It's never good when it's later. I think it's the same with businesses and security incidents. They just have to learn to own up to making mistakes and show that they are able to learn lessons and apply them back into a program of learning and improvement. Sure, your stocks might be in the doghouse for a while but as long as you take measures to avoid having the same problems from happening again or causing the same kind of disruption, loss of service, loss of trust, etc., customers stay pretty loyal as long as they are getting whatever else they need from you. Right?
Luis Ayala
Author
I suspect most customers are ignorant of the potential for identity theft.  I don't think companies are too concerned because they are insured.  I read that when Target was hacked, the company eventually came out ahead financially because the insurance company paid more than Target lost.  Until legislators start to levy hefty fines, companies will continue their lackadaisical approach to cybersecurity.

Luis Ayala