The recent Cyber Squirrel Project report captured the imagination of many. While the image of rogue squirrels storming a nuclear power plant is amusing, the scale of the threat they pose is relatively tame. However it shouldn’t be ignored and for that reason the report should be applauded as it highlights a very important issue – that critical infrastructure is under constant threat of disruption.
Squirrels 879 - Humans 3
According to Cyber Squirrel 1, there were 1,700 animal related outages in 2016 – with practically every species covered from squirrels, birds and even frogs getting in on the action.
While a wildlife outage is obviously far more frequent, it doesn’t mean that the threat from human initiated outages should be trivialised. Returning again to the Cyber Squirrel report, it records that just 5 million people were affected by animal outages. A crude calculation puts that at almost 3,000 per outage. In contrast, if a malicious actor successfully penetrates the critical infrastructure, the scale of the devastation has the potential to be immense. An illustration is the very targeted cyber attack launched against the Ukraine in 2015, that single event affected 225,000 people.
Calling pest control
Of course, not all attacks cause instant damage as many who remember Stuxnet know.
This malicious worm was accountable for causing substantial damage to Iran’s nuclear program. Believed to have arrived on a USB stick, the worm caused the centrifuges to effectively ‘malfunction’ spinning too quickly at times, then too slowly at others, while performing completely normally in between. While in itself this didn’t cause any systems to fail immediately, over time the strain from these excessive speeds caused the infected machines to disintegrate.
A lack of visibility into what was happening within the infrastructure meant that these abnormal fluctuations were not identified, so evasive action or even further investigation before the damage occurred, was not possible.
While squirrels lack the power to spin a centrifuge excessively, a poorly placed nest may cause overheating, nibbling a sealed container may cause water seepage resulting in an intermittent fault or eventual short circuit, the list goes on but you get the idea.
Whether caused by someone upright on two legs using a keyboard, or down on all fours biting through cables or clogging up vents, what is important is having the ability to identify the cause quickly. Then, activate incident response plans as rapidly as possible to minimise additional damage to critical infrastructure and industrial control systems.
Set a humane trap
Visibility of critical infrastructure is often easier said than done. When you consider that a standard power plant will typically have an average 50,000 real-time processes, using standard networking tools to monitor, manage, and then troubleshoot is akin to mission impossible. The task of manually analysing the resulting data is not only time-consuming, but also error prone.
Using advances in computer science, such as machine learning and artificial intelligence, could hold the key. These ‘tools’ build an internal representation of a complex industrial network and its physical processes. Next they take advantage of the predictability in control system traffic by establishing a baseline of ICS network communications and conducting active monitoring for anomalies.
Machine learning is devoted to solving problems without the need for further direct programming. The principle is to program generic algorithms that then use artificial intelligence to actually learn from data to solve problems. Once AI / ICS experts set-up the structure for interpreting the data, the machine learning algorithms operate with minimal direct programming.
This ‘Deep Learning’ allows algorithms to decode the detail and automatically model large, heterogeneous industrial systems. By establishing a baseline of critical infrastructure behaviour – whether a power plant, manufacturing process, rail network, or any other complex infrastructure, it is then possible to actively monitor for anomalies that detract from predicted or ‘expected’ behaviour.
This powerful combination enables real-time modelling and monitoring of the systems that control industrial operations in a way that is far beyond the capabilities of humans. The ability to learn from data enables the discovery of hidden correlation that is simply too complex to be spotted manually, helping to build more accurate systems that do not need “signatures” to determine good versus bad.
Regardless of who, or even what, is causing the problem, operators of industrial control systems need the ability to automatically identify potential issues in real-time. This can speed the investigation of incidents and ultimately contain attacks before significant damage can occur.
Edgard Capdevielle, President and CEO, Nozomi Networks
Image Credit: Flickr / Moyan Brenn