Cybersecurity for critical infrastructure

Our critical infrastructure, from the electric grid to manufacturing and hospitals, is not always sufficiently protected against hackers targeting industrial automation and control systems.


Mike Mullane

2 years ago | 5 min read


All too often, cybersecurity is understood only in IT terms, where the emphasis is on protecting, in equal measure, the confidentiality, integrity and availability of data: the so-called C-I-A triad. That model does not transfer well to the cyber-physical assets that keep modern society safe and functioning. These assets, collectively known as critical infrastructure, are found in a wide range of sectors, such as energy, health, manufacturing and transport.

The Industrial Internet of Things (IIoT) has accelerated the growth of cyber-physical systems, where the once separate domains of IT and operational technology (OT) converge. Sensors and monitors connected to OT gather, analyze and communicate data with other devices and systems to improve quality, efficiency and safety.

This convergence needs to be reflected in any cybersecurity strategy for protecting OT, because industrial environments face different kinds of risk. The first priorities are protecting people and the environment. In the cyber-physical world, everything is geared towards the physical movement and control of devices and processes so that systems keep working as intended. For example, OT helps ensure that a generator comes online when electricity demand rises, or that an overflow valve opens when a chemical tank is full, so that hazardous substances do not spill.

In OT environments, industrial automation and control systems (IACS) run in a continuous loop, checking that every part of the process is functioning correctly. They include the supervisory control and data acquisition (SCADA) technology and the human-machine interfaces (HMI) at the very heart of cyber-physical systems. From a cybersecurity perspective, the challenge is that, unlike business systems, IACS are designed to make access easy from several different networks. Attacks on IT and OT also tend to have different consequences: an attack on IT usually has economic effects, whereas an attack on critical infrastructure can damage equipment, harm the environment, or even threaten public health and lives.

Protecting SCADA systems

SCADA systems, which oversee electric grids as well as machinery in industrial installations, have traditionally relied on "security by obscurity": an ingrained assumption that, since nobody knows or cares about their communication systems or their data, there is no need to protect them. That assumption no longer holds. SCADA communication networks now reach, directly or indirectly, into thousands of facilities, and threats (both deliberate and inadvertent) can cause serious harm to people and to equipment. Because these systems were built without security in mind, retrofitting appropriate and effective security measures is now difficult.

In IT, for example, intrusion detection and prevention systems (IDPSs) are on the front line of defence. IDPSs are usually software applications that monitor network traffic. Depending on how they are configured, they can do everything from reporting intrusions to taking actions aimed at preventing or limiting the impact of a breach. With SCADA traffic, the challenge is distinguishing normal data from data that could cause harm: a command to open a valve or trip a breaker is legitimate from the right operator at the right time and dangerous otherwise. If an intruder uses well-formed protocol messages, an IDPS that only checks syntax or known signatures may not recognize the traffic as an intrusion at all.

The best solution is for SCADA systems to build security into their communication protocols. That does not necessarily mean encrypting messages, but it does mean adding authentication and authorization, as well as data-integrity checking, while still allowing inspection of the messages themselves, so that an IDPS can determine whether invalid or unauthorized data is being passed.
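As an added example (not code from the article, nor from any IEC standard), the following Python puts the two preceding points together: messages carry authentication, integrity and replay protection without being encrypted, and an inline inspector then checks the plaintext request against an allowlist of which source may send which command to which address. A Modbus/TCP-style frame layout is assumed as a representative SCADA protocol; the HMAC trailer, the shared key, the host addresses, the allowlist and the traffic in `demo()` are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Added example, not from the article. A Modbus/TCP-style layout is assumed:
# a 7-byte MBAP header followed by a PDU. The trailer (sequence number plus a
# truncated HMAC-SHA256 tag) is a hypothetical authentication layer, not part
# of the Modbus specification.
MBAP = struct.Struct(">HHHB")          # transaction id, protocol id (0), length, unit id
PDU = struct.Struct(">BHH")            # function code, address, value (single-item requests)
TRAILER = struct.Struct(">I16s")       # sequence number, 128-bit tag
SHARED_KEY = b"constructed-demo-key"   # assumption: pre-shared key provisioned out of band

FC_READ_HOLDING = 3                    # public Modbus function codes used below
FC_WRITE_SINGLE_COIL = 5
FC_WRITE_SINGLE_REG = 6

def build_frame(tid, unit, fc, addr, value):
    """Build a plain (unauthenticated) single-item request frame."""
    pdu = PDU.pack(fc, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(frame):
    """Parse header and PDU; raise ValueError on anything malformed."""
    if len(frame) != MBAP.size + PDU.size:
        raise ValueError("unexpected frame size")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != PDU.size + 1:
        raise ValueError("bad MBAP header")
    fc, addr, value = PDU.unpack_from(frame, MBAP.size)
    return {"tid": tid, "unit": unit, "fc": fc, "addr": addr, "value": value}

def _tag(seq, frame, key):
    return hmac.new(key, struct.pack(">I", seq) + frame, hashlib.sha256).digest()[:16]

def authenticate(frame, seq, key=SHARED_KEY):
    """Append sequence number and tag. The payload stays in clear text, so an
    inline inspector can still parse it; only origin and integrity are protected."""
    return frame + TRAILER.pack(seq, _tag(seq, frame, key))

def verify(msg, last_seq, key=SHARED_KEY):
    """Return (frame, seq) if the tag is valid and seq is fresh, else None."""
    if len(msg) < TRAILER.size:
        return None
    frame, trailer = msg[:-TRAILER.size], msg[-TRAILER.size:]
    seq, tag = TRAILER.unpack(trailer)
    if not hmac.compare_digest(tag, _tag(seq, frame, key)):
        return None                    # forged, or corrupted in transit
    if seq <= last_seq:
        return None                    # replayed or out of order
    return frame, seq

# Constructed allowlist: which source host may send which function code to
# which address range on which unit. A well-formed request that is not listed
# is reported, which is exactly what a syntax-only check would let through.
POLICY = {
    ("10.0.0.5", 1): [                 # operator HMI: read anything, write setpoints 100-110 only
        (FC_READ_HOLDING, 0, 0xFFFF),
        (FC_WRITE_SINGLE_REG, 100, 110),
    ],
    ("10.0.0.9", 1): [                 # engineering workstation: may also write coils
        (FC_READ_HOLDING, 0, 0xFFFF),
        (FC_WRITE_SINGLE_REG, 0, 0xFFFF),
        (FC_WRITE_SINGLE_COIL, 0, 0xFFFF),
    ],
}

def inspect(src_host, req):
    """Return an alert string if the parsed request falls outside POLICY, else None."""
    for fc, lo, hi in POLICY.get((src_host, req["unit"]), []):
        if req["fc"] == fc and lo <= req["addr"] <= hi:
            return None
    return "%s unit %d: fc %d addr %d not permitted" % (src_host, req["unit"], req["fc"], req["addr"])

def process(src_host, msg, last_seq):
    """Authenticate first, then inspect the plaintext. Returns (verdict, new_last_seq)."""
    checked = verify(msg, last_seq)
    if checked is None:
        return "reject", last_seq
    frame, seq = checked
    try:
        req = parse_frame(frame)
    except ValueError:
        return "reject", seq
    return ("alert" if inspect(src_host, req) else "ok"), seq

def demo():
    """Constructed traffic exercising each path; returns a name -> verdict map."""
    out, seq = {}, 0
    m = authenticate(build_frame(1, 1, FC_WRITE_SINGLE_REG, 105, 500), 1)
    out["hmi_setpoint"], seq = process("10.0.0.5", m, seq)        # in policy: ok
    m = authenticate(build_frame(2, 1, FC_WRITE_SINGLE_REG, 0, 1), 2)
    out["hmi_out_of_policy"], seq = process("10.0.0.5", m, seq)   # well-formed but forbidden: alert
    out["replay"], seq = process("10.0.0.5", m, seq)              # same message again: reject
    m = bytearray(authenticate(build_frame(3, 1, FC_WRITE_SINGLE_REG, 105, 501), 3))
    m[MBAP.size + 4] ^= 0x01                                      # flip a value byte in flight
    out["tampered"], seq = process("10.0.0.5", bytes(m), seq)     # tag fails: reject
    m = authenticate(build_frame(4, 1, FC_WRITE_SINGLE_COIL, 7, 0xFF00), 4)
    out["unknown_host_coil"], seq = process("10.0.0.77", m, seq)  # valid key, wrong source: alert
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two design points are worth noting. First, the tag is computed over the clear-text frame, so integrity and origin are protected but the inspector (and any IDPS on the path) can still read the function code and address; encrypting the payload would hide that. Second, the second message in `demo()` is a perfectly well-formed write and passes authentication; only the per-source allowlist, which is what "authorization" means in practice, turns it into an alert. In a real deployment the key would come from a key-management system rather than a constant, and the allowlist would be derived from the plant's engineering documentation.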

Cyber-attacks on cyber-physical systems

Critical infrastructure has been targeted on a number of occasions. In 2014, for instance, a steel mill in Germany suffered heavy damage after hackers gained access to the mill's control systems via a spear-phishing campaign: targeted e-mails that appear to come from a trusted source and trick recipients into opening a malicious attachment or clicking on a malicious link. The hackers stole the login names and passwords they needed to get into the mill's office network, and from there crossed over to its production system.

Probably the best-known incident was in Ukraine in 2015, when hackers infiltrated an electric utility's SCADA system. Key circuit breakers were tripped and the SCADA system was turned into a "brick", causing a system-wide blackout. It left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours.

More recently, in October 2019, reports from India confirmed that hackers had infiltrated the country's biggest nuclear power station, at Kudankulam in the southern state of Tamil Nadu. According to a sample uploaded to the malware-scanning service VirusTotal, the hackers had managed to infect at least one computer with malware before the breach was detected. In 2020, a series of cyber-attacks targeted Israeli water systems, including pumping stations, sewer systems and wastewater plants. The attackers reportedly exploited vulnerabilities in outdated ICS to gain access. The attacks failed to disrupt the water supply, but the hackers are believed to have been trying to raise chemicals such as chlorine in the water to harmful levels. These are only a few examples, but the clear message is that more must be done to protect critical infrastructure.

A holistic approach

A report on industrial cybersecurity by the International Electrotechnical Commission (IEC), one of the three worldwide standards development organizations alongside ISO and ITU, recommends prioritizing resilience over more traditional cyber-defence approaches. The report says that achieving resilience is chiefly about understanding and mitigating risks, and about being able to detect and cope with security events when they happen, since there is no way to prevent them completely. Even secure-by-design systems, although safer, require continuous and pervasive monitoring. IEC standards for cybersecurity emphasize applying the right protection at the appropriate points in the system while paying attention to safety, security and the reliability of processes.

It is vital that this process is closely aligned with organizational goals because decisions about what steps to take to mitigate the impact of an attack can have operational implications. “Resilience is not just a technical issue,” warns the IEC report, “but must involve an overall business approach that combines cybersecurity techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions”.

International standards

International standards provide solutions to many of these challenges based on global best practice. IEC 62443, for example, is designed to keep OT systems running. It can be applied to any industrial environment, including critical infrastructure.

The industrial cybersecurity programme of the IECEE (the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components) tests and certifies cybersecurity in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.

In an ideal world, power stations and other critical infrastructure would be secure by design. IEC 62351, in addition to specifying security for key power-system communication protocols, provides guidance on designing security into systems and operations before they are built, rather than applying security measures after the systems have been implemented. The thinking is that patching on security after the fact is at best a quick fix and at worst comes too late to prevent the damage from being done.


Created by

Mike Mullane

Mike is an advocate for international standards with a background in broadcasting and communications. He writes about AI, cybersecurity and digital transformation.
