Enterprises and organizations cannot fight today's digital terrorists or cyber criminals with yesterday's defensively focused security best practices. The primary problem with defensively focused security solutions is that they provide no deterrent or countermeasure to stop repeated or future attacks. The simple fact remains that a defender has to get it right every time, but an attacker has to get it right just once.
In the United States and other countries, power outages affecting a substantial geographic area have occurred; often the problem is traced back to a single component, such as a relay, a lightning strike, or a bird-induced short circuit. The outage is caused when one overloaded segment shuts down to protect itself from damage. The resulting shutdown adds to the burden on other segments which, in turn, become overloaded and shut down. While these are known vulnerabilities that power grid operators are striving to address, hardening the power grid requires a significant investment of time and other resources. Moreover, such defenses are built with past events in mind and address the failure of a single component. Defenses against a deliberate attack, which may hit multiple components multiple times, remain a continuing concern.
The truth is that today's security best practices and digital strategies have a shelf-life of little more than two weeks. Security professionals cannot detect threats or produce antidotes fast enough to keep up with the rate at which cyber criminals evolve.
Using non-connected devices, devices networked only to other trusted devices, or devices with no connection to public networks (e.g., the Internet) may reduce the opportunity for malicious software (malware) to enter, but it also forgoes the efficiency and features gained from legitimate remote data collection and control access. Non-connected devices may still be compromised if a bad actor has physical access to the device, which is often the case with electricity meters.
Even non-connected devices are subject to risk, as a user may introduce compromised computer media into a private network or even an individual device. “Social engineering” exploits human actions and/or inactions to infect a network. For example, a user may attach media to a computer and, knowingly or unknowingly, infect a network. As one notable example, Stuxnet was launched for the purpose of infiltrating an isolated computer network and causing uranium enrichment centrifuges to operate in a manner predicted to physically damage them. Before executing its payload, Stuxnet would spread from device to device. Devices that were not targeted were either unaffected or, where possible, used to continue the search for the target devices. Once Stuxnet found its target, namely the programmable logic controllers (PLCs) controlling the centrifuges, it would prepare for the attack. Stuxnet would first enter a listen mode to learn the normal operating parameters of the centrifuges. Then, upon being triggered, the attack would be launched and cause the PLCs to operate the centrifuges in a manner calculated to damage them, while reporting the learned, normal operating parameters to operators even as the centrifuges ran well outside of those parameters.
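The listen-then-replay behaviour described above, as an added example that is not part of the original page and is not Stuxnet's code: a constructed centrifuge-speed model in which an attacker sitting between controller and plant records twenty ticks of normal readings, then overspeeds the rotor while feeding the operator the recording in a loop. The rpm values, tick counts, noise model and the two detection checks (exact-repeat detection on the reported telemetry, and a cross-check against an independent measurement) are assumptions made for this illustration.

```python
"""Simplified model of the record-and-replay telemetry spoofing pattern
described above, with two detections an operator could run against it.

This is an added illustration, not Stuxnet's code and not a real PLC
protocol. The plant model, speed values, tick counts and detection
thresholds are all constructed for the example.
"""
import random

NORMAL_RPM = 1000.0      # constructed nominal rotor speed
SAFE_MAX_RPM = 1100.0    # constructed mechanical limit
RECORD_TICKS = 20        # ticks the attacker spends in "listen mode"
ATTACK_RPM = 1.4 * NORMAL_RPM


def physical_process(setpoint, rng):
    """Constructed plant: the rotor tracks the setpoint with sensor noise."""
    return setpoint + rng.gauss(0.0, 2.0)


class ReplayAttacker:
    """Sits between controller and plant.

    Phase 1 (listen): passes everything through and records the real
    readings. Phase 2 (attack): overspeeds the plant while feeding the
    operator the recorded, normal-looking readings in a loop.
    """

    def __init__(self, record_ticks=RECORD_TICKS):
        self.record_ticks = record_ticks
        self.recorded = []
        self.replay_pos = 0

    @property
    def attacking(self):
        return len(self.recorded) >= self.record_ticks

    def tamper_setpoint(self, setpoint):
        return ATTACK_RPM if self.attacking else setpoint

    def tamper_reading(self, actual_rpm):
        if not self.attacking:
            self.recorded.append(actual_rpm)   # listen mode
            return actual_rpm
        fake = self.recorded[self.replay_pos % self.record_ticks]
        self.replay_pos += 1
        return fake


def run_simulation(ticks=60, seed=1):
    """Return rows of (tick, actual_rpm, reported_rpm)."""
    rng = random.Random(seed)
    attacker = ReplayAttacker()
    rows = []
    for t in range(ticks):
        setpoint = attacker.tamper_setpoint(NORMAL_RPM)
        actual = physical_process(setpoint, rng)
        reported = attacker.tamper_reading(actual)
        rows.append((t, actual, reported))
    return rows


def detect_replay(reported, window=5):
    """Return the tick at which a window of reported readings first repeats
    an earlier window exactly, or None. Noisy real-world readings never
    repeat bit-for-bit, so an exact repeat is a strong replay indicator."""
    seen = set()
    for i in range(len(reported) - window + 1):
        w = tuple(reported[i:i + window])
        if w in seen:
            return i + window - 1
        seen.add(w)
    return None


def detect_divergence(rows, tolerance=50.0):
    """Return the first tick where the reported speed differs from an
    independent measurement by more than `tolerance`, or None.

    The simulation's actual_rpm stands in for that independent sensor;
    in practice it must reach the operator by a path the compromised
    controller cannot rewrite (e.g., motor current on a separate meter)."""
    for tick, actual, reported in rows:
        if abs(actual - reported) > tolerance:
            return tick
    return None


if __name__ == "__main__":
    rows = run_simulation()
    reported = [r[2] for r in rows]
    print("first replayed window ends at tick:", detect_replay(reported))
    print("first divergence at tick:", detect_divergence(rows))
    print("peak actual rpm: %.1f (limit %.0f)"
          % (max(r[1] for r in rows), SAFE_MAX_RPM))
```

The exact-repeat check is cheap and works on the telemetry the operator already sees, but an attacker who adds jitter to the replayed values defeats it; the divergence check is the stronger control, and it only works if the independent measurement never passes through the device the attacker controls.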
Stuxnet was most likely brought into the isolated network via social engineering, for example a USB drive or CD-ROM that appeared to have been dropped in a parking lot or other conspicuous location. An unsuspecting individual inserted the media into a computer and, while all appeared normal to the user, Stuxnet entered the network. Stuxnet has since escaped its original target and is now in the public domain, which includes bad actors. These bad actors may leverage Stuxnet as a base platform from which to launch their own attacks. Stuxnet-based malware is only one example. Other attacks may be based on prior attacks, may be entirely new, or may enter via a previously unknown vulnerability (e.g., a zero-day attack).
So the question remains: how do grid operators and security professionals combat an adversary that continuously innovates its digital attacks? To proactively address this security challenge, organizations must adopt and practice an offensively focused digital security policy.