NIST Experiments with Critical Infrastructure Protections


Over in the IT world, this is fairly basic stuff, though it has rarely been tried for operational technology.

For a few years now, experts have been predicting a massive cyberattack against our nation’s critical infrastructure. This includes segments that rely on a lot of operational technology such as electrical and water utilities as well as manufacturing industries whose loss or disruption would harm our economy, or be outright dangerous. So far none of those predictions have come true. Back in 2015, I wrote about several factors working in our favor that were likely preventing attacks—factors that unfortunately are rapidly eroding as more infrastructure modernizes and standardizes.

The heart of the problem with utilities and most manufacturing sectors is the use of operational technology, which is often abbreviated as simply OT, to differentiate it from the more well-known information technology (IT) we all use every day. But many factories and most of the utility sector do not run on Windows PCs. They run on specialized equipment designed to perform very limited functions, such as opening or closing a valve.

Originally, most OT wasn’t even networked. If you needed to change the power distribution at an electrical substation or divert water to a different pipe at a water treatment plant, someone had to drive out there and throw a bunch of manual switches. Most of those OT devices were eventually networked, tied together by something like a supervisory control and data acquisition (SCADA) control center. But they were primitive by IT standards. Normally, you had to provide a new communications channel for each remote outpost being monitored and controlled. So if you were controlling 10 substations, you would have 10 dedicated lines linking the SCADA control to each one of them. That meant that hackers still needed physical access to the control panel, which was not a viable option for most attackers.

Over the years though, OT has started to become more and more like IT. There are a lot of reasons for this, with one of the main ones being a reduction in utility and manufacturing workers as the old guard retires and few young people want to enter fields that are more labor-intensive, and probably pay a bit less, than might be offered over in the technology realm. As such, networking utilities and manufacturing facilities using IT or IT-like methods, including remote monitoring and control of hundreds or even thousands of systems, leads to higher efficiency with fewer people. But it also makes those systems much more vulnerable to the kinds of attacks that plague IT.

Perhaps one of the most dangerous situations is one where OT systems remain in place but are connected using IT. That means attackers can sometimes hack their way into an OT system through the IT backbone. Once there, most OT systems have little or no intelligence, so they accept whatever commands are given. Earlier this year, the Russian government was caught breaking into systems like that in both the utility and manufacturing sectors, which led to a United States Computer Emergency Readiness Team warning, and an FBI investigation.

The US-CERT warning detailed the patterns and techniques used by the attackers and explained how to prevent the specific kind of intrusion used by the Russians, who were thankfully just probing defenses this time around. But beyond preventing the Russians from coming back later, at least using the exact same techniques, it did little to address the critical vulnerabilities in either the industries that underpin our economy or the utilities that provide basic services.

That is where NIST is picking up the slack. They just released the draft of NIST Internal Report 8219, entitled “Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection.” The report is a huge tome but makes for fascinating reading. NIST is trying to add anomaly and malicious user detection to OT networks. They even built a testbed with a variety of environments including one with robotic arms and another that mimicked an assembly line to test various security methods. Because most OT networks have little intelligence, the proposed solution involves adding a hypervisor that can create virtual machines to monitor the OT. NIST also tried to use commercially available products and services in their testing, though of course, the team did so without endorsing specific programs.

The report describes several factors and anomalies that the security hypervisor could detect in the test OT networks. This includes some preventative help, such as identifying OT devices with plaintext passwords that needed to be changed. It also was able to detect and count incidents of user authentication failures, data exfiltration, unusual connectivity between previously isolated devices, and new devices popping up on a previously static OT network. Some advanced features included detecting orders for unusual manufacturing processes and changes in the overall environment where the OT devices were located.
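
The kind of baseline comparison described above, as an added example that is not taken from the NIST report or its testbed: it learns which devices and device pairs appear during a known-good period, then flags new devices, new links between known devices, and repeated authentication failures. The record format, device names and failure threshold are assumptions made for illustration, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample records: (source, destination, event). Illustrative only.
BASELINE = [
    ("hmi-1", "plc-1", "modbus_read"),
    ("hmi-1", "plc-2", "modbus_read"),
    ("historian", "plc-1", "modbus_read"),
    ("eng-ws", "hmi-1", "login_ok"),
]
OBSERVED = [
    ("hmi-1", "plc-1", "modbus_read"),      # matches the baseline
    ("plc-1", "plc-2", "modbus_write"),     # known devices, never linked before
    ("laptop-7", "plc-2", "modbus_write"),  # device absent from the baseline
    ("eng-ws", "hmi-1", "login_fail"),
    ("eng-ws", "hmi-1", "login_fail"),
    ("eng-ws", "hmi-1", "login_fail"),
]

def learn_baseline(records):
    """Record every device and every unordered device pair seen in known-good traffic."""
    devices, pairs = set(), set()
    for src, dst, _ in records:
        devices.update((src, dst))
        pairs.add(frozenset((src, dst)))
    return devices, pairs

def detect(records, devices, pairs, fail_threshold=3):
    """Return (kind, subject) alerts, each reported once, in order of first occurrence."""
    alerts, reported, fails = [], set(), Counter()

    def raise_once(kind, subject):
        if (kind, subject) not in reported:
            reported.add((kind, subject))
            alerts.append((kind, subject))

    for src, dst, event in records:
        unknown = [d for d in (src, dst) if d not in devices]
        for dev in unknown:
            raise_once("new_device", dev)
        # A new link is only meaningful when both ends are already known devices.
        if not unknown and frozenset((src, dst)) not in pairs:
            raise_once("new_link", "<->".join(sorted((src, dst))))
        if event == "login_fail":
            fails[(src, dst)] += 1
            if fails[(src, dst)] >= fail_threshold:
                raise_once("auth_failures", f"{src}->{dst}")
    return alerts

if __name__ == "__main__":
    for alert in detect(OBSERVED, *learn_baseline(BASELINE)):
        print(alert)
```

Because an OT network is expected to be static, the baseline can be an exact allowlist of devices and links, which is why a single unseen device or link is enough to raise an alert here.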

Over in the IT world, this is fairly basic stuff, though it has rarely been tried for OT. Given the comparatively simple nature of OT, these basic protections might be more than enough to ensure that any new intrusions are quickly identified, or perhaps prevented in the first place. I really hope it works. I don’t want to ever have to write about the Great American Blackout, assuming I could find some electricity to work with during the cyberattack. A serious effort to protect OT is sorely needed. The 8219 report and the work NIST is doing go a long way toward that effort, helping to ensure that our critical infrastructure remains functioning and secure.

If you have any experience working with or protecting OT, comments on the draft report are open until December.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
