NIST Experiments with Critical Infrastructure Protections

For a few years now, experts have been predicting a massive cyberattack against our nation’s critical infrastructure. This includes segments that rely on a lot of operational technology such as electrical and water utilities as well as manufacturing industries whose loss or disruption would harm our economy, or be outright dangerous. So far none of those predictions have come true. Back in 2015, I wrote about several factors working in our favor that were likely preventing attacks—factors that unfortunately are rapidly eroding as more infrastructure modernizes and standardizes.

The heart of the problem with utilities and most manufacturing sectors is the use of operational technology, which is often abbreviated as simply OT, to differentiate it from the more well-known information technology (IT) we all use every day. But many factories and most of the utility sector does not run on Windows PCs. They run on specialized equipment designed to perform very limited functions, such as opening or closing a valve.

Originally, most OT wasn’t even networked. If you needed to change the power distribution at an electrical substation or divert water to a different pipe at a water treatment plant, someone had to drive out there and throw a bunch of manual switches. Most of those OT devices were eventually networked, tied together by something like a supervisory control and data acquisition (SCADA) control center. But they were primitive by IT standards. Normally, you had to provide a new communications channel for each remote outpost being monitored and controlled. So if you were controlling 10 substations, you would have 10 dedicated lines linking the SCADA control to each one of them. That meant that hackers still needed physical access to the control panel, which was not a viable option for most attackers.

Over the years though, OT has started to become more and more like IT. There are a lot of reasons for this, with one of the main ones being a reduction in utility and manufacturing workers as the old guard retires and few young people want to enter fields that are more labor-intensive, and probably pay a bit less, than might be offered over in the technology realm. As such, networking utilities and manufacturing facilities using IT or IT-like methods, including remote monitoring and control of hundreds or even thousands of systems, leads to higher efficiency with fewer people. But it also makes those systems much more vulnerable to the kinds of attacks that plague IT.

Perhaps one of the most dangerous situations is one where OT systems remain in place but are connected using IT. That means attackers can sometimes hack their way into an OT system through the IT backbone. Once there, most OT systems have little or no intelligence, so they accept whatever commands are given. Earlier this year, the Russian government was caught breaking into systems like that in both the utility and manufacturing sectors, which lead to a United States Computer Emergency Readiness Team warning, and an FBI investigation.

The US-CERT warning detailed the patterns and techniques used by the attackers and explained how to prevent the specific kind of intrusion used by the Russians, who were thankfully just probing defenses this time around. But beyond preventing the Russians from coming back later, at least using the exact same techniques, it did little to address the critical vulnerabilities in either the industries that underpin our economy or the utilities that provide basic services.

That is where NIST is picking up the slack. They just released the draft of NIST Internal Report 8219, entitled “Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection.” The report is a huge tome but makes for fascinating reading. NIST is trying to add anomaly and malicious user detection to OT networks. They even built a testbed with a variety of environments including one with robotic arms and another that mimicked an assembly line to test various security methods. Because most OT networks have little intelligence, the proposed solution involves adding a hypervisor that can create virtual machines to monitor the OT. NIST also tried to use commercially available products and services in their testing, though of course, the team did so without endorsing specific programs.

The report describes several factors and anomalies that the security hypervisor could detect in the test OT networks. This includes some preventative help, such as identifying OT devices with plaintext passwords that needed changed. It also was able to detect and count incidents of user authentication failures, data exfiltration, unusual connectivity between previously isolated devices, and new devices popping up on a previously static OT network. Some advanced features included detecting orders for unusual manufacturing processes and changes in the overall environment where the OT devices were located.

Over in the IT world, this is fairly basic stuff, though it has rarely been tried for OT. Given the comparatively simple nature of OT, these basic protections might be more than enough to ensure that any new intrusions are quickly identified, or perhaps prevented in the first place. I really hope it works. I don’t want to ever have to write about the Great American Blackout, assuming I could find some electricity to work with during the cyberattack. A serious effort to protect OT is sorely needed. The 8219 report and the work NIST is doing goes a long way toward that effort, helping to ensure that our critical infrastructure remains functioning and secure.

If you have any experience working with or protecting OT, comments on the draft report are open until December.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys