Assessing Threats Against Critical Infrastructure: AEP’s Doug Washington Shares His Insight
In the last two months there’s been more than the usual amount of interest and commentary on the security and integrity of critical infrastructure operations in the United States and abroad. With the discovery of malware on computers at the Gundremmingen Nuclear Power Plant in Germany, with more information revealed about the attack against power substations in Ukraine, and the confirmation that Brussels-based ISIS cells were planning attacks against critical infrastructure in Europe, it’s time to talk about the safety and security of critical infrastructure and industrial control systems.
We reached out to Doug Washington, Nuclear Cyber Security Manager at American Electric Power (AEP), to talk about best practices in securing critical infrastructure operations against both simple and sophisticated threat vectors. Here’s what Doug had to say:
The Access Granted (TAG): Cyber attacks against critical infrastructure operations have been part of the news cycle for more than a decade. Is the attention warranted?
Doug Washington (DW): The attention is warranted, but perhaps not always in the ways that the media would want us to believe. The stories are factual, but there’s a lot of hype – from speculation about who, or what, caused an outage to the extent of the damage that could be done. The threats to critical infrastructure – especially power plants – are very real, but those of us charged with protecting the systems that keep our country and economy running are well-versed both in terms of threats and defenses. Keeping ahead of threat vectors is one of the most important parts of my role at AEP. Malicious actors are very creative and benefit from sharing malware and other information on dark networks, which makes my work interesting.
However, while those types of attacks are headline grabbers, they are few and far between, and a lot of my work is focused on safeguarding against far more common threats like internal errors and what we call human performance errors. Understanding these mistakes and remediating appropriately to make certain that the mistake is not repeatable and that it hasn’t impacted integrity and availability of systems and data is one of the most important things I do. Left unchecked, these are the types of issues that could be exploited far more easily than a unique attack on a power plant launched from the outside.
TAG: Why do nuclear power plants feature so prominently in discussions of cyber attacks, when there are relatively few of them in comparison to other critical infrastructure installations both in the U.S. and globally?
DW: A large part of it has to do with the perception of nuclear power. From the opening sequence of The Simpsons to Chernobyl, nuclear power is seen as dangerous, where, in fact, with the amount of training personnel receive, with the controls that are in place, and the coordination between physical security teams and cyber security teams, not to mention regulations from external organizations, it’s a tightly controlled environment.
For example, employees and contractors are screened carefully before being allowed inside the physical plant, while third parties simply don’t have access to networks and remote access is not permitted. Business networks and operational networks are physically separate and systems are air gapped to prevent cross-over.
If you look at the 2014 attack against the nuclear power plant in South Korea, for example, the government and the plant operator were very clear about the fact that the systems that were hacked were not the plant systems that are closed and separate. And it was the same for the situation in Bavaria; it was business systems that were compromised by malware and not the industrial control systems (ICS). However, those business networks must be protected with as much vigilance as the ICS environment since they contain critical data about customers and employees that are part of the holistic security of a power generation facility.
The biggest challenges come from expecting things from networks that they weren’t originally designed to do. There’s no denying that our infrastructure is older and it was built at a time when security was not baked in. So, my team keeps that front of mind when we re-design or retrofit infrastructure; layering security and putting controls around infrastructure is always a priority.
TAG: Do compliance and governance mandates help with ensuring security?
DW: Regrettably, without some compliance and governance mandates I think many companies wouldn’t implement adequate cyber defenses until it was too late. While the attitude towards security spend has improved in the last 10 to 15 years, especially after the Target breach, being in compliance with a mandate from a government agency or other regulatory body helps focus attention.
Where I think these requirements often fall down, though, is that they are too prescriptive and, because of this, they can’t keep pace with the changing threat landscape. But where they work is in creating common ground, or a framework on which to base your organization’s activities.
Because of the heightened concerns in the nuclear power industry and because we provide an essential service, we’re not hesitant about spending on security for all systems, because the industry is invested in doing the right thing to maintain public trust. However, if you have to spend money to meet regulations, rather than on what will make your plant secure, the regulations miss the point.
Want to learn more about how to protect industrial control systems and other critical infrastructure? You can read our three tips here…