9 November 2022
The Role of Engineers in the Inevitable Reincarnation of Cybersecurity
“How?” Jeff wailed. He looked haggard and his hair was a mess. “We beefed up the network security, installed multi-factor authentication for all the users, did company-wide training on spotting fishy emails, and on and on. The whole nine yards — we did everything! And now this — Hacked! How the hell did this happen?”
Sven, the cybersecurity consultant, checked his wristwatch and sent Jeff home. It had been a long, traumatic day. He packed up his notes, checked on the overnight team in the IT department, and headed for the exit himself. As he left the building, he glanced up at the security camera on the corner of the building, its black orb-like eye staring unblinkingly at the entrance in the dark. He walked over and inspected the camera.
“Crap,” he thought. He sighed, turned around, and went back into the building, headed for the building security office. When, Sven wondered, would people realize that cybersecurity went way beyond all the things Jeff had mentioned? The designers and engineers who create so-called “smart” systems and appliances needed to start incorporating device security into their designs too. Sven had a funny feeling about that darn camera . . .
The Insecure Camera
In September 2022, the ASME (American Society of Mechanical Engineers) released a white paper titled “Safeguarding Devices — Not Just Data — From Cyberattacks”. This 3,500-word paper provides a chilling insight into the complications currently faced by the cybersecurity industry. Why “chilling”? Because hackers are moving well beyond extortion and the sale of stolen data and are increasingly targeting takeovers of physical equipment for much more insidious purposes, such as causing massive power blackouts, poisoning water systems, or other forms of death, destruction, and general mayhem.
Joseph Weiss, a managing partner at Applied Control Solutions in Cupertino, California, says, “In 2000, I started amassing a database of actual control system cyber incidents, both unintentional and malicious.” He has, since then, recorded more than 11 million control-system cyber incidents, which have, he says, “collectively resulted in tens of thousands of deaths and more than $90 billion in direct damage.”
The bottom line is that there is a distinct vulnerability to hijacking — by cybercriminals and rogue nation-states — of both operational technology (OT) and industrial control systems (ICS). As a result, CISA (Cybersecurity and Infrastructure Security Agency) now oversees 16 critical infrastructure sectors, “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” The 16 sectors they have earmarked are:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Bases
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems
Examples of these types of malicious attacks unfortunately abound. Central Israel’s residential water supply came under attack in April of 2020, with two further attacks in June in Upper Galilee.
Back in 2015 and 2016, Russia's notorious Sandworm group struck the Ukrainian grid with its Win32/Industroyer malware, creating massive temporary blackouts.
In December 2020, Oklahoma-based software company, SolarWinds, discovered they’d been breached in a massive Russian cyber-attack that left sensitive data from thousands of clients exposed — amongst them Microsoft® and top branches of the US government, including the Department of Homeland Security and the Treasury Department.
As in Israel, in February 2021 an unknown hacker gained access to the water treatment system for the city of Oldsmar, Florida, just west of Tampa. In this attack, the hacker increased the levels of sodium hydroxide — the main ingredient in liquid drain cleaner — in the water treatment system, exceeding safety levels by more than 100 times. Luckily, an operator was alerted to the intrusion — as the hacker accessed the system remotely — and was immediately able to reduce the sodium hydroxide to normal levels, thwarting the attack and avoiding serious injury to consumers.
All three of the Israeli attacks occurred via vulnerable cellular routers that allow an organization to remotely connect to its industrial systems. Following the attacks, the Israel Water Authority hired a cybersecurity firm to protect its water utilities from ICS and OT cyber-attacks on their machinery and equipment.
The Case of the Killer Coffee Pot
The 16 above-mentioned sectors of concern and reported ICS breaches are not, however, the only points of attack. Much less obvious, but no less vulnerable, is the endless array of “smart” devices, such as the “smart coffee pot” in a building or aboard a cruise ship or train. As stated in the white paper, “These are often very cheap devices, with little to no security.” On a train, for example, the “smart coffee pot” network access becomes a point of entry for hackers, who could then gain access to the signaling network.
A quick internet search revealed just how ubiquitous “smart” devices have become. From the coffee pot to the PA system, HVAC system, water systems, grow lights, wireless printers, point of sale systems, Bluetooth appliances, control and monitor systems, all the way down to that so-called smart security system on the outside of Jeff’s building. Smart devices are everywhere.
The truth is that hackers can access virtually any smart, web-connected device, at will, no matter how seemingly innocuous. Proving this point are Dutch researchers, Daan Keuper and Thijs Alkemade, who won the 2022 hacking championship in Miami by accessing the software that runs the world’s power grids, gas pipelines, and more. The duo described the challenge as their “easiest yet.” Keuper admitted, “In industrial control systems, there is still so much low-hanging fruit. The security is lagging behind badly.”
Trust Nobody, Trust Nothing
Yes, actions such as changing passwords, adopting two-factor authentication, and adding various security measures form one line of defense. But it’s not enough. Not anymore. To hold the bad guys at bay, we need the engineers to assess the bigger picture. And they need to holistically rethink and prioritize a multi-layered, integrated approach to security that shields devices and equipment from malevolent efforts to hijack and reprogram critical infrastructure networks.
If you’re thinking, “It can’t be that bad,” we hate to burst your bubble, but it is. In 2019, leading cybersecurity firm, Tenable, partnered with the Ponemon Institute, specifically to investigate the state of OT cybersecurity. They surveyed over 700 IT and IT security decision-makers in the US, UK, Germany, Australia, Mexico, and Japan, all from the energy and utilities, industrial and manufacturing, health and pharmaceutical, and transportation sectors. The findings revealed that 90 percent of the respondents had at least one damaging OT or IT infrastructure security event in the preceding two years. Shockingly, 62 percent had experienced two or more attacks, and 23 percent were able to directly attribute the attack to a nation-state.
In 2022, in its annual Global Risks Report, the World Economic Forum stated that “cybersecurity threats (including against critical infrastructure) are growing and outpacing societies’ ability to effectively prevent or respond to them.”
Charles Henderson, head of X-Force at IBM Security, believes “the real-world repercussions of cyberattacks will usher in a security renaissance,” and that moving to “a Zero Trust model where everything and everyone is scrutinized and iteratively validated” is critical.
The US Department of Homeland Security offers several strategies to counter cyber intrusions into US critical infrastructure systems. These include reducing the attack surface area by isolating ICS networks from untrusted networks (especially the internet); limiting and securing remote network access; building defendable environments that limit damage from network perimeter breaches; segmenting networks into logical enclaves and restricting host-to-host communication paths.
Joseph Weiss does not disagree. “The grid and other critical infrastructure are, in fact, operable without IP networks,” he says. In the aftermath of the Ukrainian power grid attack, for example, the Ukrainians ran the grid manually for months, proving that it can be done. Weiss emphasizes that the continued approach of safeguarding critical infrastructure by securing the networks is “simply not working.” One of his biggest concerns is, “how many more people will die before control system cybersecurity is treated as a system engineering issue?”
Weiss suggests that “recognizing that problems can be induced in any feedback loop, whether networked or not, offers real possibilities to re-engineer and solve many control system vulnerabilities.”
Of course, there’s also a burning need for OT cybersecurity organizations to include the engineers responsible for the design and operation of ICS and the processes they monitor and control in the security process.
“Remember,” Weiss says, “the field control system equipment keeps the lights on and the water flowing, and for mechanical engineers, I would say this is a major opportunity to make a difference not only to your career, but to civilization itself.”
Those are strong words from a man with 40 years of experience in the industry.