Jen notes that utilities should be following the National Institute of Standards and Technology’s Cybersecurity Framework to identify what is connected to their IT and OT systems.
“Do we even know what is on the system, what is connected, who is using it?” he says. “Do we have the security controls? Are they configured and implemented properly? Do you have any real-time situational awareness to be able to detect real threats?”
No matter how sophisticated a cyberattack, Jen says, utilities also need the ability to respond to and recover from attacks. “This is critical for OT systems,” Jen says. “They run on physical processes that, oftentimes, they don’t have the luxury of doing a system reboot.”
New IT Security Tools for Utilities
To address these concerns, the CYPRESS lab developed three new cybersecurity capabilities for utilities. Jen notes that APL, and his group in particular, is “really proud of the work” its scientists and engineers do to provide cyber resiliency solutions.
One is dubbed Out-of-Band over Existing Communication (OBEC), which “detects whether an adversary has changed the values, even when the expected values continue to be displayed to the operator,” APL notes.
OBEC allows utilities to have a “very inexpensive way of maintaining what we call positive control,” Jen says. Essentially, it gives utility operators the “ground truth” of what is happening in their systems, no matter what an indicator is flashing. The tool then allows the operator to maintain positive control of the cyber-physical systems. In the Oldsmar, Fla., water plant hack, Halla notes, a plant operator was watching as the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million.
“If he had not been watching and then went back, would he have noticed the change?” Halla says. “OBEC is a secondary channel. It sends an alert on a secondary system and would show there was a change out of normal parameters.”
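As an added illustration of the secondary-channel idea described above (example code written for this page, not APL’s OBEC implementation), the script below compares what an operator’s HMI displays against an independent out-of-band reading and alerts when the ground-truth value leaves its normal band or when the two channels disagree. The normal range, tolerance and sample readings are constructed, loosely modelled on the Oldsmar figures quoted above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed placeholders: an assumed acceptable sodium hydroxide band and an
# assumed 5% tolerance for agreement between the in-band and out-of-band channels.
NORMAL_RANGE_PPM = (50.0, 150.0)
AGREEMENT_TOLERANCE = 0.05


@dataclass
class Sample:
    t: int           # time step of the reading
    hmi_ppm: float   # value shown on the operator's HMI (in-band; could be falsified)
    oob_ppm: float   # value read over the independent out-of-band channel


def check_sample(s: Sample) -> list[tuple[int, str, float, float]]:
    """Return (t, alert_kind, hmi_ppm, oob_ppm) tuples for one reading."""
    alerts = []
    lo, hi = NORMAL_RANGE_PPM
    # The physical process itself has moved outside normal parameters.
    if not lo <= s.oob_ppm <= hi:
        alerts.append((s.t, "OUT_OF_RANGE", s.hmi_ppm, s.oob_ppm))
    # The display no longer matches ground truth, i.e. the operator is being
    # shown an expected value while the real value has changed.
    if abs(s.hmi_ppm - s.oob_ppm) > AGREEMENT_TOLERANCE * max(abs(s.oob_ppm), 1.0):
        alerts.append((s.t, "CHANNEL_MISMATCH", s.hmi_ppm, s.oob_ppm))
    return alerts


def run_detector(samples: list[Sample]) -> list[tuple[int, str, float, float]]:
    """Evaluate a sequence of readings and collect every alert raised."""
    alerts = []
    for s in samples:
        alerts.extend(check_sample(s))
    return alerts


# Constructed readings: normal operation, a small sensor wobble, then a change to
# 1,100 ppm that the HMI keeps hiding, and finally the HMI catching up.
SAMPLES = [
    Sample(0, 100.0, 100.0),
    Sample(1, 100.0, 101.0),
    Sample(2, 100.0, 1100.0),
    Sample(3, 1100.0, 1100.0),
]

if __name__ == "__main__":
    for t, kind, hmi, oob in run_detector(SAMPLES):
        print(f"t={t}: {kind} (HMI shows {hmi} ppm, out-of-band reads {oob} ppm)")
```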
The second solution is called Network Deception and Response Toolkit (Network DART), which “diverts an intruder to a high-quality decoy, protecting critical equipment while gathering intelligence about that intruder,” according to APL.
“It will be able to smartly divert an attacker to essentially an alternate reality, so that from an attacker’s point of view, they are continuing to exercise the controls on the operational system,” Jen says. “In reality, they are in this Network DART system, and we can observe their behavior and can identify forensic patterns and so forth.”
Halla calls it a “very, very advanced honeypot.”
The third is known as Mitigating Incidents with Mock Industrial Control Systems (MIMICS), which, APL says, “transfers control of critical processes from an industrial controller to a virtual instance to maintain continuity of operations if the industrial control system is attacked.”
MIMICS “provides a very affordable and low-cost redundancy,” Jen says, noting that it enables a “real-time switchover if your primary systems get compromised” so that service is not interrupted.
Halla notes that “a well done cyberattack will look like a maintenance failure.” If a utility’s main systems fail, MIMICS creates another system that can be used to maintain operations, acting as a virtual machine version of the ICS.
APL would be “very excited” to take the solutions and partner with private utility operators, government entities and other organizations on deploying the new tools, according to Jen.
“Our goal is to make the infrastructure more robust,” he says. “We would be excited to look for ways to pilot and test out these solutions.”