Jun 07 2021

New Cybersecurity Tools Could Help Utilities Bolster Defenses

Researchers at the Johns Hopkins University Applied Physics Laboratory have developed solutions to enhance IT security capabilities for critical infrastructure providers.

In February, it was a water treatment plant. In May, it was a vital energy pipeline. Just last week, it was the world’s largest meat processor.

Every few weeks it seems that another element of critical infrastructure has been struck by a cyberattack. The attacks have garnered the attention of the Biden administration and its Department of Homeland Security, at a time when the administration is seeking more funding for federal cybersecurity and critical infrastructure cybersecurity is garnering more attention.

Amid all of the Sturm und Drang around cybersecurity for utilities and other critical infrastructure operators, researchers at the Johns Hopkins University Applied Physics Laboratory have been developing solutions that could ease the burden on such entities.

APL announced last month that research conducted at its water treatment test bed in the CYber Physical REsilient Systems Solutions (CYPRESS) laboratory demonstrated cybersecurity solutions that “were successful in prevention, detection and mitigation of cyberattacks on industrial control systems.”

The lab was used for a DHS-funded pilot of research technologies designed and developed by APL to demonstrate a resilient industrial control system (ICS).

Tao Jen, critical infrastructure protection group supervisor at APL, tells StateTech that the recent spate of cyberattacks against critical infrastructure is likely to increase in both frequency and variety. “We do have to look at those types of threats holistically,” he says. “We need to understand the interdependencies between IT and operational technology, and between different critical infrastructure systems — water, electricity, transportation.”

The Cybersecurity Threat to Critical Infrastructure

In the past, most operational technology (OT) systems were closed, says David Halla, a senior adviser in the critical infrastructure protection group at APL. Then, to gain efficiencies, business and utilities started connecting OT to business networks, billing systems and monitoring system.

When that happened, Halla notes, cybersecurity wasn’t as big of an issue, and IT security wasn’t a huge factor when those the connections were made. IT managers did not really consider how each side of the network would be impacted if the other were to be affected. Those risk factors were not assessed properly, Halla says.

The challenge now is getting organizations’ leaders to understand the monetary impact of an OT system that is connected to an IT system being compromised, according to Halla. “The risks could have this dollar figure on the business if it could be compromised,” he says.

Jen says it is important not to think of cyberattacks on critical infrastructure as solely an IT and OT issue, and that assumptions often made about each could lead to even more security problems. Instead, he argues, the issue needs to be treated holistically, with utilities focused on getting a better view of their environments as well as their vulnerabilities.

David Halla, Senior Adviser, Critical Infrastructure Protection Group, Johns Hopkins University Applied Physics Laboratory
A well done cyberattack will look like a maintenance failure.”

David Halla Senior Adviser, Critical Infrastructure Protection Group, Johns Hopkins University Applied Physics Laboratory

Jen notes that utilities should be following the National Institute for Standards and Technology’s Cybersecurity Framework to identify what is connected to their IT and OT systems.

“Do we even know what is on the system, what is connected, who is using it?” he says. “Do we have the security controls? Are they configured and implemented properly? Do you have any real-time situational awareness to be able to detect real threats?”

No matter how sophisticated a cyberattack, Jen says, utilities also need the ability to respond and recover from attacks. “This is critical for OT systems,” Jen says. “They run on physical processes that, oftentimes, they don’t have the luxury of doing a system reboot.”

RELATED: Learn how to protect operational technology in smart cities.

New IT Security Tools for Utilities

To address these concerns, the CYPRESS lab developed three new cybersecurity capabilities for utilities. Jen notes that APL and his group in particular is “really proud of the work” its scientists and engineers do to provide cyber resiliency solutions.

One is dubbed Out-of-Band over Existing Communication (OBEC), which “detects whether an adversary has changed the values, even when the expected values continue to be displayed to the operator,” APL notes.

OBEC allows utilities to have a “very inexpensive way of maintaining what we call positive control,” Jen says. Essentially, it gives utility operators the “ground truth” of what is happening in their systems, no matter what an indicator is flashing. The tool then allows the operator to maintain positive control of the cyber-physical systems. In In the Oldsmar, Fla., water plant hack, Halla notes, a plant operator was watching as the attacker took over a computer and changed the amount of sodium hydroxide in the water from 100 parts per million to 1,100 parts per million.

“If he had not been watching and then went back, would he have noticed the change?” Halla says. “OBEC is a secondary channel. It sends an alert on a secondary system and would show there was a change out of normal parameters.”

The second solution is called Network Deception and Response Toolkit (Network DART), which “diverts an intruder to a high-quality decoy, protecting critical equipment while gathering intelligence about that intruder,” according to APL.

“It will be able to smartly divert an attacker to essentially an alternate reality, so that from an attacker’s point of view, they are continuing to exercise the controls on the operational system,” Jen says. “In reality, they are in this Network DART system, and we can observe their behavior and can identify forensic patterns and so forth.”

Halla calls it a “very, very advanced honeypot.”

EXPLORE: What are the risk preparedness lessons government can take from the Oldsmar hack? 

The third is known as Mitigating Incidents with Mock Industrial Control Systems (MIMICS), which, APL says, “transfers control of critical processes from an industrial controller to a virtual instance to maintain continuity of operations if the industrial control system is attacked.”

MIMICS “provides a very affordable and low-cost redundancy,” Jen says, noting that it enables a “real-time switchover if your primary systems gets compromised” so that service is not interrupted.

Halla notes that “a well done cyberattack will look like a maintenance failure.” If a utility’s main systems fail, MIMICS creates another system that can be used to maintain operations, acting as virtual machine version of ICS.

APL would be “very excited” to take the solutions and partner with private utility operators, government entities and other organizations on deploying the new tools, according to Jen.

“Our goal is to make the infrastructure more robust,” he says. “We would be excited to look for ways to pilot and test out these solutions.”

yangna/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT