Reports of a YouTube video purportedly produced by a local arm of a well know hactivist group singling out a major energy sector producer locally in Trinidad has been making the rounds since Friday.
Rather than comment directly on that, the important question that should be on our minds is how secure is our Critical Infrastructure from Cyber Security risks? The following looks Cyber Security risks in the context of UWI/T&TEC SmartGrid research project and current risks facing automation networks as highlighted by an expert brought down by a locally based energy company.
At the “Public Forum on Development of Trinidad & Tobago’s Smart Grid” on 6th Nov 2014, Dr. Sanjay Bahadoorsingh, (Lecturer, UWI) who has been working on a research project with T&TEC on SmartGrid technologies, updated the audience on the challenges and opportunities of same.
Smartgrid shifts the paradigm from unidirectional flow of electricity to a bidirectional flow which allow users, traditionally thought of solely as consumers, to also serve as generators of electricity. It also calls for advanced metering and control technologies to manage and regulate consumption/generation and billing/crediting accordingly.
The Research project website explains it here better than I. The electricity grid is a major component of our “critical infrastructure” resources, which are essentially that stock of industries and assets deemed critical to the running of the nation. Sectors where other components can be found include telecommunication, health, finance etc.
The information Systems within these components can therefore be termed Critical Informational Infrastructure. Given the importance of the electricity to the functioning of all other industries, if we are heading towards Smart Grid technology, Cyber security is a major concern. One only has to look at recent headlines out of the US to recognize the persistency with which attacks are carried out against energy grids. Fortunately, cyber security was identified as a challenge by Dr. Bahadoorsingh, however, in the Q&A portion; he revealed the current scope of this initial research did not delve deeply into this area.
We’re still a long way off from Smart Grid being implemented locally (legislative and technical issues to be overcome) but at least with this initial recognition from Dr. Bahadoorsingh and T&TEC representative I spoke to at the meeting, I hope that deeper examination of the issue will be prioritized as they move forward.
Exploring the same issues, the local chapter of the International Society of Automation hosted a “Technical Seminar on Process Control Environment Security” on 21st Nov 2014, presented by Mr Steve Mustard.
Mr Mustard is currently auditing assets of a major oil/gas entity in various countries (including Trinidad) to establish their InfoSec preparedness on their control and automation networks. His hour long presentation did not disappoint and he gave the attentive audience insights into the clear and present danger which cyber security risks pose to control networks such as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks.
In our initial talk before the presentation got started, I related to Steve my own experiences of attempting to raise the level of awareness on InfoSec matters locally and we found some commonalities including hearing people putting up the “I have a firewall” defense as their response to InfoSec.
Two problems with this (i) myopic focus on hardware/software solutions without securing people and processes and (ii) as Steve highlighted in his presentation, poorly configured/maintained firewalls is an issue. But risks to control networks could potentially threaten our national economy given our heavy dependency on the energy sector. We looked at the need to protect our “critical infrastructure” elements in the SmartGrid section above.
These sectors/assets are supposed to be more protected than other areas and some of this protection is manifested in the proposed 2014 cybercrime bill via higher penalties. However, legislative controls can only serve as a deterrent. To improve on detection and prevention of attacks against these threats requires robust implementation of technical and procedural controls. So, just how do some of these risks manifest in the environment, see Steve’s diagrammatic representation below:
Steve also emphasized the point that internal users and contractors could potentially pose a more significant risk than external factors, such as external cybercriminal, which would typically get more attention due to media hype.
The intentional and unintentional ways by which internal actors can work against organizations with an emphasis on Social Engineering is one of the topic of focus in my Information Security Awareness Workshops which I am quite happy to say was recently delivered to over 100 employees of a major oil/gas entity as part of their Safety programme.
So it looks like more and more corporate TT is waking up to the realities of cyber security threats. However, would you say GoRTT has an appropriate response to these threats to critical infrastructure?
Shiva Bissessar is a frequent contributor to TechnewsTT on matters of Information Security including Digital Economy and Cyber Security and is currently doing a study on digital currencies in the Caribbean as commissioned by the UN group, Economic Commission of Latin America and the Caribbean, ECLAC.