Proactive Cyber Defense: Recognizing Cyber Intrusions for Critical Infrastructure System Operators

By Terri Khalil

Leveraging Guidance from the Electric & Water Sectors and Broadening for all Critical Infrastructure

In an era marked by rapid digital transformation and increasing cyber threats, it is imperative for control system operators in every critical infrastructure sector, whether electric, water and wastewater, chemical, or any other, to be well-versed in recognizing and responding to cyber intrusions.

The National Security Memo 22 on Critical Infrastructure Security and Resilience (NSM-22), published in March this year, and the National Cybersecurity Strategy (NCS) published last year (including the associated fact sheet, and part of a series of efforts placing increasing emphasis on critical infrastructure cybersecurity) provide insights and guidelines that can significantly enhance an organization's cybersecurity posture. This blog aims to distill key points from these documents to help system operators identify potential cyber intrusions so that the threat can be mitigated effectively.

Understanding the Threat Landscape

The National Security Strategy (NSS) published in October 2022 emphasizes that cyber threats are a top national security priority. Nation-state actors, cybercriminals, and other malicious entities continually evolve their tactics, techniques, and procedures (TTPs) to exploit vulnerabilities. The NSS highlights the increasing sophistication of cyberattacks, which often aim to disrupt critical infrastructure, steal sensitive data, and undermine public trust. NSM-22 further elaborates on the need for a proactive and adaptive cybersecurity approach. It stresses the importance of real-time threat intelligence and collaboration between the public and private sectors to stay ahead of adversaries.

Key Indicators of Cyber Intrusions

Guidance for the electric sector, the North American Electric Reliability Corporation (NERC) Reliability Guideline: Cyber Intrusion Guide for System Operators, Version 2 (updated in March last year), emphasizes the unique position of system operators to recognize cyber threats.

From the guideline:

“System Operators are uniquely positioned to recognize cyber threats to the BES [Bulk Electric System]. Through direct access to Cyber Assets, and direct contact with field personnel, System Operators may be the first to recognize real-time threats to system security. They may also be targets of social engineering attempts. System Operators are potentially the first to be able to recognize early indicators of malicious cyber activity, and the last to be able to detect such activity before impacts to operations occur.”

The guideline (it's a quick read) could easily be applied to many critical infrastructure sectors, or even more broadly to most Industrial Control Systems (ICS). The information is straightforward to incorporate into existing operator training, security awareness training, and/or incident response training, especially within "Chapter 1: Could this be a sign of an attack?"

Extract from the guideline (verbatim):

Examples of anomalies that may require attention:

  • Observing unusual or unexplained behavior on workstations. For example:

    • Workstation unexpectedly locked out or displaying a message indicating password has been changed

    • Pointer or mouse cursor moving by itself in an intentional manner (i.e., to perform a task with the cursor, not simply random movement)

    • Files / messages flashing / suspicious pop-ups appear on the screen

    • New applications or icons appearing, or expected applications or icons disappearing from the desktop or start menu

    • System is unusually slow or unresponsive, or has unusual hard disk or network activity

  • Observing unusual system activity or alarms from Cyber Assets. For example:

    • Coincident loss of multiple components of Energy Management System (EMS) or Supervisory Control and Data Acquisition (SCADA) systems supporting Real-time operations, e.g. alarming, ICCP connectivity, state estimation, or contingency analysis

    • Unexplainable power system operations such as breaker operations, transformer tap changes, or AGC set points, inconsistent with system conditions, e.g. multiple breaker operations during a non-storm event

    • Unexplainable manual operations or settings changes

    • Multiple perceived suspicious telemetry point values, inconsistent with system conditions and other apparently normal point values

    • Telephone or email requests for information about technical systems or operational procedures, or for remote access (social engineering attempts)

    • Unexpected system shutdown or reboot

    • Complete loss of SCADA capabilities that support Real-time operations.

    • Erratic EMS/SCADA system equipment behavior, messages/alarms, or degradation of performance, especially when more than one device exhibits the same behavior

    • Anti-malware application alerts on System Operator Human Machine Interface(s)

    • User account authentication requests at atypical times or systems, account lockouts, or change in user privileges

    • Calls from data partners (other entities who see your data) to verify suspicious data being received via communication associations/exchange

  • Other unusual occurrences such as:

    • Coincident loss of operational support systems, e.g., Heating, Ventilation, and Air Conditioning (HVAC), Fire Suppression, phone/communications, Physical Access Control Systems (PACS) at control centers

    • Discovering unauthorized (e.g., USB sticks or wireless access points) or recognizing missing equipment from control centers

An example of another critical infrastructure sector that has sector-specific guidance for cyber incident handling is the Water & Wastewater Sector (WWS). WWS resources include an Incident Action Checklist and an Incident Response Guide.

  • The Environmental Protection Agency (EPA) Incident Action Checklist – Cybersecurity includes a list of potential impacts that may include but are not limited to:

    • Interruption of treatment, distribution or conveyance processes from opening and closing valves, overriding alarms or disabling pumps or other equipment

    • Theft of customers’ personal data such as credit card information and social security numbers stored in on-line billing systems

    • Defacement of the utility’s website or compromise of the email system

    • Damage to system components

    • Loss of use of industrial control systems (e.g., SCADA system) for remote monitoring of automated treatment and distribution processes

  • The Incident Response Guide: Water and Wastewater Sector, developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the EPA, also lists signs that an organization may be experiencing a malicious cyber incident (in section 2.2.1):

    • Unusual System Behavior: If a system is running slower than usual, crashing frequently, or displaying excessive pop-ups.

    • Unfamiliar Network Activity: Network activity or traffic shows unusual or unexpected data transfers, connections to unknown IP addresses, or unauthorized access attempts.

    • Unexplained Data Loss or Modification: Files suddenly disappear, become corrupted, or their contents are modified without authorization.

    • Security Software Alerts: The utility’s anti-malware or firewall software sends warnings.

    • Phishing Attempts: Suspicious emails, messages, or phone calls asking for personal information or login credentials come into the utility.

    • Unusual Networks or Systems: Unknown devices or unauthorized access points start appearing on system networks.
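Several of the indicators quoted above from the NERC guideline and the WWS Incident Response Guide (authentication at atypical times, account lockouts and privilege changes, connections to unknown IP addresses, coincident loss of multiple EMS/SCADA components) are visible in ordinary system logs. The following script is an added example, not code from either guideline or from this blog: it encodes those indicators as detection rules and runs them over constructed HMI/EMS log lines. The log format, the staffed-hours window, the internal address range and the two-minute coincidence window are all assumptions to be adjusted for your environment.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); assumed format: "<ISO ts> <EVENT> key=value ..."
SAMPLE_LOG = """\
2024-05-01T07:12:03 LOGIN_OK user=op_smith host=HMI-01 src=10.10.5.21
2024-05-01T14:40:10 COMPONENT_DOWN name=alarming
2024-05-01T14:40:35 COMPONENT_DOWN name=iccp_link
2024-05-01T14:41:02 COMPONENT_DOWN name=state_estimator
2024-05-02T02:17:44 LOGIN_OK user=eng_admin host=EMS-SRV-02 src=10.10.5.77
2024-05-02T02:19:01 PRIV_CHANGE user=eng_admin role=operator->administrator
2024-05-02T02:25:30 CONNECT host=HMI-01 dst=203.0.113.45:443
2024-05-02T09:05:12 LOCKOUT user=op_jones host=HMI-03
"""

STAFFED_HOURS = (6, 22)  # assumed window in which interactive logins are normal
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed control-network range
COINCIDENT_WINDOW = timedelta(minutes=2)  # assumed window for "coincident" component loss

def parse(line):
    """Split one log line into (timestamp, event name, key/value fields)."""
    ts, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), event, fields

def find_indicators(log_text):
    """Return (rule, line) pairs for every line that matches a guideline indicator."""
    hits = []
    recent_down = []  # (timestamp, component) of COMPONENT_DOWN events still in the window
    for line in log_text.splitlines():
        ts, event, f = parse(line)
        if event == "LOGIN_OK" and not (STAFFED_HOURS[0] <= ts.hour < STAFFED_HOURS[1]):
            hits.append(("atypical_time_auth", line))            # NERC: auth at atypical times
        elif event in ("LOCKOUT", "PRIV_CHANGE"):
            hits.append(("lockout_or_privilege_change", line))   # NERC: lockouts / privilege changes
        elif event == "CONNECT":
            ip = ipaddress.ip_address(f["dst"].rsplit(":", 1)[0])
            if not any(ip in net for net in INTERNAL_NETS):
                hits.append(("unknown_external_connection", line))  # WWS: unknown IP addresses
        elif event == "COMPONENT_DOWN":
            # keep only losses inside the window, then count distinct components
            recent_down = [(t, n) for t, n in recent_down if ts - t <= COINCIDENT_WINDOW]
            recent_down.append((ts, f["name"]))
            if len({n for _, n in recent_down}) >= 2:
                hits.append(("coincident_component_loss", line))  # NERC: coincident loss of EMS/SCADA parts
    return hits

if __name__ == "__main__":
    for rule, line in find_indicators(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Each hit is a prompt for the operator to report, not a verdict; the daytime login by op_smith produces no hit, while the after-hours login followed by a privilege change and an external connection produces three.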

The content from these resources can easily be incorporated into a poster or other materials for in-house cybersecurity awareness and/or training, and just as easily modified to fit your critical infrastructure sector or your industrial control systems industry. While it is very detailed (and usually far too much content for a poster), I suggest including all the points that are applicable to your environment, verbatim where relevant, and also creating a second poster with a one-liner along the lines of "See Something - Say Something", who to report the suspicious activity to, and an eye-catching graphic. These can be posted in pairs in several areas within the relevant control centers/rooms. We have actually done this for you if you would like to utilize the poster set.

Furthermore, incorporating content from this guideline can help critical infrastructure organizations meet the CISA Cross-Sector Cyber Performance Goals (CPGs), which differ from other control frameworks in that they consider not only the IT and OT practices that address and prioritize risk to individual entities, but also the aggregate risk to the nation.

In addition, note that one of the first objectives included within the National Cybersecurity Strategy Implementation Plan v2 is "Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety", which includes:

  • 1.1.1 "cyber regulatory harmonization",

  • 1.2.1 "existing authorities to establish cyber requirements that mitigate risk in their sector, account for sector-specific needs, identify gaps in authorities, and develop proposals to close them." and

  • 1.1.3 "Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance – including the Cybersecurity and Infrastructure Security Agency (CISA)'s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity."


What does that mean? Word on the street has it that either the CPGs or the NIST Cybersecurity Framework (CSF), or both, will likely become part of the regulations.

As a reminder, and as the recent NSM-22 confirmed, the critical infrastructure sectors and their associated Sector Risk Management Agencies are:

In addition to being able to identify and possibly prevent a cyberattack through system operator training and awareness, why not get ahead of some of these guidelines and potential regulations? The posters, together with the incident-related content of the NERC reliability guideline, the WWS Incident Response Guide, or your own company's and sector's sector-specific materials, can help meet the following CPGs:

  • IDENTIFY 1.D Improve IT and OT Cyber Relationships (e.g., discuss and validate the content for the awareness material leveraging NERC reliability guideline)

  • PROTECT 2.J OT Cybersecurity Training

  • PROTECT 2.S Incident Response Plan (e.g., include the potential cyber intrusion content as part of a drill/exercise)


For those of you in the electric sector, the Cybersecurity Baselines for Electric Distribution Systems and DER, jointly developed by the National Association of Regulatory Utility Commissioners (NARUC) and the Department of Energy (DOE), also include these same requirements, based on the CISA CPGs (and are the first of the CISA Sector-Specific Goals (SSGs)).

We'll leave you with these two items:

  1. A poster set (intended to be posted together in multiple areas such as a control room) based on the reliability guideline and slightly broadened to be applicable to any control system. NOTE: If you have feedback that should be incorporated into the poster to improve the content across multiple sectors, please email: contact@ampyxcyber.com

  2. How and where else can the critical infrastructure sectors collaborate?  And, most importantly, how can YOU collaborate?
