Cyber Security Month: After 20 Years – What Has Changed Since the First OT Cyber Attack?
This article is part of ATS’s four-part series highlighting the importance of Cyber Security Month – in previous pieces, we explored best practices in cyber security today and highlighted some of the most notorious cyber crime cases from the past year.
Here, we’ll take a look at the world of cyber security regulations – from the first widely publicized case of a cyber attack in 1988 to the first OT cyber attack that happened 20 years ago in Australia. Measures and policies have changed over the course of the past few decades, attempting to keep up with the continuously evolving landscape of cyber threats for OT systems.
Early Cyber Attack Examples
The Morris worm, released in 1988, is one of the earliest examples of a large-scale cyber attack on IT systems. Because malware and industrial operational technology both had to mature first, it took several more years for cyber attacks on OT environments to become a reality.
An early example of a devastating attack on an OT system was the Maroochy water system hack in Australia, more than 20 years ago. In March 2000, following a series of malfunctions in both the physical equipment and the control network, an engineer discovered that the RF (radio frequency) signal used to control the wastewater pumping stations was being tampered with.
While the intrusion seemed, at first, to have affected only the sewage pumps (which stopped operating), the alarms never reported the tampering to the central computer. Furthermore, there was a total communications breakdown between the various pumping stations and the central computer.
When the perpetrator, Vitek Boden, was caught and arrested, it was discovered that he had used a laptop and Supervisory Control and Data Acquisition (SCADA) equipment to tamper with and disrupt the operation of around 150 local sewage pumping stations. Over the course of several months, millions of gallons of sewage were released into waterways and local parks, posing an immense danger to public health and creating a local environmental crisis.
“Marine life died, the creek water turned black and the stench was unbearable for residents,” a representative of the Australian Environmental Protection Agency was quoted as saying at the time.
In the aftermath of the attack the SCADA systems were re-evaluated and a number of vulnerabilities were discovered. It also became clear that one of the reasons the attack wasn’t noticed and stopped sooner was that the Maroochy water system had no cyber security policies or procedures in place, not even the fundamentals such as user access control or the identification and authentication of users.
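As an added illustration (not part of the original article or of the Maroochy investigation), the following Python sketch shows how a central computer could enforce the two fundamentals the text says were missing: rejecting pump commands that carry no authenticated operator identity, and treating a pumping station that stops reporting as an alarm in its own right instead of a silent communications breakdown. The station names, operator identifiers and key=value log format are all constructed for the example.

```python
"""Constructed SCADA telemetry audit: an added example, not code from the article.

Check 1: every pump command must name an operator on the allow-list (user access control).
Check 2: a station whose heartbeat goes quiet is flagged, so a failed or jammed RF link
         is noticed by the central computer rather than ignored.
"""
from datetime import datetime, timedelta

# Assumptions: the central computer keeps an allow-list of authenticated operators
# and a list of the stations it is responsible for.
AUTHORIZED_OPERATORS = {"op-day-shift", "op-night-shift"}
KNOWN_STATIONS = {"PS-017", "PS-018", "PS-019"}

# Constructed log lines. "operator=none" models an RF command frame that carried
# no identity at all; "laptop-9" models an identity that is not on the allow-list.
SAMPLE_LOG = """\
2000-03-14T01:00:00 station=PS-017 event=heartbeat
2000-03-14T01:00:00 station=PS-018 event=heartbeat
2000-03-14T01:05:00 station=PS-017 event=command pump=stop operator=op-night-shift
2000-03-14T01:07:00 station=PS-018 event=command pump=stop operator=none
2000-03-14T01:09:00 station=PS-019 event=command pump=stop operator=laptop-9
2000-03-14T01:10:00 station=PS-017 event=heartbeat
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit(log_text, now_iso, max_silence_s):
    """Return (unauthorised commands, silent stations).

    unauthorised: list of (station, operator) for commands not from an allow-listed operator.
    silent: sorted stations with no heartbeat within max_silence_s seconds of now_iso.
    """
    now = datetime.fromisoformat(now_iso)
    max_silence = timedelta(seconds=max_silence_s)
    unauthorised, last_heartbeat = [], {}
    for rec in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if rec["event"] == "heartbeat":
            last_heartbeat[rec["station"]] = rec["ts"]
        elif rec["event"] == "command" and rec.get("operator", "none") not in AUTHORIZED_OPERATORS:
            unauthorised.append((rec["station"], rec.get("operator", "none")))
    # A station never heard from is as silent as one that stopped mid-run.
    silent = sorted(s for s in KNOWN_STATIONS
                    if s not in last_heartbeat or now - last_heartbeat[s] > max_silence)
    return unauthorised, silent
```

Run `audit(SAMPLE_LOG, "2000-03-14T01:15:00", 600)` to see both checks fire on the constructed log: two unauthorised stop commands and two stations that have gone quiet.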
This incident sparked a wider recognition of the importance of industrial cyber security regulation. New bills and pieces of legislation were introduced to take into consideration critical administrative, supply chain, and physical vulnerabilities. That notwithstanding, in the two decades that followed, we have seen a significant rise in the number, and types, of malware programs that target industrial OT.
Legislative Response
In 2001 the Australian legislative framework was updated with the new Cybercrime Act 2001. The Cybercrime Act sought to regulate computer offences of all shapes and sizes, while also drawing on useful provisions of earlier legislation that had helped curb cyber crime.
In addition, the Australian Department of Communications, Information Technology and the Arts launched an effort to convince senior management of the potential risks to SCADA systems, which included a number of logical, physical, and administrative controls for risk management.
Australia also has its own CERT, aptly named AusCERT, and the Australian Government has the Australian Cyber Security Centre, which is part of the larger Australian Signals Directorate, which is itself run by the Minister of Defence.
However, more than 20 years have passed since then, and we have seen a significant rise in the number and variety of malware targeting industrial OT, with still no single established global framework designed to combat this problem. The current state of cyber security regulation is instead unique to each country, with many lawmakers striving to shape their own defences. This is especially evident in the current state of cyber protection policy in the US.
Cyber Security Regulation in the United States
While some bodies, such as the European Union, have sought to create a unified system of cyber security measures, the US has no unified federal law that regulates cyber security and the issues connected to it. Instead, individual states have their own cyber security bills, along with data breach notification laws.
This huge, sometimes inconsistent, legislative landscape spanning all 50 states can present a real challenge for companies and organizations that seek to do business country-wide.
In addition to this already confusing web of individual policies, the number of newly proposed bills keeps rising. Fighting to keep up with the changing times, the US Senate introduced or considered more than 280 cyber security bills or resolutions in 2020 alone, covering increased penalties for cybercriminals, regulation through insurance, the creation of cyber security task forces, and the implementation of security training.
Some of these new bills include important federal policies such as the Internet of Things (IoT) Cybersecurity Improvement Act and the State and Local Cybersecurity Improvement Act.
Internet of Things Cybersecurity Improvement Act
This act became law last December, and it directed the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to develop and issue standardized guidelines, policies and principles for US government agencies on the appropriate use and management of IoT technologies.
We have yet to see what these standards entail, and how a nation-wide implementation will be handled, but the law is a promising sign of the growing importance of IoT network security.
State and Local Cybersecurity Improvement Act
One more initiative centered on the cyber protection of government entities was the State and Local Cybersecurity Improvement Act, which granted $400 million of funding to the Department of Homeland Security. This act also mandated the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to create a defense-in-depth strategy to strengthen the defenses of all government entities, whether local, state, territorial, or tribal.
In Conclusion
The growing number of cyber security regulations in recent years has fragmented policy across the USA and created a complex web of compliance requirements, forcing each enterprise to seek out and conform to the individual standards that apply to its own industry sector.
The escalating number of regulations also places significant responsibility on organizations to be liable for the actions of their vendors. This is why more and more enterprises turn to cyber security solutions that provide regular reports and help ensure compliance.
The patchwork of legislation covering information security, cyber security and data privacy has clearly been a challenge to handle in recent years.
All this is expected to change soon, however. In May this year, after a particularly impactful cyber attack on Colonial Pipeline, which prompted a regional state of emergency in 17 US states, President Joe Biden issued an executive order to increase the protection of government networks.
This order, according to the White House’s press release, directs the government to:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Establish a cybersecurity safety review board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cyber security incidents on federal government networks
- Improve investigative and remediation capabilities
This push toward a more unified system of defence in the US government will, as many predict, have a trickle-down effect. As manufacturers and vendors strive to meet the federal standards, it will motivate other, non-US-based companies to do the same in order to compete on the global market, building a more standardized defence approach worldwide.