As Online Threats Grow, Security Teams Turn to Cyber Ranges
As a former U.S. Army colonel and NSA commander, Eric Toler knows a thing or two about the volatility of the internet. Digital technology now touches almost every aspect of our lives — from personal finance to the electrical grid — and it’s people like Toler who understand just how vulnerable we are to its myriad weaknesses.
“[We’re] seeing an increase in the competency and capability of criminals, and the nexus between criminal organizations and nation states that want to do the U.S. and our allies harm,” said Toler, who now works as Executive Director of the Georgia Cyber Center, a state-owned education and training facility for private- and public-sector cybersecurity professionals in Augusta, GA.
Toler pointed to U.S. trade negotiations with China and its termination of the Iran nuclear deal as specific contributors to a generally heightened state of geopolitical instability.
“There are entities out there that do have the capability to do harm to our critical infrastructure,” Toler said. “I don’t think they quite have the intent yet. But if those intentions start matching up with their capabilities, we’re potentially going to see some significant damage.”
With Connectivity Comes Vulnerability
As the Internet of Things has proliferated throughout the economy, so too have potential vulnerabilities to attack. Consider oil extraction and refinery facilities, essential pieces of national infrastructure that are increasingly infused with IoT applications. While the technology has prompted advances in automation, wireless connectivity and real-time metrics, it also brings exposure to a wider array of cyber threats.
“Many of these systems — these digital environments — are in remote regions of the world,” said Jim Guinn II, who leads cybersecurity efforts in the energy, utilities, chemicals and mining industries for global tech consultancy firm Accenture in Houston. “They’re out in the ocean or in deserts in the middle of nowhere. They’re logistically difficult to get to, and they have network connections back to the mothership that are highly unreliable.”
“Down time of even a few seconds could be severely detrimental...”
For cybersecurity professionals protecting industrial control systems hooked into the internet, the critical nature of these systems poses yet another significant hurdle.
“You can’t just take systems like these down and install patches, because they have to be up all the time,” said David Raymond, an Army veteran and former West Point computer science professor who now works as a Director at the Virginia Cyber Range, another state-based education and training facility. “Down time of even a few seconds could be severely detrimental to a power network, for example.”
Taken together, these issues represent a major challenge for businesses managing industrial control systems: increasingly sophisticated attacks against remote, difficult-to-protect IoT systems that are so critical to daily life that taking them offline to test against cyberthreats is virtually unfeasible.
For governments and businesses operating in an era of increasingly sophisticated digital threats, one solution is to simulate their systems — and the threats arrayed against them — using a cyber range.
A cyber range is a virtual environment designed to simulate systems and the conditions in which they operate. Here, cybersecurity professionals can test security postures against different types of attacks and use the experience to mitigate vulnerabilities. And because it’s a simulation, businesses aren’t jeopardizing real-world operations in the process.
“It’s a much better way to test known bads against commercially acceptable tools and technologies, as well as cybersecurity solutions that are designed to detect them,” said Guinn, who recently supervised the construction of three new Accenture cyber ranges in Houston, Washington, D.C. and Essen, Germany. The facilities cater to the specific needs of oil and gas exploration, extraction and refinery operations; chemical production facilities; and utilities and electric distribution networks.
“Cybersecurity professionals need the ability to explain what the risks are, potential mitigations and residual risks, and then let the business leaders make the business decisions.”
“This isn’t about testing a specific device input and output,” Guinn said. “It’s about testing a series of assets in a string that all communicate back to a central distributed control system or supervisory control and data acquisition (SCADA) system.”
For Accenture, the need to simulate highly individualized systems means having every possible tool on the metaphorical shelf, including programmable logic controllers, distributed control systems, SCADA systems, remote terminal units, human-machine interfaces and more. Guinn said this level of customization gives Accenture the ability to simulate uniquely configured industrial control systems and run any number of tests to find weak points.
Testing The Arsenal
Accenture uses its cyber ranges to test industrial control systems in a number of ways. Recently, an oil and gas company wanted to see if Accenture’s so-called “red teams” — groups of white hat hackers who uncover system vulnerabilities — could penetrate and initiate a command and control takeover of its production assets.
Once a red team had penetrated the system, they then moved the attack to a cyber range simulation to see how much damage an intruder could inflict. Guinn said Accenture had performed this test for several of the world’s largest oil and gas companies and at least one of North America’s largest integrated utilities systems.
Guinn added that Accenture also deploys incident response teams to remote corners of the world in the event of a cyberattack or security compromise on a client’s system.
“In doing so, you get unique exposure to the indicators of compromise and the actual malware that might’ve been launched,” he said. “We can see what that particular threat was trying to accomplish.”
“It’s a good way to see the pros and cons of each piece of equipment or configuration.”
Guinn said these “black bags and boots” teams are then able to capture the code — essentially trapping it in the wild — and deploy it on a cyber range to figure out how to rebuff such an attack or detect the presence of intruders in a system in the future.
Accenture clients — especially chemical manufacturers, said Guinn — also leverage cyber range technology to test and evaluate different system configurations and equipment.
“It’s a good way to see the pros and cons of each piece of equipment or configuration, then make a business-versus-risk decision on what they would like to acquire,” Guinn said.
For David Raymond and his students in Virginia, these business-versus-risk insights are an especially important outcome of cyber range testing.
“Besides the hands-on technical skills that you build, cybersecurity professionals need the ability to explain what the risks are, potential mitigations and residual risks, and then let the business leaders make the business decisions,” he said.
A Place For Mistakes
One of the most significant business cases cybersecurity professionals can make to leadership is to invest in a cyber range in the first place.
“These industrial control systems are very expensive,” Toler said. “If you can replicate that on a range, it allows you to train a much wider audience at a much more affordable cost.”
Cyber ranges are an important piece of a larger cybersecurity puzzle. For Accenture, its network of cyber ranges work in tandem with threat intelligence professionals, red teams, cybersecurity trend-watchers, incident response teams and research and development divisions, all connected through its Cyber Fusion Center in Washington, D.C. Guinn said the company plans to open a second fusion center in Houston this year, which will focus exclusively on the field assets that comprise industrial control systems.
“Most of the cybersecurity industry is focused on IT stuff,” Guinn said. “Very, very few — a cottage industry, really — focus on industrial assets cybersecurity. The amount of money that’s spent on R&D is disproportionately weighted on the IT side, because that’s where the security wave began.
“This could potentially have catastrophic implications as more and more automation gets deployed in the field,” he added.
As for cyber ranges themselves, Toler said the most constructive element they add to an organization’s preparedness is the ability to make errors, conduct reviews and try again.
“It’s a place where you almost want to make mistakes, because that is how you learn,” he said.