Cybersecurity

Finding the Origins of a Hacker

Published 8 October 2020

Industrial control systems run utilities that provide the electricity to keep the lights on or that deliver the water that people expect to gush out when they turn on a tap. Today those systems can be attacked via malicious code that an adversary inserts into the normal operating instructions.

Sarah Freeman works on puzzles. It’s part of her job at Idaho National Laboratory (INL).

But the puzzles Freeman solves aren’t fun and games. They are serious; sometimes deadly serious. What’s more, the need to solve those puzzles is growing daily.

Freeman is a senior industrial control systems cybersecurity analyst. Within that mouthful of a title are clues about the importance of what Freeman and others at INL and elsewhere do. Industrial control systems, for instance, run utilities that provide the electricity to keep the lights on or that deliver the water that people expect to gush out when they turn on a tap.

Today those systems can be attacked via malicious code that an adversary inserts into the normal operating instructions. So, the cybersecurity analyst part of Freeman’s job title means that she looks at aspects of such cyberthreats – with an emphasis on which targets are involved.

“The focus is on critical infrastructure protection,” Freeman said.

Within this category lie power and water utilities, along with pipelines, transportation networks and other infrastructure critical to the everyday functioning of modern society. The list of possible attack points is long.

As part of her work, with seed funding from INL’s Lab Directed Research & Development program, Freeman solves the puzzle of who launched a cyberassault. Determining who is behind an attack is of keen interest to government analysts because of the potential to take some sort of action against perpetrators. Nongovernment analysts, in contrast, focus more on mechanisms, the “how” of an attack. Figuring out the “who” involves putting together a series of clues.

In solving the mystery of who did it, analysts keep in mind some key characteristics of industrial control systems. Such systems are examples of operational technology, or OT. Unlike IT, or information technology, OT controls physical processes, and so an attack on it can have a physical outcome. Having an industrial control system repeatedly speed up and slow down a water pump, for instance, may damage and eventually destroy the pump or disrupt downstream water delivery.

Assessing just what malware code was meant to do requires carefully considering what infrastructure an industrial control system manages and what that infrastructure or equipment impacts. Such an evaluation can provide answers to some basic questions about the attacker.

“What were they doing? What was their intention?” Freeman said.