How vulnerable is our critical national infrastructure?

Considered the backbone of the nation’s economy, security and health; critical infrastructure provides power, water, transportation, and communications systems relied on to connect us with our friends and family to our communities.

Utility, oil and gas, manufacturing and alternative energy organizations are fending off cyber attacks on a daily basis. From activist groups to state-sponsored hackers, our nations’ critical infrastructures are targeted regularly in an attempt to disrupt services and cause havoc.

Information technology has evolved significantly in just the past decade, yet most critical infrastructure technology is based on embedded hardware and proprietary protocols that predate the Internet. Years ago, systems were largely isolated with operation managers onsite, as opposed to connecting in from remote offices or even while on the road – there was no need to connect to a corporate network or Internet and the security models of many of these systems reflects these simpler times.

In an attempt to streamline business, improve communication in the supply chain and stay current with technology trends, such as Big Data and the Internet of Things, these organizations have been and are connecting their critical control systems to open and often public networks.

Unfortunately the networks may not be as secure as believed, exposing companies to an abundance of cyber attacks and vulnerabilities. The once obscure proprietary protocols used by industrial control systems have been dissected and analyzed with the results spread across the Internet for any interested party to peruse, researchers (both those looking to help make the Internet more secure and those looking to defeat its security) are actively looking for vulnerabilities, and dedicated search engines like Shodan allow potential attackers to quickly find systems that are vulnerable to their latest exploit (even though Google often works in a pinch as well). Despite the well-publicized attacks (and the ones never made public) in recent years, security isn’t being seen as a priority for many of the organizations that form our critical infrastructure.

Cybercrime is forcing companies of all sizes in all sectors to take notice; the threat of a cyber attack has serious repercussions that reach far beyond the companies’ business to the individuals who rely on the services of these organizations for their day-to-day needs. A pair of research papers by Trend Micro show how common attacks on critical infrastructure systems have become, who is behind them, and the types of damage these attackers are willing to cause, even with no apparent motive.

In the extreme case, Stuxnet and its descendants have shown us the damage a motivated state attacker can cause. Thirty years ago, physical threats were the biggest concern to critical infrastructure, and today, a cyber attack that isn’t easily attributable to a specific actor poses the greatest threat. It is key that the critical infrastructure maintains reliable functioning.

How can critical infrastructure organizations manage to stay up to date with technology while protecting their company from a security breach?

Cyber security standards and guidelines already exist and in many cases, have been in place for years, yet reported attacks continue to grow and many could have been avoided. With the growing awareness globally of the threat of cyber attacks against critical infrastructure system, guidelines and framework are exactly that – guidelines and suggestions to follow, rather than legal requirements to comply with. In many cases these guidelines will only provide a bare minimum, failing to address the additional risks posed by a specific organization’s architectural design choices.

It still remains the responsibility of the industry to continuously monitor and control its own systems and IT environments. Additionally, due to how connected critical infrastructure systems have become to the broader corporate network, all employees, not just IT employees, need to be educated and trained to do everything possible to reduce the risk of a cyber attack.

Sitting tight and hoping for the best is not an option. The risk of a cyber attack isn’t going away and critical systems are not becoming less vulnerable to attack. To control the risk, an organization must understand the current risk exposure across all area of the business and focus on the critical areas.

To mitigate a security breach, reputation damage and financial loss – a detailed incident response plan is essential. A timely implementation of an incident response is imperative post breach, and having an in-house skilled security expert on call 24×7 may not be an option for many companies as there is a growing global skills shortage in this industry that will likely take years to improve. Many organizations outsource these critical functions, reassuring companies that their systems are monitored around the clock with security experts on hand providing crucial support when needed.

It’s clear that critical infrastructures are under scrutiny from both attackers and defenders. Organizations need to understand their cyber security efforts and where improvements can be made, allowing them to identify and fix the weaknesses in their infrastructure. The industry needs to take control of the issue and find ways to reduce the growing number of threats by building systems that bake in security as part of the design and thereby reduce the number of exploitable vulnerabilities. Until that day arrives, organizations need to remain attentive to protect its assets.

In order to reduce high-risk situations, these ten steps will help improve security controls:
1. Understand your risk – an annual risk assessment exercise should be conducted with an expert who has conducted similar technical risk assessments in order to identify the risks that baseline security and compliance standards don’t cover and determine what level of security is appropriate for a particular system.

2. Secure configuration – keep software and hardware up to date, persistence always pays off. Work with suppliers to ensure proprietary systems are maintained, and build an asset register with a focus on end-of-life/unsupported systems that will require extra protection.

3. Aim for real-time detection – continuously monitor all log data generated by the organization’s IT system to keep track of what strays from “normal” activity and be prepared to respond immediately to any perceived issue. This will likely include a combination of IPS, DLP, FIM, and SIEM solutions working together to provide deep visibility.

4. Educate and train your employees – make sure they really understand your policies, procedures, and incident response processes. Make it a priority to teach everyone at least the basics.

5. Check passwords on connected devices – make sure the devices aren’t using weak passwords that are easily hacked. Default passwords for even obscure products are well known and documented on the Internet, attackers will try these first. Commonly used or otherwise simple passwords aren’t much better.

6. Incident response – establish, produce and routinely test incident management plans to ensure that there is an effective response to maintain business continuity in the face of a breach.

7. Secure network – manage the external and internal network perimeters to filter out unauthorized access. It is key to understand what is on your network and what protocols traverse it. This can’t be accomplished if critical systems share a “flat” network with other unrelated systems with unrestricted internal access. When feasible, completely disconnect critical networks from the Internet and other networks to eliminate the possibility of remote attacks.

8. Malware protection – establish anti-malware defenses and continuously scan for malware. While this won’t stop every attack and shouldn’t be relied on it can provide an early warning of a sloppy attacker.

9. Test security – Regular penetration tests should be conducted in order to identify weaknesses and test the effectiveness of other security controls. These should go beyond basic vulnerability scans and include hands-on attempts to exploit vulnerabilities conducted by testers who are familiar with the techniques necessary to attack industrial control systems.

10. Pay attention to new threats – New vulnerabilities arise regularly, whether it is a simple exploit discovered in a particular product or an entirely new way of manipulating a common protocol that affects a wide range of products dating back years (as we have seen with a number of SSL vulnerabilities lately). All of the policies, procedures, risk assessments, and security controls should constantly be updated to address these latest threats as they are discovered rather than waiting until they are exploited when it is often too late.

As critical infrastructure companies become more connected to the Internet, they are placed under high scrutiny from cyber attackers. It is vital for organizations to recognize where they stand in their cyber security efforts and pinpoint where there are weaknesses in their infrastructure. It is extremely important for companies to be prepared for cyber threats and attacks, and aware of the repercussions, not only on them but also for those who rely on them on a daily basis.