Critical infrastructure IoT security: Going back to basics
In this interview with Help Net Security, James Carder, CSO & VP of Labs at LogRhythm, talks about critical infrastructure IoT security, the vulnerabilities that are plaguing this type of technology, and how to tackle the growing number of cybersecurity threats.
We are witnessing numerous and damaging attacks on critical infrastructure lately. What is the main cause that makes them susceptible to these attacks?
Over recent years, attacks on critical infrastructure have grown from moderate risk to major headline-grabbing news, and attackers’ capabilities have also continued to develop.
Criminal organizations and nation state threat actors have continued to ramp up attacks on critical infrastructure entities, with major attacks on the Colonial Pipeline, SolarWinds, and the California and Florida water systems to name a few.
The critical infrastructure sector is vital to the successful functioning of modern society and economies. Whether it’s electricity generation, oil and gas, telecom or water, the services these organizations provide are essential to everyday life, and for businesses to operate effectively.
Due to the vital role these organizations play, they are attractive targets for threat actors wanting to cause serious disruption through cyberattacks. Motivation for doing so varies from hacktivists with political motivations, to hostile nation-states wanting to cause economic damage, to criminals seeking to extort money.
Traditionally, critical infrastructure lags behind in its investments in cybersecurity, or cybersecurity is not seen as a core business priority. When you combine an easy target with high impact to the business and their customers, and the means to pay, you’ve got the prime target for a cyberattack.
Is the IoT technology that powers critical infrastructure really that vulnerable and what can be done to mitigate the risks?
The number of connected devices has grown exponentially over the past few years, and we are seeing this technology being implemented more and more frequently within critical infrastructure. IoT has many uses and can be applied in sectors such as power grids, communication networks and financial services. The increased adoption of operational technology (OT), and of information technology in general, has expanded the attack surface and made critical infrastructure networks more exposed.
Ultimately, IoT devices weren’t built with security in mind. The vast majority of IoT devices tend to be poorly secured, often functioning with out-of-date software or using default security configurations, which makes them a vulnerable target for threat actors. The fact is that until the last 5 or 10 years, security wasn’t even something considered as a part of developing OT. It’s not like a hospital buys a new MRI machine every year, so that 10-year-old MRI machine in the hospital is still highly vulnerable since it was built in a time when security wasn’t important or thought of.
It is unsurprising that the vulnerability of IoT, and of the critical infrastructure landscape as a whole, to cyberattacks is becoming a growing concern within the security landscape, and recent attacks on the sector have proven the need to ramp up security efforts.
Even though IoT is becoming an increasing target, the focus of many recent attacks is on OT infrastructure. For that reason, the critical infrastructure industry must take a security-first stance to secure their operations. To mitigate this increasingly complex threat landscape, the critical infrastructure industry needs to modernize quickly and leverage the security tools, technologies and methodologies available today to ensure they have a secure operation and aren’t seen as low-hanging fruit by the attacker.
Monitoring, detection, and response are just one part of this. I think of critical capabilities like multifactor authentication, endpoint detection and response, heuristics-based AV (modern AV), basic backups, behaviour analytics and patching for the operating systems and applications powering the IoT and OT, and then monitoring, detection, and response. I’d even go with implementing zero trust as being a necessity, as indicated in the recent executive orders in the US.
What are the main techniques cybercriminals use to compromise the IoT technology?
We are seeing a large increase in cyberattacks on the IoT and OT environment, for example the attacks we have witnessed on the South African Department of Justice, Microsoft’s Power Apps and JBS. Many attacks this year have occurred as a result of common vulnerabilities such as weak passwords, insecure web interfaces or exposed APIs, insecure network services, and backdoor access often used for maintenance and management.
The combination of these factors creates the perfect storm for increasingly severe cyber threats. IoT and the greater OT landscape are vulnerable to attacks from ransomware, botnets, denial of service (DoS) attacks, and general control of these systems by nation state threat actors and other criminal groups. These threats have the potential to shut the infrastructure down, cause a disaster, or lead to a myriad of other consequences once IoT in critical infrastructure has been compromised at scale.
What does it mean for organizations to go back to basics to bolster their security posture? Does this apply to critical infrastructure too?
Tackling the growing number of cyberattacks involves going back to basics. Organizations should start by analyzing the current state of their critical systems, applications and data by undergoing a threat modelling exercise to understand what their attack surface is, who is interested, and the attacks they do. Having a system and application inventory is important as you can’t protect what you don’t know about.
This is a practice that can be largely applied to the critical infrastructure industry. Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by air gapping data to compensate for deficiencies in network security and physically isolating platforms from unsecured networks.
As a result, critical infrastructure operations are rife with opportunities for bad actors to target and take down their systems. Many hacks occur because even the most basic security practices of changing credentials and turning off access after an employee has left are not followed.
To avoid being seen as low-hanging fruit by threat actors, organizations must analyze the current threat landscape and take a security-first approach in which the organization puts security as the core foundation of its strategy and operations to safeguard their networks and ensure future resilience and operational performance. This involves EDR, next-gen AV (heuristics-based), multi-factor authentication, and tools like SIEM and UEBA with integrations to things like threat intel.
These are all the basics of a security operation. I would even go so far as to say that zero trust needs to be implemented, and that also adds privileged access management, orchestration, automation, and response. The understanding of workloads, from user to system, application to system, system to system, and application to application, should all be included in an organization’s threat model.
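The "back to basics" answer above hinges on three checks that are easy to state but often skipped: knowing what you have (an inventory), removing default credentials, and revoking access once someone has left. The following is an added illustration, not code from the interview or from LogRhythm, that runs those checks over a constructed device inventory and a constructed offboarding list; the device names, accounts, dates and the 180-day patch threshold are all hypothetical.

```python
from datetime import date

# Constructed sample inventory of OT/IoT assets (hypothetical, not from the article).
INVENTORY = [
    {"name": "plc-pump-01", "default_creds": True, "last_patched": date(2019, 3, 1),
     "accounts": ["ops", "jdoe"], "mgmt_exposed": True},
    {"name": "mri-scanner-a", "default_creds": False, "last_patched": date(2012, 6, 15),
     "accounts": ["radiology"], "mgmt_exposed": False},
    {"name": "hmi-ctrl-02", "default_creds": False, "last_patched": date(2021, 5, 20),
     "accounts": ["ops", "asmith", "vendor-maint"], "mgmt_exposed": False},
]

# Constructed offboarding list: identities whose access should already be revoked.
DEPARTED = {"jdoe", "asmith"}


def audit(inventory, departed, today, max_patch_age_days=180):
    """Return (device, finding) pairs for basic hygiene gaps.

    Checks: default credentials still set, accounts of departed users still
    present, patch age beyond the threshold, and management interfaces that
    are reachable from an untrusted network.
    """
    findings = []
    for dev in inventory:
        if dev["default_creds"]:
            findings.append((dev["name"], "default credentials still in use"))
        for acct in dev["accounts"]:
            if acct in departed:
                findings.append((dev["name"], f"account '{acct}' belongs to departed user"))
        age = (today - dev["last_patched"]).days
        if age > max_patch_age_days:
            findings.append((dev["name"], f"unpatched for {age} days"))
        if dev["mgmt_exposed"]:
            findings.append((dev["name"], "management interface reachable from untrusted network"))
    return findings


def run_sample():
    """Audit the constructed inventory as of a fixed (hypothetical) date."""
    return audit(INVENTORY, DEPARTED, date(2021, 9, 1))


if __name__ == "__main__":
    for device, finding in run_sample():
        print(f"{device}: {finding}")
```

Feeding the same function a real export from a CMDB or asset scanner and the HR leavers list turns the interview's "basics" into a repeatable report rather than a one-off exercise.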
What will the future of critical infrastructure IoT look like? Do you predict many changes impacting this technology?
The critical infrastructure industry has seen a massive leap to digitalization and I predict that this will be a trend that will continue to build in momentum. Smart city IoT infrastructure is rapidly growing with innovation in urban planning and energy consumption being optimized to reduce inefficiencies.
The potential is not just in enabling the interconnection of billions of devices at the same time, but also in harnessing the huge amount of actionable data which can transform infrastructure processes to enable an automated future.
Whilst we wait for this maturation of the industry, and prepare for an expanded IoT environment, we need to ensure reliable security solutions are in place to prevent potentially devastating cyber threats. With the right security foundation in place, critical infrastructure organizations can protect themselves against the inevitable risk of attack while continuing to evolve their operations.