Old thinking about critical infrastructure won’t stop new risks
Heightened cybercriminal activity is making IoT, SCADA and other IIoT investments riskier than ever; are you protecting your IT and OT infrastructure well enough?
Developers of critical infrastructure systems never intended to build insecure operational technology (OT) systems to manage them – but that is exactly what they’ve created as utilities, manufacturers and other process-reliant companies face the challenge of protecting legacy systems that were often built on the assumption they would never be targeted by hackers.
With nation-state attacks on the rise and all manner of industrial systems being connected to the Internet, quite the opposite has happened. Between 2016 and 2017 alone, the Australian Cyber Security Centre (ACSC) reported that Australia’s Computer Emergency Response Team (CERT) dealt with 734 incidents where critical infrastructure providers and systems of national interest had been targeted in cybersecurity attacks.
One incident, highlighted by the Australian Cyber Security Centre (ACSC), spawned warnings that up to 400 Australian businesses had been targeted by Russian state-sponsored attacks. Previous attacks have targeted power stations and an airport in the Ukraine, a nuclear power station in the US state of Kansas, and many more sites.
“The ACSC continues to assess that a cyber attack against Australia would most likely be aimed at high value targets such as critical infrastructure, government networks or military capabilities,” the agency wrote.
The Internet of threats
Growth in adoption of Internet of Things (IoT) technology has compounded the problem. Businesses of all kinds are embracing IoT and its promise of always-connected sensors, cameras, actuators, pumps, and other equipment, and IoT’s promise for industrial environments is so great that the industry has even created its own acronym – Industrial IoT, or IIoT – to describe those applications.
With IoT and IIoT projects maturing from proofs of concept into actual deployments, IDC has predicted that spending on IoT devices will grow 13.6 percent annually through 2022 – at which point businesses will spend $US1.2 trillion ($A1.66t) on IoT equipment alone.
That’s a lot of networked devices, and increasing reliance on them for mission-critical industrial and smart-city applications is certain to attract new attention from cybercriminals keen on disrupting the operations of businesses or entire regional economies.
The active connectivity of IoT devices is different than the passive, segregated networks on which industrial control system (ICS) equipment used to run. Such systems, managed by dedicated OT applications, often implemented security through air gaps that left them physically isolated from other networked systems.
This approach may have provided some measure of security in the past, but with today’s ICS environments relying on remote access and frequently connected to the Internet, their defences are regularly being tested.
Yet conventional IT security technologies can’t provide the necessary visibility into OT networks and the SCADA devices and protocols they support. When companies continue investing in perimeter defences, these technological differences leave them exposed and struggling to introduce comprehensive network security infrastructure based on ideas such as zero-trust networking.
Combined with the inherent weaknesses of IoT and IIoT devices – which are often being designed based on insecure kernels, default passwords or authentication processes that are being exploited with regularity – it is incumbent on industrial and non-industrial organisations to deal proactively with the changed security environment that IoT has presented.
Potentially affected organisations should consider the four pillars of OT security – detecting, securing, managing, and protecting against threats – to address the risks that OT poses.
This includes reviewing policies around password management; multifactor authentication; access control lists; network port security; firewalls; secure integration of wireless and wired networks; active patch management and vulnerability management programs; and securing of profile and access methods.
Fighting the new threats
The recent passage of Australia’s Security of Critical Infrastructure Act 2018 marks the highest-level response yet to the cybersecurity threats posed to critical infrastructure of all kinds. Authorities now have the ability to compel infrastructure operators to share information about potential and existing threats to their infrastructure, and to take certain actions to protect against compromise.
It’s a clear indicator of the level to which concerns about infrastructure threats have risen, and reinforces the need for businesses of all kinds to follow the government’s lead. A ransomware attack on critical infrastructure could hold an entire state hostage, and a similar attack on an unprepared business could shut down critical operations and – as with the Wannacry and Petya attacks that imposed nine-figure damage bills on numerous victims – cause untold damages.
NTT Security’s 2018 Global Threat Intelligence Report identified the extent of the growing threat, with ransomware detection increasing more than 350 percent over the past year – growing from 1 percent of global malware to 7 percent.
The finance sector, in particular, was targeted by attackers with 26 percent of analysed attacks – up from 14 percent of attacks in the previous year. Yet IDC’s projections put insurance and government organisations among the vanguard of IoT adoption, with insurance companies expected to account for 17.5 percent of IoT investments and government, 16.1 percent.
An effective security defence requires evaluation of both outside threats and insider threats, with appropriate network-level protections put in place to control protection of data and access to that data.
This requires visibility of network resources and centralised control of all users – and, importantly, all IoT, SCADA and other IIoT devices – to ensure that infrastructure security offers the same robust protections whether the business is running a major power plant or a tiny branch office.
By sticking to our old security habits, businesses risk introducing new security vulnerabilities into the environments they rely on every day. These countering dynamics will both create and perpetuate cybersecurity vulnerabilities, leaving business and industrial complexes more exposed than they can afford to be. But if you address modern cybersecurity threats with modern cybersecurity responses, you’ve already won half the battle.
Learn more about NTT Communications’ cybersecurity solutions and services.