Organizations of all types today face an evolving threatscape and growing pressure to rethink security strategies for long-term sustainability. Critical infrastructure industries, and the communities and economies they serve, face not only particularly damaging outcomes from successful cybersecurity attacks, but also need to deal with significant complexity due to the scale of their operations.
Fortinet’s Daniel Cole discusses the issues and trends affecting critical infrastructure organizations today.
Q&A with Daniel Cole
What’s top of mind for critical infrastructure organizations?
Over the past several years, security has become a primary focus for utility companies, transportation groups, natural resource producers, and more. Research indicates that these organizations are under a state of constant cyberattack, with incidents increasing in sophistication. Operators are concerned about resolving security gaps that are growing wider over time.
What are the underlying issues leading to security gaps?
The machines and technology used to manage and run hydropower dams, oil and gas companies, and other infrastructures were never designed to be connected to remote or public networks. Security was a given because these systems were isolated, and physical access was often restricted. They used proprietary equipment that was often custom built and limited in terms of communications protocols, which meant that even if a cyberattacker could somehow gain access, none of his or her tools would be of any use. But with Industry 4.0 – or the fourth industrial revolution – these environments now have interconnected machines and open standards, and use off-the-shelf hardware and software. As with any other IT network, the benefits of cost savings and efficiency that these changes provide also come with increased vulnerability. This means industrial control systems (ICS) now have a wider footprint for attack.
Also, many people used to think that creating an “air gap” between ICS and all other networks could ensure security. But as more and more of today’s ICS operational technology (OT) components rely on software updates and periodic patching from IT, it’s now virtually impossible to avoid at least occasional data transfer into the ICS. Even in environments without permanent network connections (or those employing only unidirectional devices, such as optical data diodes), there are vulnerabilities. Employees may introduce infected PCs or storage devices, such as USB drives, into that environment, which then ultimately affects the network.
What are the threats these organizations need to be on the lookout for?
Before an organization can accurately assess what threats are out there, it first needs to consider why someone would want to attack them. Most cyber criminals or malicious organizations are seeking financial gain. But in ICS environments, attacks can also be motivated by political or terrorist agendas, including a desire to destroy equipment, threaten national security, and endanger human life. Critical infrastructure organizations have become attractive targets for cyberterrorist attacks. And the types of attacks have become more sophisticated.
While organizations can’t predict every threat, they need to focus on what they can control. Here are questions to help assess OT vulnerabilities:
- What’s critical that needs to be protected? Identifying those elements critical to continued operation is the first step.
- What are the protocols for permission management, or access to controls? Most systems were previously isolated. Now that IT and OT are interconnected, they need to keep pace with OT security best practices. In addition, determining the appropriate privileges for authorized users is just as important as blocking unauthorized access.
- Have hardware and software operating systems been updated recently? Some hardware and software systems pre-date the very notion of cybersecurity. Organizations need to be sure they’re compatible with standard modern defenses such as anti-virus software or threat scanning technologies.
- How often does the organization update and patch? Most operations can’t afford the downtime and cost associated with patching. However, deferred updates lead to wider security gaps.
- Are there large numbers of simple, unsecured, and IP-enabled telemetry devices, such as sensors and pressure gauges? The data on these devices can be manipulated, which then impacts the safety and reliability of the overall system.
- Does the organization employ the best practices of modern coding? Using embedded and often custom-built software written with little attention to recommended security techniques leaves OT systems open to attack.
- Do operators follow a standard procedure for logging events? Organizations that establish a process for noting and reporting system events can use this data to detect irregularities and implement security measures.
- What’s the process for regulating component manufacturing and the supply chain? Without proper monitoring and governance, equipment may be compromised before it’s even installed.
- Is the network appropriately segmented? Many operations have not yet partitioned their networks into functional segments (while remaining fully interconnected). Without proper segmentation, infected data and applications can overlap from one segment to another, and attackers who manage to breach perimeter defenses can easily move undetected across the network.
- How experienced are security engineers? Understanding operations technology is not enough. Security personnel need both industry expertise and proficiency in OT security best practices.
- Is there a plan for operational recovery? In the unfortunate event of a disaster, every organization needs a documented procedure to assess damage, repair systems and machines, and restore operations. Regular security drills also help operators implement recovery quickly and efficiently when it’s needed most.
What’s something these organizations may not yet know?
While the threats from cyber criminals and terrorist organizations are real and concerning, unintentional internal issues account for 80 percent of industrial security incidents [RISI]. In critical infrastructure organizations, software misconfigurations from human error, malfunctioning network protocols, and device behavior are issues to keep an eye on.
A holistic security approach can protect against intentional targeted attacks as well as human error from internal sources. Solving ICS security issues requires a solution that unifies the best of current OT network security capabilities with an extensive understanding of ICS processes and protocols.