A couple of months ago I was discussing data center security with a panel of IT managers from critical infrastructure providers. One representative from a major energy provider said that he had no intention of segmenting his network. When I asked him how he monitors his network looking for attacks that have breached his perimeter, he told me, “That’s the FBI’s job.”
I wish I could say this was unusual.
Historically, the security strategy of many critical infrastructure companies was simply to not connect their networks to the public Internet. For years, sometimes decades, they built their internal architectures around that notion. When a user or contractor needed access, it was provided manually. So now, when they are interconnected to a web of users, suppliers, contractors, and peer organizations, implementing a pervasive security strategy is a significant challenge. Instead, what many organizations in this circumstance tend to do is simply keep building a bigger and stronger front door to keep the bad stuff out. Which, of course, is a recipe for disaster.
A number of things need to happen to fix this problem. First, governments need to legislate that critical infrastructure industries must meet basic security standards. And this legislation needs to have teeth. Fines are often absorbed as the cost of doing business as usual, and often get passed on to consumers. As we have seen with publicly traded companies in the US, however, holding board members and corporate executives personally, financially, and legally liable for failure to implement appropriate security goes a long way towards motivating organizations to overcome whatever inertia is preventing them from properly securing their networks.
Of course, because some of these industries come directly under government control, they will need to be funded. Given the current political climate, this can be challenging. But the last thing that any government wants is a nuclear power plant meltdown, or the release of toxic chemicals, or the contamination of water supplies, or energy grids taken offline, that can be traced back to a cyberattack.
Next, these organizations need to understand that perimeter security is no guarantee. Even the best firewalls in the world, according to numerous studies, are only about 98% effective. If you have a boat with a hundred holes in the bottom, and you only plug 98 of them, what happens to the boat? The compromise of critical infrastructure networks is a matter of when, not if. And frankly, based on forensic evidence from a number of breaches, I can tell you that the only thing standing between us and disaster has been serendipity.
There are also dozens of sector-based Information Sharing and Analysis Centers (ISACs) that organizations in these industries need to participate in. If the recent cyberattack on the power grid in Ukraine hadn’t been an isolated incident, but part of a larger cyberterrorism strategy, it would have been essential that other energy providers around the world knew the details of this breach immediately, rather than a piece at a time, ferreted out over weeks and months.
From a functional perspective, a security game plan needs to be developed on a site-by-site basis. The most important first step that any organization in this sort of circumstance can take is to hire security professionals to assess their current state, develop a get-well plan, and prioritize implementation. From a general perspective, this needs to include a number of key security strategies.
- Don’t just start with where you are, but consider where you are going. A security plan needs to be able to adapt as you grow. If you are planning to add remote offices, or enable mobile users, or build a virtualized data center, include that in your plan now. And select security tools that are future-proof.
- Strategically segment your network. This is perhaps the easiest and most critical step in any security strategy. For example, keep your access network separate from your production network, with a default-deny policy between them that permits only the specific flows the business actually needs. Then actively monitor the traffic that passes between segments: a flow crossing a segment boundary that policy does not explicitly permit is a signal worth investigating in its own right. Segmentation allows you to detect threats that have bypassed your perimeter defenses, isolate infected devices and malware to one place in your network, contain the spread of threats, and maintain the integrity of your intellectual property.
- Keep it simple. As much as possible, build a strategy that provides consistent security across physical, virtual, cloud, access, and mobility networks. Security silos mean that policies get enforced differently in different parts of your network. Sophisticated cyberattacks will exploit these inconsistencies.
- Don’t just bolt on security. Tools that work together are better than those that don’t. You need to select security tools that can share threat intelligence and provide a coordinated response. An isolated security tool, no matter what it can do, is only effective against attacks that pass directly through it, and nowhere else. These sorts of security tools quickly become chokepoints in the network, and pretty soon time-sensitive traffic will be routed around them.
- Visibility is essential. Security teams manage an average of 14 different security consoles, and sometimes many more. And they still have to hand-correlate log files and threat data to discover a threat, and manually coordinate a response to an attack. Which is why Gartner estimates that over 70% of cybersecurity breaches take months to discover. And according to Ponemon, it takes an organization an average of 256 days to detect a malicious attack. As much as possible, implement a single pane of glass management strategy for centralized visibility and orchestration.
- Finally, slow is broken. Security will simply not be used if it gets in the way of time-sensitive traffic. Oh, you might have policies, but the reality is that when you have to process flight information or reroute rush hour traffic or respond to an energy grid failure RIGHT NOW, you can’t afford to wait for an overloaded firewall to decrypt and analyze your files. And whatever performance requirements you have today are likely to be a drop in the bucket compared to tomorrow. So plan ahead.
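The segmentation bullet above says to keep the access and production networks apart and to watch the traffic that crosses between them. As an added illustration of what that monitoring looks like in practice (this is example code written for this article, not a tool from any vendor or organization mentioned), the Python script below takes a few constructed flow-log lines, maps each source and destination address to a named segment, and flags every cross-segment flow that is not on an explicit allow-list. The address plan, the log format, and the allow-list are all hypothetical assumptions made for the example; substitute your own.

```python
"""Flag cross-segment traffic that is not on the allow-list.

Example code added to this article. The segments, the allow-list and the
flow-log format are assumptions chosen for illustration, not a real site.
"""
import ipaddress
from collections import namedtuple

# Hypothetical address plan: one network per segment.
SEGMENTS = {
    "access": ipaddress.ip_network("10.10.0.0/16"),       # users, contractors
    "dmz": ipaddress.ip_network("192.168.100.0/24"),      # jump hosts, portals
    "production": ipaddress.ip_network("10.20.0.0/16"),   # control systems
}

# Default-deny between segments; only these flows are permitted.
# Tuple shape: (source segment, destination segment, destination port, protocol)
ALLOWED = {
    ("access", "dmz", 443, "tcp"),        # users reach the portal/jump host
    ("dmz", "production", 22, "tcp"),     # jump host administers production
}

# Constructed flow-log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
Flow = namedtuple("Flow", "ts src dst dport proto")


def segment_of(ip):
    """Return the segment name for an address, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one constructed flow-log line into a Flow."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def classify(flow):
    """'intra-segment', 'allowed' (on the allow-list) or 'violation'."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return "intra-segment"
    if (src_seg, dst_seg, flow.dport, flow.proto) in ALLOWED:
        return "allowed"
    return "violation"


def audit(lines):
    """Return (flow, src_segment, dst_segment) for every flow that breaks policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if classify(flow) == "violation":
            findings.append((flow, segment_of(flow.src), segment_of(flow.dst)))
    return findings


# Constructed sample flows for the example (not captured from a real network).
SAMPLE_FLOWS = """
2016-03-01T08:00:01 10.10.5.23 192.168.100.10 443 tcp
2016-03-01T08:00:05 192.168.100.10 10.20.1.15 22 tcp
2016-03-01T08:01:10 10.10.5.23 10.20.1.15 445 tcp
2016-03-01T08:02:00 10.20.1.15 10.20.1.16 502 tcp
2016-03-01T08:03:30 10.10.7.4 10.20.1.15 22 tcp
2016-03-01T08:04:00 203.0.113.9 10.20.1.15 22 tcp
""".strip().splitlines()


if __name__ == "__main__":
    for flow, src_seg, dst_seg in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} VIOLATION {src_seg} -> {dst_seg} "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

On the sample data the first two flows are on the allow-list and the Modbus flow inside production is intra-segment, so only three flows are reported: an access host reaching production over SMB, an access host going straight to production over SSH instead of via the jump host, and an external address reaching production over SSH. The point of the exercise is the last two: both use a port that is legitimately open somewhere, and only the segment boundary makes them stand out.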
The reality is that as we transition to a digital economy, critical infrastructures will become increasingly vulnerable. Expanded attack surfaces, new applications and devices, and the need to dynamically share critical information all expand exposure to risk. Those industries that are essential to the health and well-being of both people and national economies have got to step up and address this challenge. Lives actually depend on it.