Cyber threats to critical infrastructure

by Mark Rowe

Imagine suddenly having no access to power: hackers have shut down the country’s power grid, leading to confusion, anger and, in some cases, fatalities. This might seem like an extreme case, but the National Cyber Security Centre (NCSC) issued a warning earlier this year that hackers are targeting the UK’s energy sector, with the potential to take down services that could affect thousands of people within minutes, writes David Warburton, Senior Systems Engineer, Government and Defence, at F5 Networks, a cyber security product company.

Attacks on critical infrastructure are nothing new; a blackout that affected 225,000 people in western Ukraine in 2015 was revealed to be the result of a cyber-attack. In addition, data breaches were discovered only 62 per cent of the time by security teams in oil and gas companies, according to Accenture. While it is true that attacks are getting more sophisticated, the biggest data breaches often exploit old vulnerabilities in outdated software. In turn, this means that healthcare, transport networks, banks and nuclear plants could all be at a higher risk of attack by relying on this critical (outdated) infrastructure. We have already witnessed how hackers are finding new ways to disrupt these systems, such as the Stuxnet and Industroyer viruses, and the global disturbances caused by WannaCry. All are key examples of the potential for chaos if systems are left underprotected.

Infiltrating control systems

User convenience and reduced IT budgets are increasingly conspiring to reduce effective information security. This has led many organisations to combine the platforms running industrial control systems with the ones used to browse the web and check email. Breaching an industrial environment with its concrete walls, barbed wire fences and security guards sounds impossible, until you consider a simple email with a malicious attachment could bypass many existing cyber defences and take over an entire power plant.

Organisations that maintain good cyber defences for their own systems are still at risk from the supply chain. We trust our suppliers to act responsibly and to maintain their own cyber defences, and we trust that the software they supply to us is genuine. Consider what happens, as it did in 2014 when the Dragonfly group attacked UK-based critical infrastructure, if your supplier of industrial control system (ICS) software is compromised. Attacking the supply chain is fast becoming a favoured method of attack for cyber criminals, since most organisations implicitly trust the software they purchase. From malware being spread via accounting software automatic updates to backdoored server management software, the key aspect is that the source is trusted. Once an attacker gains access, it becomes difficult to spot their activity, because everything they do can appear to originate from this trusted source.

The use of cloud has allowed organisations to centralise management and control functions that were previously held in local facilities. The benefits of this include greater efficiencies, cost savings and a standardised system. However, enterprise networks can be left exposed in industrial environments they were not developed for, as organisations try to retro-fit security. Some organisations may also spread responsibility for protecting systems across a wide range of people, which can leave processes and systems exposed. As businesses become more global, the attack surface grows and there are more entry points to the business, each one needing to be monitored and protected.

Oil and gas companies also tend to have large mobile workforces, so equipping staff with remote access is both a bandwidth and security challenge. Many workers will rely on remote access to communicate and gather real-time information to do their work, so IT departments need the ability to automate desktop and application management and improve data security by centralising the desktop environment. The use of reverse proxy tools to provide SSL acceleration and termination, as well as re-encryption to web servers, creates a secure environment for remote workers to operate in. With often thousands of staff needing to connect to a network remotely, using network traffic management tools allows them to automatically point users to the closest or highest-performing data centre.
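A minimal version of the reverse-proxy pattern described above, added here as an illustration that is not part of the article or of F5's own products: an nginx configuration that terminates TLS from remote workers, requires a client certificate, and re-encrypts to the internal web server. Hostnames, addresses and file paths are assumptions.

```nginx
# Added example (not from the article): nginx as a reverse proxy that
# terminates TLS for remote workers and re-encrypts to the internal web
# server. Hostnames, paths and the upstream address are assumptions.
upstream portal_backend {
    server 10.0.20.15:443;   # assumed internal web server
}

server {
    listen 443 ssl;
    server_name remote.example-energy.invalid;   # assumed public name

    # Termination: the proxy holds the public certificate and key.
    ssl_certificate     /etc/nginx/tls/remote.crt;
    ssl_certificate_key /etc/nginx/tls/remote.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate so only enrolled devices reach the portal.
    ssl_client_certificate /etc/nginx/tls/workforce-ca.crt;
    ssl_verify_client on;

    location / {
        # Re-encryption: a second TLS session to the backend, with the
        # backend's certificate verified against an internal CA.
        proxy_pass https://portal_backend;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name                portal.internal.invalid;   # assumed backend name
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the verified client identity to the backend for its own checks.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}

# Redirect plaintext requests to TLS.
server {
    listen 80;
    server_name remote.example-energy.invalid;
    return 301 https://$host$request_uri;
}
```

The backend never sees plaintext on the wire, and the proxy rejects connections that do not present a certificate issued by the workforce CA before any application code is reached.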

Responding

Complacency surrounding threats to oil, gas, water and power cannot exist. There are already regulations to ensure buildings are physically secure, so why does nothing of this kind exist for the cybersecurity of critical infrastructure? Europe and the UK should take a steer from the US government, as it has made some progress in this area. Senators have proposed the ‘Internet of Things Cybersecurity Improvement Act of 2017’ to ensure that all IoT devices supplied to government meet a baseline of cyber security measures.

The motives of hackers range from stealing data and crippling businesses, to upsetting or threatening citizens and causing reputational damage to governments. Every facet of our lives could be at risk. The government and industry must prioritise the protection of our infrastructure to minimise the damage as much as possible, working together to defend against new threats. One of the first things to do is to get the word out as soon as attacks happen, alerting the authorities and others in the same industry in order to prevent further compromise. Initiatives such as NCSC’s Cyber Information Sharing Partnership (CiSP) are a fantastic resource, though not widely known about, and information needs to be shared in near real-time.

To defend against targeted attacks, organisations should deploy a risk-based approach to information security and consider the impact of compromise. This approach would very likely show that, while some savings can be made in combining workstations for email use and control of industrial systems, the risks are too high to ignore.

Organisations need to work with vendors and penetration testers to discover vulnerabilities that may be open to being exploited and what technical measures can be used to mitigate them. While finding vulnerabilities helps organisations understand their exposure, they need the ability to react quickly upon breach discovery to further reduce the impact to the organisation and its customers. The longer a system remains vulnerable, the more likely it is to be compromised.

As enterprises continue to deploy web applications, network and security architects need visibility into who is attacking those applications, as well as a big-picture view of all violations to plan future attack mitigation. Administrators must be able to understand what they see to determine whether data flowing over the network is valid or an attack, which requires cyber defences that can differentiate between good and bad traffic. Our critical infrastructure is at risk and such cyber attacks are no longer conceptual. The frequency of attacks is increasing as the armoury of cybercriminals evolves. Companies and governments need to work together to design cyber strategies that protect infrastructure and citizens from these complex threats.
