Critical infrastructure systems are the backbone for controlling and managing essential services for industries including oil and gas, utilities, healthcare and public sector, says Craig Hockley, regional director for South Africa and sub-Saharan Africa, McAfee.
Any of these sectors could be targets of security attacks; anything from Supervisory Control and Data Acquisition (SCADA) systems and/or Industrial Control Systems (ICS), to hospital heart monitors, transportation, digital meters, lights and appliances, could also be at risk.
Without the proper security controls and strategies in place, critical infrastructures could experience operational failures, security breaches, regulatory penalties, and in some cases, even life and death situations.
Cybercriminals are constantly in search of new targets of attack, and critical infrastructures are no exception. In fact, critical infrastructures are often a prime target because of their broad reach, interconnectedness and use of embedded systems – not to mention that many of them function by a combination of legacy and more modern equipment.
In the past, critical infrastructure was overseen by several technology domains that were physically separated by “air gaps” with no direct connection to each other. These domains usually included an organisation’s IT network, ICS and SCADA systems. Today, data delivery across these once-separate domains have now become commonplace.
Yet while open communications between business and control systems has resulted in creating better efficiencies, it has also opened the door to security vulnerabilities where an attacker could potentially gain access into all three domains by breaking into any one of them.
With multiple ways of entering the network, organisations and their IT executives need to be made aware of the threats that exist and know what security solutions and strategies can be implemented to safeguard them.
One of the biggest challenges facing organisations and their critical infrastructures is being prepared for the types of threats that exist. Most attacks can be categorised into one of three areas: espionage, extortion and sabotage. While threats take on various forms, the motives behind them often remain the same: financial gain, data theft, or shutting down facilities.
Advanced persistent threats, and other security vulnerabilities to endpoints such as mobile devices and social media channels also present an element of risk and must be protected against.
In the past five years alone, McAfee has seen an increase in both volumes and sophistication of attacks, in addition to the number of groups that are spearheading them.
While spear phishing, attacks that are directed at specific individuals or companies, and SQL injections, attacks that target databases through a Web site, are two of the most commonly used forms of attack, other threats still exist and need to be protected against.
Not all attacks are easily evident though. In fact, many cyber-threats are often subtle and go unnoticed. One example of a recent stealth attack, is Night Dragon, which began in 2009 as a series of targeted attacks against global energy, oil and petrochemical companies.
Disguised as everyday system administrative tools, this virus was able to gain access to desktop PCs, servers and extranets and captured usernames and passwords with the intent to steal sensitive proprietary data.
The Stuxnet worm is another example of a targeted attack, which gained widespread media and public attention in 2010, when it attacked several facilities around the world, including Iran’s nuclear enrichment infrastructure.
Not only did the Stuxnet worm target SCADA systems, but it also spread throughout infrastructures through removable media devices such as USB drives. Since it was discovered, additional variants of the malware have also been reported around the world — proving that organisations, regardless of their locations, must continually assess and enforce security policies and best practices.
There are several precautions organisations must consider to better protect their systems, data and their people. In addition to utilising security solutions such as anti-virus, firewalls and encryption, McAfee has provided this list of best practices and recommendations for how organisations can better counter these threats.
Organisations need visibility into what assets they are protecting, know what their functions are, who has access to them and what counter measures are currently in place. Since data passes through all technology domains in critical infrastructure environments, having situational awareness is key to achieving increased network security and makes it easier for IT to manage, monitor and report across zones.
Dynamic blacklisting and whitelisting techniques ensure that only trusted applications are allowed to run on devices. By essentially mandating the “who, how, when and what” security risk levels are lessened.
Security firewalls and intrusion prevention systems (IPS) offer protection between zones by providing perimeter protection to the networks. Corporate IT Must Play a Larger Role: An organisation’s IT department shouldn’t be treated as a separate entity from its business counterpart.
Instead, more collaboration is required in order to achieve better communication and visibility results.
An awareness and adoption of the proper security solutions, best practices and policies that span across organisations, will help reduce the risks of critical infrastructures being attacked and compromised and furthermore, will also protect our systems and the services on which we are so dependent.