When we think of national critical infrastructure, it's common to immediately consider nuclear power plants and the electric grid. Through presidential directive (HSPD-7), however, we have outlined a far bigger set of critical infrastructure sectors, and upon some inspection, it's important to consider why. In our interconnected world, there is scarcely a single organization that doesn't have its own critical infrastructure, and most importantly, infrastructure that is globally interconnected via operations and IT networks.
If you are forging steel with computer-controlled furnaces or regulating the quantity of toothpaste being injected into a tube, you probably consider downtime in those systems a critical threat to company success. Critical infrastructure in the context of national security is important both as the lifeblood of various companies and as the support framework that keeps us safe, moves us around, and provides our standard of living: safe water in the sink and the power to turn on the lights, but also safe pharmaceuticals, tracking of restricted chemicals, and the integrity of the core systems that manage our digital transactions.
These various types of critical infrastructure have unique requirements for both functionality and uptime, but they were not built from the ground up to be security focused. At the time that many of these critical systems were being built, cyberterrorism, corporate cyberespionage, and global interconnectivity simply weren’t issues of the day. Today is a far different story. Theft, corruption, or outright destruction of these systems can have a crippling effect on human safety, financial stability, and standard of living.
1. An attacker purchases a fairly inexpensive off-the-shelf rootkit with well-established signature detection avoidance features, a command-and-control communication model, and a noise engine.
2. With some effort, the attacker repurposes some of the features of this kit to make it unique to their specific purposes, and also unique upon each installation.
3. The attacker establishes a new command-and-control architecture using throw-away domains, dynamic DNS, and anonymous hosting services, at additional cost.
4. Or, the attacker utilizes the criminal ecosystem to rent access to a well-maintained and well-hidden command-and-control infrastructure.
5. Instead of deploying the weaponized kit on his or her own, the attacker pays yet another established partner to install the kit throughout the target organization's network using a phishing campaign.
6. Even a single installation of this kit within the target organization establishes a foothold from which to expand to other systems and gather information.
7. Directed by the controlling attacker, the compromise jumps from host to host, using new variants and new command-and-control domains upon each new installation, erasing records of its existence, and exfiltrating interesting data.
8. The attacker finally lands on a host with a copy of a "SCADA_Network_Diagram" file. This host also appears to be running a read-only SCADA Dashboard application.
Cyber attacks on critical infrastructure don't always start as direct hacking or penetration into critical systems. It is much more common for these complex attacks to be insidious progressions of compromise. They start as run-of-the-mill botnets or adware on an employee computer, but progress in severity over weeks or even months. All is not lost, however. There are many steps that can be taken to prevent a breach even when the initial infection prevention has failed.
“But nobody is interested in our Industrial network. We just make widgets.”
Well, exactly. If you have the world's most efficient process to manufacture, package and ship widgets, I'm sure you have a foreign competitor interested in stealing it. Though it is rarely spoken out loud, there still exists a culture at many organizations that shrugs off security concerns, either because their industrial network hasn't been considered critical by presidential directive, or because they haven't yet suffered the pain of intellectual property theft or system sabotage. One important thing that information security leadership can do is regularly educate the business unit leaders about the threats they face, and why critical infrastructure isn't just for the power grid. Political will to shift the necessary resources into network security can have a lasting impact on whether malware escalates from infection nuisance to corporate damage.
It is still quite likely that the Operations Technology (OT) folks have had limited cross-training in information security. The reverse is equally true. Establish some sort of rotational cross-training program between the operations teams and the information security team. Get external training through any number of infosec training groups, or the US ICS-CERT (http://ics-cert.us-cert.gov/).
One of the simplest ways to sneak into any business network is to look around for mistakes: holes poked in the firewall, misconfigured VLANs or routing, and Internet-facing servers that have yet to be hardened. These gaps exist in the SCADA and control networks as well. One of the best tools to combat this is an integrated and, most importantly, audited network map that outlines both the IT and OT networks, all of their interconnection points, and the data intended to be shared across these alleged security boundaries.
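An audited network map is only useful if it is checked against what the network actually does. The following is an added example, not code from the original article: it takes a declared map of zones and intended IT/OT interconnection points (the zone names, address ranges, allowed flows and the sample flow records are all constructed for illustration) and reports every observed cross-boundary flow the map does not account for. Feeding it real firewall or NetFlow export is the obvious next step.

```python
"""Audit observed IT/OT boundary traffic against a declared network map.

Added example (not from the original article). Zone names, address ranges,
allowed interconnects and flow records below are all constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network map: which address ranges belong to which zone.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control_net": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed list of *intended* interconnection points: the only cross-zone
# conversations the audited map says should exist, and what each carries.
# Anything else crossing a zone boundary is a finding.
ALLOWED_INTERCONNECTS = {
    # (source zone, destination zone, destination port, protocol): purpose
    ("dmz", "control_net", 502, "tcp"): "historian polls PLC registers (Modbus/TCP)",
    ("corporate_it", "dmz", 443, "tcp"): "read-only dashboard over HTTPS",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(addr: str) -> str:
    """Map an address to its zone on the network map, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"   # an address the map does not account for at all


def audit_flows(flows, allowed=ALLOWED_INTERCONNECTS):
    """Return a Finding for every flow that crosses a boundary the map does not declare."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d and s != "unknown":
            continue   # intra-zone traffic is out of scope for a boundary audit
        if s == "unknown" or d == "unknown":
            findings.append(Finding(f, s, d, "endpoint not on the network map"))
            continue
        if (s, d, f.dport, f.proto) not in allowed:
            findings.append(Finding(f, s, d, "cross-zone flow not in the audited map"))
    return findings


# Constructed sample of observed flows (e.g. from firewall or NetFlow export).
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "192.168.100.10", 502, "tcp"),       # declared: historian -> PLC
    Flow("10.10.4.22", "10.20.0.5", 443, "tcp"),           # declared: dashboard access
    Flow("10.10.4.22", "192.168.100.10", 502, "tcp"),      # IT workstation speaking Modbus straight to a PLC
    Flow("10.10.7.9", "192.168.100.10", 22, "tcp"),        # SSH from IT into the control net: not on the map
    Flow("172.16.3.3", "192.168.100.10", 502, "tcp"),      # source range missing from the map entirely
    Flow("192.168.100.10", "192.168.100.11", 502, "tcp"),  # intra-zone, ignored
]

if __name__ == "__main__":
    for fnd in audit_flows(SAMPLE_FLOWS):
        fl = fnd.flow
        print(f"{fnd.src_zone} -> {fnd.dst_zone}: {fl.src} -> {fl.dst}:{fl.dport}/{fl.proto}  ({fnd.reason})")
```

Each finding is either a boundary crossing the map never declared (a hole poked in the firewall, or a misrouted VLAN) or an endpoint the map does not know about at all; both are exactly the "mistakes" the paragraph above says an intruder looks for, and both should drive an update to either the network or the map.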
Follow the riskiest threats
Since there is no way to know with certainty which threats, actors, or malware pose the most risk, we have to make some assumptions. It seems likely that the advanced threats are those whose infections you can't prevent with any regularity. If the advanced ones are the hardest to prevent, then they are probably also the riskiest. This means that infection detection should be taking center stage for the information security team. Intrusion Detection Systems (IDS) arguably have 10 years of broken promises in this department, but we need to give infection detection a closer look. Improvements in predictive analytics and big data may help shift power back to the defenders.
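One concrete form of the "infection detection" the paragraph calls for, aimed at the command-and-control traffic described in the attack progression above (throw-away domains and dynamic DNS, a kit that calls home on a schedule), is to look for hosts that resolve the same name at suspiciously regular intervals. The following is an added example, not code from the original article: it parses a constructed resolver log, scores each (client, name) series by how constant its inter-query gaps are, and tags hits that fall under a dynamic-DNS suffix. The log lines, host addresses, domain names and the suffix list are all constructed placeholders; a real deployment would feed in resolver logs and a maintained dynamic-DNS provider list.

```python
"""Flag periodic DNS lookups (beacon-like behaviour) in resolver logs.

Added example, not from the original article. The log format, clients,
domain names and the dynamic-DNS suffix list are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder list: in practice populate this from your own
# threat intelligence or a maintained list of dynamic-DNS providers.
DYNAMIC_DNS_SUFFIXES = ("dyn-example.test", "ddns-example.test")

# Constructed resolver log, one "timestamp client qname" record per line.
# 10.10.4.22 asks for the same dynamic-DNS name every ten minutes (give or
# take a couple of seconds); 10.10.7.9 browses a news site at irregular times.
SAMPLE_LOG = """\
2013-06-01T08:00:00 10.10.4.22 update.vendor-example.test
2013-06-01T08:00:02 10.10.4.22 a7f3.ddns-example.test
2013-06-01T08:10:01 10.10.4.22 a7f3.ddns-example.test
2013-06-01T08:20:03 10.10.4.22 a7f3.ddns-example.test
2013-06-01T08:30:00 10.10.4.22 a7f3.ddns-example.test
2013-06-01T08:40:02 10.10.4.22 a7f3.ddns-example.test
2013-06-01T08:05:13 10.10.7.9 news.example.test
2013-06-01T08:31:40 10.10.7.9 news.example.test
2013-06-01T09:12:08 10.10.7.9 news.example.test
2013-06-01T11:47:55 10.10.7.9 news.example.test
"""


def parse_log(text):
    """Yield (client, qname, timestamp) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield client, qname.lower().rstrip("."), datetime.fromisoformat(ts)


def is_dynamic_dns(qname):
    """True if qname is, or sits under, one of the listed dynamic-DNS suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_beacons(records, min_queries=4, max_jitter=0.2):
    """Return (client, qname, mean_gap_seconds, cv) for query series whose
    inter-arrival times are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps; human
    browsing produces large cv, a timer-driven callback a very small one.
    """
    series = defaultdict(list)
    for client, qname, ts in records:
        series[(client, qname)].append(ts)

    hits = []
    for (client, qname), times in series.items():
        if len(times) < min_queries:
            continue            # too few points to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue            # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            hits.append((client, qname, avg, cv))
    return hits


def triage(text):
    """Beacon candidates as (client, qname, rounded mean gap, dynamic-DNS flag)."""
    return [
        (client, qname, round(avg), is_dynamic_dns(qname))
        for client, qname, avg, _cv in find_beacons(parse_log(text))
    ]


if __name__ == "__main__":
    for client, qname, gap, ddns in triage(SAMPLE_LOG):
        tag = " [dynamic DNS]" if ddns else ""
        print(f"{client} resolves {qname} every ~{gap}s{tag}")
```

The thresholds are deliberately simple: `min_queries` keeps one-off lookups from being scored, and `max_jitter` is the tolerance for how regular the gaps must be. Tuning them, and adding the newly-registered-domain and reputation checks the paragraph alludes to under "predictive analytics", is where the real detection engineering starts; the point here is that a rootkit which rotates domains on every install still has to phone home, and the cadence of that call is visible in logs the defender already has.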