The growing risk from critical infrastructure cyberthreats [Q&A]
The more reliant businesses become on technology the more risk they face from a range of cyberthreats. This is especially true when it comes to critical infrastructure as it's an attractive target for nation state and other attackers.
We spoke to James Carder, chief security officer and vice president of labs at SIEM platform LogRhythm to discover more about critical infrastructure threats and how to guard against them.
BN: Why has critical infrastructure cybersecurity become a major concern?
JC: Some critical infrastructure organizations have a history of not keeping pace with modern cybersecurity tools, and threat actors are increasing their attempts to hack into critical infrastructure at an exponential rate. The Florida water hack cast a bright light onto the vulnerable nature of our nation’s critical infrastructure. There is a great need for owners of these entities, such as utility, manufacturing, agriculture and banking, to up their awareness level for evolving threats and adopt technologies that offer proper protection.
Tools and technologies used in critical infrastructure have inherent capabilities that can be leveraged by attackers for malice just as they can be leveraged by employees to operate as intended. For example, the air gap methods deployed by some are beginning to erode as technologies that bridge assets to the corporate network or broader internet are increasingly being embraced. While CISOs and their security teams have predominantly been focused on traditional cybersecurity attack methods, it must be noted that attacks on critical infrastructure are usually more targeted and the tactics used are unique as a result. Additionally, operational risks to the business are starting to be more of a focus for CISOs than just cybersecurity risks, as both can also be one and the same.
BN: Certain industries are more susceptible to various threats or threat actors, and critical infrastructure is no different. How can organizations become familiar with the threats targeting their sector?
JC: Speaking broadly, a good place to start is the MITRE ATT&CK framework for Industrial Control Systems (ICS), which classifies malicious cybersecurity events against an operational technology (OT) environment.
It is also important for companies to keep up with the Industrial Control Systems Cyber Emergency Response Team, which distributes advisories as the organization becomes aware of critical infrastructure-specific security issues, as well as the Cybersecurity and Infrastructure Security Agency (CISA), which issues important cybersecurity alerts and advisories as a part of the Department of Homeland Security.
Most of the nation-state threat actors target critical infrastructure organizations (e.g. financial services, healthcare, etc.). While the above resources are great and should be a part of the education process, it is equally important to seek out vertical-specific known threat intel from groups such as sector-specific Information Sharing and Analysis Centers (ISACs), which are designed to maximize the flow of information across the private sector critical infrastructures and the government.
Law enforcement entities such as the FBI are another great resource for determining and identifying cybercriminals targeting a certain industry.
BN: The need for water infrastructure cybersecurity has become a growing concern after the recent cyberattack on the water treatment plant in Florida made national headlines. What should these organizations be doing to better protect their assets?
JC: From a holistic standpoint, critical infrastructure attacks make up a small fraction of cyber hacks, but the impact can be absolutely catastrophic. Over the past 20 years, CISOs have largely neglected operational technology and operational risk by air gapping network security and physically isolating platforms from unsecured networks. This was not the case in Florida, as the water treatment facility's infrastructure was internet accessible and employed an outdated remote access software platform that was dormant for an extended period of time, and subsequently accessed.
Fortunately, this instance was caught quickly and a major crisis was averted, but this is a warning that all organizations should be looking into operational risk, as this is a seriously overlooked attack vector. To remedy some of these threats, organizations must start treating operational risk like a cybersecurity risk. For example, there could be issues within the operations such as parts that failed to send the proper amount of chlorine or properly check the pH levels of the water, or it could be a cyber attacker purposely changing what the operations are doing to put an entire population at risk. Organizations have to know quickly one way or the other. We saw this happen in January 2010 when it was believed that parts at a uranium enrichment plant in Iran were failing, but in reality it was actually an adversary using the computer worm Stuxnet to purposely manipulate the plant's operations.
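The "know quickly one way or the other" point above, telling a failing component apart from a deliberately altered setpoint, is the kind of question a detection rule can answer by joining process telemetry with control-command logs. The following is an added example written for this article; it is not LogRhythm's code or anything from the interview. The tag names, safe operating bands, log line formats, the trusted-source list and the sample data are all constructed assumptions.

```python
"""Correlate out-of-band OT process readings with recent setpoint commands.

Added illustration, not product code. Every tag name, band, source name and
log format below is an assumption made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed safe operating bands per process tag (assumed values).
SAFE_BANDS = {
    "chlorine_ppm": (0.5, 4.0),
    "ph": (6.5, 8.5),
}

# Sources from which setpoint changes are expected; anything else is untrusted (assumed).
TRUSTED_COMMAND_SOURCES = {"hmi-console-1"}

# How far back to look for a command that could explain an out-of-band reading.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed telemetry lines: "<iso timestamp>,<tag>,<value>"
SAMPLE_READINGS = [
    "2021-02-05T13:00:00,chlorine_ppm,1.2",
    "2021-02-05T13:05:00,ph,7.1",
    "2021-02-05T13:20:00,chlorine_ppm,0.2",   # low, no command nearby
    "2021-02-05T14:10:00,ph,11.0",            # high, follows an untrusted command
    "2021-02-05T15:00:00,chlorine_ppm,4.5",   # high, follows a console command
]

# Constructed control-command lines: "<iso timestamp>,<tag>,<new setpoint>,<source>"
SAMPLE_COMMANDS = [
    "2021-02-05T14:05:00,ph,11.0,remote-desktop-session",
    "2021-02-05T14:55:00,chlorine_ppm,4.5,hmi-console-1",
]


@dataclass
class Reading:
    ts: datetime
    tag: str
    value: float


@dataclass
class Command:
    ts: datetime
    tag: str
    setpoint: float
    source: str


def parse_readings(lines):
    """Parse constructed telemetry lines into Reading records."""
    out = []
    for line in lines:
        ts, tag, value = line.split(",")
        out.append(Reading(datetime.fromisoformat(ts), tag, float(value)))
    return out


def parse_commands(lines):
    """Parse constructed control-command lines into Command records."""
    out = []
    for line in lines:
        ts, tag, setpoint, source = line.split(",")
        out.append(Command(datetime.fromisoformat(ts), tag, float(setpoint), source))
    return out


def classify(readings, commands):
    """Return (timestamp, tag, value, verdict) for every out-of-band reading.

    Verdicts:
      possible-equipment-fault  - no setpoint command explains the deviation
      untrusted-setpoint-change - a recent command came from an unexpected source
      operator-change-review    - a recent command came from a trusted console
    """
    alerts = []
    for r in readings:
        lo, hi = SAFE_BANDS[r.tag]
        if lo <= r.value <= hi:
            continue  # within band, nothing to explain
        recent = [
            c for c in commands
            if c.tag == r.tag and timedelta(0) <= r.ts - c.ts <= CORRELATION_WINDOW
        ]
        if not recent:
            verdict = "possible-equipment-fault"
        elif any(c.source not in TRUSTED_COMMAND_SOURCES for c in recent):
            verdict = "untrusted-setpoint-change"
        else:
            verdict = "operator-change-review"
        alerts.append((r.ts.isoformat(), r.tag, r.value, verdict))
    return alerts


def run_demo():
    """Run the classifier over the constructed sample data."""
    return classify(parse_readings(SAMPLE_READINGS), parse_commands(SAMPLE_COMMANDS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The three verdicts map onto the distinction the answer draws: a deviation with no command behind it points at the process or equipment, a deviation that follows a command from outside the expected operator consoles is what a remote-access intrusion would look like, and a deviation that follows a console command still deserves review rather than silent acceptance. A real deployment would read these two feeds from the historian and the HMI audit log rather than from literal strings.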
BN: Looking ahead, how will the stakes continue to rise for protecting critical infrastructure?
JC: It is very likely that the next world war will be fought through cyber means. The SolarWinds breach proved that Russians are capable of compromising our entire technology supply chain. It wasn't SolarWinds that was the target, it was the entire supply chain of a segment of critical infrastructure (technology) and how it is leveraged throughout the US.
As we look to the future, the stakes are only getting higher, with the critical infrastructure landscape becoming even more complicated to protect. Many IoT technologies are being designed specifically for critical infrastructure, and as innovation within IoT continues the new technology will introduce new considerations and new challenges.
Any organization leveraging technology to enable business operations needs to ensure proper protection protocols are established, ranging from threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes. All enterprises, particularly critical infrastructure, need to closely review security measures to ensure their assets are protected.