Defending against critical infrastructure attacks [Q&A]
Critical infrastructure is a prime target for cybercriminals and nation state actors. It often operates on legacy operational technologies (OT) which have vulnerabilities that can't be fixed easily or directly.
We spoke to John Moran, technical director, business development at Tufin, to discuss how organizations can protect themselves. John is a former incident response consultant and is a cybercrime forensics expert.
BN: Why have we seen a spike in this kind of attack in recent years?
JM: Critical infrastructure is an attractive target for both cybercriminals and nation-state actors for the same reason that public places with large numbers of people or significant importance are targets for physical terrorism. They have high potential for widespread economic, safety and psychological impact. Indeed, cyberattacks on critical infrastructure are a form of terrorism.
The impact of an attack on a non-critical infrastructure target is serious for that target. However, in many cases the type of business or service which is substantial enough to be the target of such an attack is also resilient enough to weather the short-term effects (that may even mean a loss of trade for days). The impact is limited to the customer base or user group, it is a major inconvenience and a hit to their brand equity. But in these scenarios, lives and/or national security are not on the line.
A successful attack on a critical infrastructure target is headline news because it will seriously impact the health, safety and economic well-being of an entire region or nation. Even in cases where the immediate impact is minimal, the long-term psychological impact can be devastating. For cybercriminals who are financially driven, the threat of significant impact to the physical, economic and psychological well-being of the population can demand much larger ransom or extortion payments. For cybercriminals who are driven by politics, hacktivism or recognition, an attack on critical infrastructure generates mass media coverage and widespread visibility.
Attacks on critical infrastructure targets are equally valuable for nation-state actors as strategic instruments or weapons of war. Successful attacks can have a material impact on a nation's short-term and long-term capabilities or technological advancements. They can also be extremely intimidating and demoralizing, weakening the resolve of the government, the morale and willpower of military troops, and the support of the population.
BN: How will new technologies like IoT devices and 5G change the threat landscape?
JM: The rapid growth in the number of connected IoT devices has significantly expanded the attack surface. The problem is more than just sheer volume; many of these devices have serious security flaws which often remain unpatched. IT and Security teams often have very little visibility into the IoT devices on the network; compared to more traditional computing platforms, there are relatively few solutions available to monitor these devices for potential threats. We even see 'smart devices' connected to the network without corporate permission or knowledge.
5G's ability to deliver high speed wireless connectivity to distributed IoT devices at scale is allowing organizations to leverage connected devices in ways that were not previously possible. As 5G networks continue to be rolled out and organizations begin to take advantage of the opportunities they provide, we will see a dramatic increase in the number of connected IoT devices. In addition, IT and Security teams will also be tasked with delivering secure access and communication over 5G networks -- comprised of largely wireless systems over which they have little visibility or control.
BN: What's the importance of context in prioritizing vulnerabilities?
JM: Context is everything. Context allows teams to turn raw data into actionable intelligence that can be leveraged to improve the organization's overall security posture in some way. That can be proactively identifying or mitigating threats or responding to a security incident more quickly. Furthermore, context allows organizations to utilize this actionable intelligence to determine where investing their limited security resources will have the largest impact. This is especially important in the vulnerability management domain, where organizations must choose which vulnerabilities must be mitigated and which can be accepted as incremental risk.
Today, the challenge is not a lack of data; the ever-increasing stack of IT and security technologies provides massive quantities of data. The challenge is finding scalable methods to correlate that data in a way that provides the context required to turn raw data into actionable intelligence. Achieving this repeatedly and consistently at scale most often requires automation and can be significantly enhanced with machine learning.
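One way to make the context argument concrete, as an added Python illustration that is not code from Tufin or from the interview: the same raw CVSS score lands at very different priorities once asset criticality, network reachability and known exploitation are correlated with it. All asset names, vulnerability identifiers and weights below are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # 1 = lab box .. 5 = safety-critical OT
    internet_exposed: bool
    reachable_from_it: bool  # reachable from the corporate IT zone

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder id, not a real CVE
    cvss: float
    exploited_in_wild: bool
    patch_available: bool

def exposure_factor(a: Asset) -> float:
    """Network context: how reachable the asset actually is."""
    if a.internet_exposed:
        return 1.0
    if a.reachable_from_it:
        return 0.7
    return 0.3               # isolated / properly segmented

def contextual_score(f: Finding, a: Asset) -> float:
    """CVSS weighted by exposure and asset criticality; known exploitation adds 2."""
    score = f.cvss * exposure_factor(a) * (a.criticality / 5)
    if f.exploited_in_wild:
        score += 2.0
    return round(min(score, 10.0), 2)

def prioritize(findings, assets, mitigate_at=4.0):  # highest contextual score first
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        s = contextual_score(f, by_name[f.asset])
        if s < mitigate_at:
            decision = "accept as incremental risk"
        elif f.patch_available:
            decision = "patch"
        else:                # legacy OT that cannot be patched directly
            decision = "compensating control: segment and monitor"
        rows.append((f.vuln_id, f.asset, s, decision))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory and scanner output (hypothetical names and ids).
ASSETS = [Asset("hmi-01", 5, False, True), Asset("web-kiosk", 1, True, False),
          Asset("lab-vm", 2, False, False)]
FINDINGS = [Finding("hmi-01", "VULN-A", 7.5, True, False),
            Finding("web-kiosk", "VULN-B", 9.8, False, True),
            Finding("lab-vm", "VULN-C", 9.8, False, True)]
```

Sorted by raw CVSS alone the two 9.8 findings would come first; with context, the exploited 7.5 on the reachable, safety-critical HMI outranks both and gets a compensating control because no patch exists.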
BN: What needs to change in order to respond to incidents more effectively?
JM: The best response is preparedness. When attacks against critical infrastructure result in outages, the risks to health, safety and the economy can be immediate. Critical infrastructure needs to be secured in a way that ensures all mission-critical networks and systems are fortified against all but the most sophisticated persistent attackers. If an initial compromise is successful, it is essential that processes and systems are in place to immediately detect the activity and respond to mitigate the threat. There are additional aspects, such as data backups, physically redundant systems, emergency action plans, and even government emergency assistance, that could play a role in critical infrastructure preparedness, although those are probably outside the scope of this overview.
Being prepared requires a comprehensive understanding of your risk exposure and maintaining that insight as risk changes over time. It is not sufficient to simply understand that a potential risk (for example, a vulnerability) exists -- the complete context is necessary to accurately determine how that potential risk translates to real risk to the network. This holistic understanding of risk allows security teams to focus their limited resources on activities which will have the greatest impact on the ability to prevent, detect, and respond to security events.
Being prepared also requires that organizations leverage this holistic understanding of risk to build security guardrails to ensure that the network remains secure as individual devices, vendors, business requirements and administrators change. The basis for these security guardrails may be industry regulations, best practices such as zero trust, insurance requirements, or some combination of these. Whatever the source of these guardrails, some type of automation is usually required to ensure that they are applied consistently and uniformly without impacting operations.
BN: How much of a role do governments need to play?
JM: When it comes to something as essential to the health and safety of the population as critical infrastructure, governments have a duty to ensure that these resources remain secure and available. Often, conversations around a government's role in cybersecurity focus on regulation. While some regulations seem to achieve the intended effect of increasing security and reducing risk, that's not always the case. Why is that? Regulations that focus on prescriptive solutions (for example, 'you must have a firewall') are well-intentioned but tend to be less effective. This kind of 'tickbox' security attempts to provide a one-size-fits-all approach through high-level best practices, but often fails to achieve the intended goals. The most positive impact occurs when regulations focus on outcomes; an autonomous approach can be adopted, which allows each regulated entity to determine the solutions that best achieve the needed outcomes.
To maximize their impact on critical infrastructure security, governments need to be much more than regulatory bodies; they need to become cyber security partners. Governments can also galvanize security through grants and other incentives, providing a 'carrot' to augment the regulatory 'stick'. One way in which governments partner with critical infrastructure is to provide research and analysis, education, and various resources to industry partners. For example, private Information Sharing and Analysis Centers (ISACs) have been formed across the different critical infrastructure centers, and here in the US, the Cybersecurity and Infrastructure Security Agency (CISA) works closely with them. I believe the UK Security Agency also has CISP, the Cybersecurity Information Sharing Partnership. There are several different collaboration efforts between public and private entities that multiply the impact of both prevention and rapid response.