Three Key Steps to Help Protect National Infrastructure

Attacks on the national critical infrastructure are on the rise. Now it's time for their security maturity to rise to the challenge.

By: Hadi Hosn
A “cyber-Pearl Harbor.” The warning from then Secretary of State Leon Panetta was stark. America was increasingly vulnerable to cyber-attacks from aggressor nation states and extremist groups and the consequences could be disastrous.
It's now six years since Panetta issued his caution, and it's clear that it's not just the U.S.'s critical infrastructure that is at risk. In the past twelve years cyber attackers have:
- Compromised the Ukrainian power grid in 2015 with the Black Energy Trojan, targeting the IT infrastructure of three energy distribution companies and temporarily disrupting supply to consumers for several hours
- Once again hit the Ukrainian power grid in 2016 with Industroyer, malware that this time was able to communicate directly with systems in the operational technology environment
- Caused considerable damage to Iran's nuclear program in 2009 with Stuxnet
- Used Shamoon to attack systems at Aramco, Saudi Arabia's national oil company in 2012 and on several further occasions since then
- Attacked critical safety systems for industrial control units at a Saudi oil and gas company in 2017 using Triton, the first time an attack was specifically targeted at systems designed to protect both human operators and physical systems
- Used malware attacks on the SWIFT network to attack banks in Latin America and Asia from 2015 onwards
- Held Britain's NHS hostage with the Wannacry ransomware attack in 2017
- Hit energy and transport organizations in Europe, the U.S., Russia and Ukraine in 2017 with NotPetya malware
- Targeted SCADA systems, particularly in Ukraine, with VPNFilter malware in 2018.
In most of these cases the attackers, the methods used, and the motives were different, and the targets ranged across both IT and operational technology environments. But in nearly every case, the attacks caused considerable and costly disruption. Of course, for peace of mind it's important to remember that this is not Hollywood: many of these systems have processes that are not accessible by cyber means and are designed to act as fail-safes to prevent disaster scenarios. Nonetheless, disruption of service is costly and inconvenient and can cause major damage.
As Panetta's comments show, many governments are well aware of the dangers that attacks on national critical infrastructure, be it food supply, water, financial services, energy, or government, can pose. In the U.K., the National Cyber Security Strategy 2016 to 2021 sets out the government's plan to make Britain and its national critical infrastructure secure and resilient in cyberspace. In the U.S., Presidential Policy Directive 21 (PPD-21), released in 2013 to strengthen and secure the country's critical infrastructure, states that the federal government has a responsibility to strengthen the security and resilience of its own critical infrastructure against both physical and cyber threats. Many other countries, in NATO and elsewhere, have similar national cybersecurity strategies in place.
As the British strategy document puts it, “A successful cyber-attack … would have the severest impact on the country's national security … a bearing on the lives of UK citizens, the stability and strength of the UK economy, or the UK's international standing and reputation.”
It's unfortunate then that many of these nationally critical organizations are not managing their cyber risk as well as they might. The U.K. government, in its publication National Cyber Security Strategy 2016-2021, stated:
5.4.2. More needs to be done to protect these vital parts of our economy and support the organisations that heavily influence others. Our CNI – in both the private and public sector – continues to be a target for attack. Across these and many other priority sectors cyber risk is still not properly understood or managed, even as the threat continues to diversify and increase.
Secureworks' experience backs up this position. In early 2018, Secureworks™ surveyed 350 organizations across multiple sectors to find out how they respond to cyber threats and how mature their security posture is.
Here are just a few of our findings amongst organizations in nationally critical sectors:
- The energy, utilities and manufacturing sector has the lowest proportion of security staff as a percentage of overall IT staff of any sector.
- It spends the least on security as a percentage of the overall IT budget.
- It is the sector least likely to have advanced endpoint security measures in place.
- It's also least likely to use continuous risk assessment to drive cloud security strategy.
Tackling the Problem
Governments are now translating their security strategies into regulatory requirements. In Europe, the NIS (Network and Information Systems) Directive, which came into force in May 2018, provides legal measures to boost the overall level of cybersecurity in national critical infrastructure industries across the E.U.
In the U.S., the NIST Framework for Improving Critical Infrastructure Cybersecurity contains standards, guidelines, and best practices to manage cybersecurity-related risk. It is mandatory for federal agencies and is a requirement in many procurement processes. It is also becoming law for small businesses working with government entities. It is, however, very early in the regulatory compliance process, and widespread compliance will take many years; organizations operating in nationally critical sectors should not use that as a reason to delay improving their security programs and maturity.
As a priority, there are some key steps for people working in those industries to take. But first, here are a few points that are important to understand.
Firstly, critical infrastructure organizations can't eliminate cyber risk entirely, since the business needs to grow and innovate and do things that create cyber risk, such as adopting new technologies, expanding into new markets, or carrying out mergers and acquisitions. But the security teams in these organizations can monitor and manage cyber risk and ensure that they have the right prediction, prevention, detection and response controls in place, especially as they increasingly operate in the new world of the Industrial Internet.
Secondly, in these sectors, sharing information about threats and attacks is particularly important to reduce risk for everyone and stop attacks before they spread. The resources exist to set up the formal information sharing partnerships and groups that will help keep these critical industries one step ahead of attackers.
Thirdly, educating people within the organization and external business partners about cybersecurity hygiene is vital. Many of these events started with someone opening a malicious email attachment or clicking a malicious link in an email. And let's not forget business partners and other third parties – the risks of the supply chain are extreme.
As an industry, we must focus on spreading the message about security awareness and carrying out day-to-day work activities securely. Until that message is received and acted on, people are still the biggest risk.
- The first key step for any organization in this sector to improve its security is to understand and map what its critical processes and data are and the architecture of its systems. It also needs to know what threats it faces and who might attack them and why.
- Once they have developed a basic understanding of potential exposure, organizations can begin to move forward with a plan for bringing the right people and skills together to build a successful program. There are frameworks to use for this, be it one of the national frameworks I've discussed above or an industry framework such as the Secureworks Security Maturity Model. And once an organization has chosen this framework, it should assess its security capabilities against it on an ongoing basis. It should also prepare for a cybersecurity incident. That means having incident response plans in place and investing in the right people to ensure that the plans can be put into action.
- The final key step is to find the right trusted security partner to support the organization in developing and implementing the framework controls. It is neither simple nor advisable to attempt to isolate the organization in security terms, and it is particularly regrettable that our research showed that critical infrastructure organizations are more likely to do this than many other sectors.
The threats to critical infrastructure are growing and they are not going away. Governments worldwide are actively promoting a culture of improved security for relevant organizations but even where compliance is not yet required, there are steps that organizations should take to protect themselves according to the risk they face. And they should not hesitate to reach out to take advantage of the support available to help them take those steps.