Q&A: Why critical infrastructure security requires special attention

Threats to critical infrastructure can disrupt communication, transport, oil & gas, power and critical manufacturing industries.

As more and more aspects of our lives become cyber-dependent, we offer a greater and potentially more dangerous attack surface to cyber criminals. It’s therefore clear that critical infrastructure needs special attention.

We recently met with Kirill Slavin, managing director for the UK & Ireland at Kaspersky Lab, to discuss the security threats critical networks are facing and how they can be protected against.

1. Just how serious is the security threat to critical networks and are some countries more at risk than others?

The world is not ready for cyber-attacks on critical infrastructure. Governments are not ready, law enforcement isn’t ready, the facilities themselves are not ready, and the people who design, build and operate them are often the least ready of all. Unfortunately, the criminals are very ready indeed.

The world needs to wake up to the vulnerability of critical infrastructures to cyber-attack and to respond, emphatically, with Government regulation, industry-wide collaboration, education and deep, tailored protection. This threat is global. Known victims to date include power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals, among others.

And those are just the organisations that both spotted an attack and publicly acknowledged it. Many of those hit do neither. This means that robust data on the number and impact of attacks can be hard to come by, hampering risk assessment and response.

2. What types of attacks are they coming up against most often?

Most attacks target industrial systems, production lines, transport and telecommunications networks, hacking into SCADA systems, sometimes through basic tactics such as spear-phishing or malware, before spreading out to manipulate or even disable the infrastructure.

However, infrastructure attacks can be categorised into two main groups: some are so sophisticated that they can only be backed by nation-states intent on cyber-sabotage and cyber-terrorism; while others, implemented by criminals, are purely about theft.

3. Is critical infrastructure getting the attention it deserves in terms of cyber security?

After many years of working with clients trying to protect industrial systems – from oil refineries to railway systems – one thing is clear: critical infrastructure needs special attention. Like all companies, industrial facilities depend on computers and software, but the range of technological solutions used is very different from a typical office. You can find ten-year-old machines still working as though they are as good as new, and operators that are not worried about the cost of replacement. In fact, it’s not uncommon to find ten-year-old machines, some of which are running outdated operating systems such as Windows XP.

It’s not a question of laziness, neglect or even a question of the cost of replacing the legacy systems. The real issue is that industrial operators face million-dollar losses from downtime on one side and compliance failure fines ranging from $1K to $1M per day on the other. The pressure to replace or update the IT infrastructure is not the same as in a normal business either. This is because in an industrial setting, many of the tasks that computers are asked to perform are quite basic and require very little processing power. They don’t need the latest and greatest kit.

4. Do governments have a bigger role to play in ensuring our critical networks remain secure?

There should be urgency for addressing these potential dangers, as the more advanced and software-controlled critical infrastructure becomes, the more vulnerable it will be to attack, and the higher the impact – not just in terms of economic performance but in risk to human life.

However, a complication is that the computer management systems running the critical infrastructure are rarely checked with the rigour and regularity applied to physical components, due to a lack of Government regulation. Partner networks, education and training, all supporting advanced security solutions, play a critical role in protecting critical infrastructures, but, importantly, Governments must step up too.

Critical infrastructure is about national security; about global security and the global economy, and Governments should play the leading role. They need to introduce regulation for the cyber-systems that manage critical infrastructures.

5. What can traditional businesses learn from the issues facing critical infrastructure operators?

There are positive examples of critical infrastructure specifics that may be adopted by traditional businesses right away. These include:

Observability mode: Security solutions are deployed extremely carefully in critical industrial environments. Solutions should be able to monitor activity and detect threats, but leave the decision to block an attack to the operator. Industrial systems rely upon customised software, so even the potential conflict between a security solution and, for instance, operations of a railway system, cannot be allowed. For a typical IT infrastructure, this provides us with a good example of the careful deployment of a new feature – such as application control. Run it in the background, collect all of the stats, analyse and refine, and only then – roll out full functionality.

Security assessment: Critical infrastructure always works together with traditional IT, and the fact that different teams are usually responsible for security of those two entities is challenging. An independent look by security experts proficient in both industrial systems and general IT helps to identify potential weaknesses usually found at the meeting point between two systems. This is also true for any traditional IT infrastructure. In fact, the variety of endpoints, mobile devices, on-site servers and cloud services is no less complicated than a power plant.

Exploit prevention: Technologies designed to identify attacks using previously unknown vulnerabilities are one level above traditional anti-malware systems. As we learned from Stuxnet, critical infrastructure may be targeted with the most advanced cyber weapons. Unlike traditional malware, targeted and advanced attacks require special tools. As we know, targeted attacks put businesses in danger even more than industrial facilities.

The best takeaway from mission-critical experience is the need to have the right attitude. When you know that the wrong software update can cause an hour’s outage and losses of thousands of dollars per minute, you have to alter your approach.

Traditional IT is usually more relaxed, although it is possible to lose an estimated £10.5 billion per year due to downtime from a security incident. Given this, adopting a ‘critical’ attitude when thinking about IT security seems to be a wise choice.
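The "observability mode" rollout described in the answer above (monitor first, collect statistics, refine the policy, then enforce) can be made concrete with a small application-control model. This is an added example, not code from the interview or from Kaspersky Lab: the event format, host names, file paths and hashes are all constructed, and `Mode.AUDIT` / `Mode.ENFORCE` are names chosen here for the two phases.

```python
"""Two-phase application control: audit (observe only), refine, then enforce.

Added example, not from the interviewee or any vendor product. Every process
launch is checked against an allow-list. In AUDIT mode a 'block' verdict is
only tallied, never acted on, so the operator can see what enforcement would
have stopped and fix the policy before switching it on.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"      # record verdicts, always let the process run
    ENFORCE = "enforce"  # act on verdicts


@dataclass(frozen=True)
class ExecEvent:
    """One process-launch event as an EDR or OS audit log might report it."""
    host: str
    path: str
    sha256: str


@dataclass
class Policy:
    allowed_hashes: set            # individually approved binaries
    allowed_dirs: tuple            # path prefixes trusted as a whole


def verdict(policy, event):
    """Return 'allow' or 'block' for one launch, independent of mode."""
    if event.sha256 in policy.allowed_hashes:
        return "allow"
    if any(event.path.startswith(d) for d in policy.allowed_dirs):
        return "allow"
    return "block"


@dataclass
class AppControl:
    policy: Policy
    mode: Mode
    would_block: Counter = field(default_factory=Counter)  # audit stats by path

    def handle(self, event):
        """Decide whether the process may run. In AUDIT mode the answer is
        always True, but a 'block' verdict is counted for later review."""
        if verdict(self.policy, event) == "allow":
            return True
        if self.mode is Mode.AUDIT:
            self.would_block[event.path] += 1
            return True
        return False


def run(policy, mode, events):
    """Feed a launch-event stream through one AppControl instance.
    Returns (allowed count, blocked count, audit counter)."""
    ac = AppControl(policy, mode)
    allowed = sum(1 for e in events if ac.handle(e))
    return allowed, len(events) - allowed, ac.would_block


def refine(policy, events, approved_paths):
    """Operator step after reviewing the audit report: approve the hashes seen
    at paths confirmed legitimate. Returns a new Policy; the old one is kept."""
    extra = {e.sha256 for e in events if e.path in approved_paths}
    return Policy(policy.allowed_hashes | extra, policy.allowed_dirs)


# Constructed sample data: two HMI stations, an engineering workstation, and
# a vendor install directory that the initial policy already trusts.
BASE_POLICY = Policy(allowed_hashes={"aa" * 32}, allowed_dirs=("C:\\Vendor\\",))
EVENTS = [
    ExecEvent("hmi-01", "C:\\Vendor\\HMI\\hmi.exe", "aa" * 32),
    ExecEvent("hmi-02", "C:\\Vendor\\HMI\\hmi.exe", "aa" * 32),
    ExecEvent("eng-ws", "C:\\Tools\\plc_backup.exe", "bb" * 32),  # legitimate, not yet listed
    ExecEvent("hmi-01", "C:\\Tools\\plc_backup.exe", "bb" * 32),
    ExecEvent("hmi-02", "C:\\Users\\Public\\update.exe", "cc" * 32),  # unexpected one-off
]

if __name__ == "__main__":
    # Phase 1: observe. Nothing is blocked, but the report shows what would be.
    _, _, stats = run(BASE_POLICY, Mode.AUDIT, EVENTS)
    for path, n in stats.most_common():
        print(f"would block {n}x  {path}")
    # Phase 2: operator approves the backup tool, then enforcement is turned on.
    refined = refine(BASE_POLICY, EVENTS, {"C:\\Tools\\plc_backup.exe"})
    allowed, blocked, _ = run(refined, Mode.ENFORCE, EVENTS)
    print(f"enforce: allowed={allowed} blocked={blocked}")
```

Running the script shows the point of the two-phase rollout: enforcing the initial policy directly would have blocked the legitimate backup tool on two hosts, while the audit report lets the operator approve it first so that only the unexpected binary is stopped once enforcement starts.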
