Industrial control systems are as a whole, a set of technologies that the majority of people do not understand. However, they play a crucial role in many Critical National Infrastructure (CNI) facilities, which enable us to live our lives with our basic needs satisfied. From oil refineries to water treatment works and even nuclear power stations, these industrial control systems are the brains that control critical physical processes which can affect hundreds of thousands or even millions of people at a time. But ever since 2010’s infamous Stuxnet attack, one of the world’s most terrifying cyber-attacks so far which saw a virus infiltrate Iran’s Natanz nuclear facility, highlighted just what could be done with a well-placed cyber-attack on critical infrastructure, these systems have become a ticking security time bomb. Into 2017, as hackers continue to grow in numbers and expertise, as well as increasingly targeting higher value industries, including CNI firms, this bomb could be about to explode with a potentially life-threatening impact on everyday citizens.
This is an increasingly urgent reason why businesses, and in particular those of us concerned with the IT and Security departments, need to improve real-time collaboration between security and service desk teams. It is vital that steps are taken sooner rather than later to give them the tools they need to manage and mitigate growing endpoint risks - anything less than this and we give the “bad guys” a very dangerous advantage.
From Stuxnet to Georgia
Attacks against CNI facilities are nothing new. After all, critical infrastructure spans across a huge number of industries and private sector organisations – from healthcare to financial services to the public sector. But, in the past, attacks were mainly the preserve of well-funded operations – usually lead by bodies within nation states – and focused in the main on data theft and reconnaissance work. There are exceptions, of course, such as the high-profile attacks on Ukrainian infrastructure which left tens of thousands without power in December 2015 and 2016.
Some industrial systems are particularly vulnerable to attack as they have been historically poorly protected. These systems often aren’t air-gapped (or isolated) from the public-facing internet, and sometimes run on outdated, legacy computer platforms. The mission criticality of these systems makes patching incredibly problematic, meaning many are wide open to potentially very dangerous exploits.
It is important to note that things are changing, and very rapidly at that. Increasingly the concern is that financially motivated cybercrime gangs are looking to exploit these weaknesses themselves in a bid to drive profits. CNI firms represent a lucrative target as they are far more willing to pay up if their systems are taken down by hackers than other kinds of businesses, or so the theory goes. The figures would seem to back up this assumption. Researchers at the Georgia Institute of Technology estimated there to be a worrying 1,400 Programmable Logic Controllers (PLCs) directly accessible from the public internet, which could be compromised via a new type of attack. Assuming that there was a 50 per cent success rate and a $10,000 (£8,000) ransom, a campaign could yield $7m (£5.6m) on this one type of PLCs alone. There is no doubt that cyber-crime is increasingly a very lucrative trade.
NHS under fire
Ransomware, one of the most feared types of malware in 2017, could be the biggest threat to CNI firms today. It’s already brought hospitals in the UK, Los Angeles, Germany and beyond to a shuddering halt after taking key systems offline. So far, luckily, there has only been a minor impact on patient care. But as unsecured smart devices, from mobile phones to smart fridges, increasingly creep into CNI firms, the risks escalate. It’s already been claimed from FOI (Freedom of Information) requests that nearly half of the NHS has suffered a ransomware outbreak over the past year. That figure could easily rise and spread to other CNI sectors as attacks snowball. Critical infrastructure is also inter-connected, so an attack on one part could quite easily bring down another. Just imagine if an outage affecting TfL’s IT systems caused mass transportation disruption in London. That would leave health workers stranded and hospitals dangerously understaffed, with potentially fatal consequences. One can only imagine the chaos that would ensue.
If we know one thing about the black hats it’s that they have no regard for anything beyond their own profits, with the protection of human life being placed very low on their agenda if money is in question. With these attacks we’re going way beyond data theft, financial penalties and brand damage. Companies and their boards could be accused of criminal negligence if it’s thought an underinvestment in cybersecurity ultimately led to an outage resulting in loss of life.
It’s vital we formulate a more sophisticated response. And that will require close collaboration between IT security and service management teams, and a unified, automated endpoint security and management platform. Automation is vital given the huge IoT-driven growth in endpoints – Gartner predicts businesses will use 3.1 billion of them in 2017 alone. It’s the only way to ensure security policies are pushed out to each and every endpoint.
Automated patching is particularly important: it can eliminate many of the attack vectors used to initiate an attack on an environment in one fell swoop by reducing your attacks surface. Add in app whitelisting and privilege management and you’ve effectively reduced the surface attack area of your endpoints by 85 per cent or better. This layered approach to security must also manage risks like removable media and ensure any mobile devices connecting to the corporate network aren’t also providing a gateway into your systems for hackers. This provides protection from Zero Day Threats, user targeted threats, and Ransomware.
Arming your Service Management process with these security controls provides all-important real-time visibility into what’s going on in your network. Service Management is the best place to report and monitor on on-going performance – to keep you fortified against attacks going forward. But make sure they share key information with security teams and vice versa. That way you’ll have IT performing as it was always intended to – keeping threats at bay and systems running smoothly with zero impact on the business.
Steve Daly, President and CEO, Ivanti
Image Credit: ESB Professional / Shutterstock