Critical infrastructure fuels the modern economy by providing services essential to daily life, such as energy, food, water, transport, communications, health and financial services. Protecting these critical infrastructure networks is an essential component in developing national resilience, explains Gary Jackson, vice president for Asia-Pacific at Tenable.
Due to the wealth of information they hold, critical infrastructure has become a high-value target for cyber attacks.
These attacks have historically been physical and could be countered with tangible, physical defences. Fast forward to the present and the threats to critical infrastructure are both physical and digital.
The same view was echoed by the Australian government in a consultation paper, seeking views to shape the country’s 2020 cyber security strategy.
The government cautioned against the increasing threats from cyber criminals and state actors to critical infrastructure, with the energy, telecommunications and transport sectors called out as the most at risk of cyber attacks as they embrace the digital age.
Regardless of whether the threat is physical or digital, the intended result remains the same — a disruption to critical infrastructure and delivery of services could have serious physical, economic and societal consequences.
In today’s connected world, managing cyber risk across our critical infrastructure has become integral; here’s how.
An expanding attack surface
There are various challenges in protecting critical infrastructure. More often than not, critical infrastructure runs on operational technology (OT), much of which pre-dates the internet.
These once-isolated “air-gapped” systems are becoming increasingly connected, leaving both OT and IT security teams faced with the challenge of defending an amorphous attack surface with devices from numerous vendors and multiple access points.
OT systems also have very long life cycles and weren’t designed with measures to protect them from the variety of security vulnerabilities that are present today.
Additionally, in order to check which known vulnerabilities affect an installed base, it’s key to first know exactly what the business has: which OT products, versions, security patches, hardware models, firmware versions and more.
For some businesses, building this inventory alone can be incredibly complex, before they have even scratched the surface of patching the actual vulnerabilities.
It can also be a challenge, if not impossible, to patch such vulnerabilities in OT systems without disrupting or knocking mission-critical systems offline.
Managing cyber risk becomes crucial here: without complete visibility into all assets, vulnerabilities and any new attack surfaces that may have emerged, security teams have no way to see, and ultimately mitigate, threats.
Evaluating cyber security risks
Protecting critical infrastructure requires an understanding of how secure and how exposed systems are. In many environments, OT is rapidly converging with IT, but organisations lack the visibility, security and control needed to manage OT-related cyber risk.
To transform, organisations need to address the new attack surfaces and vectors associated with IT/OT convergence.
This can be done by adopting a unified view across the entire infrastructure, which requires gaining deep situational awareness of each and every asset, vulnerability and security alert. By understanding where an organisation is exposed and to what extent, security teams can get a clearer picture of what’s at risk.
This requires visibility of the entire attack surface: identifying the business operations and assets most vulnerable to cyber attacks, including IT, OT and IoT assets. Once the business has a grasp of the area being defended and where the risk lies, a detailed threat intelligence analysis is needed to prioritise remediation efforts.
As the endless wave of threats continues, security teams don’t have the resources to guess which vulnerabilities need to be remediated first.
Calculating risk should be based on a combination of key factors including:
- Enterprise visibility, which should provide a more comprehensive view across the IT and OT environments;
- Asset tracking, which gives a comprehensive, up-to-date inventory of all assets on the network, including dormant devices. The inventory includes detailed information such as firmware, state and Programmable Logic Controller (PLC) backplane configuration;
- Threat detection and mitigation that can monitor from a policy and anomaly perspective for both cyber threats and operational mistakes;
- Device-specific vulnerability intelligence, gained through deep situational awareness of exactly which devices are in the OT network, so that security teams can delve into the risk factors in the network and prioritise mitigation steps; and
- Configuration control, which should provide a full inventory of all device configuration changes, whether executed by a human user or by malware, and whether made over the network or physically on the device.
In evaluating risk, organisations should also measure and benchmark their cyber exposure, with comparisons both internally (business groups, geographies, asset classes) and externally against peers.
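As an added illustration (not Tenable’s or the article’s own method), the following Python script combines the factors listed above into a ranked remediation queue: a constructed asset inventory carrying firmware, connectivity and dormancy state, a constructed list of known vulnerabilities keyed by product and firmware, and configuration changes taken from an audit trail. All device names, products, firmware versions, vulnerability identifiers and scoring weights are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data: the names, products, firmware versions and
# vulnerability identifiers below are placeholders, not real devices or advisories.
@dataclass
class Asset:
    name: str
    product: str
    firmware: str
    criticality: int   # 1 (low) .. 5 (production- or safety-critical)
    routable: bool     # reachable from the IT network (IT/OT convergence)
    dormant: bool      # no recent traffic; easily forgotten when patching

INVENTORY = [
    Asset("plc-line1", "VendorX-PLC", "2.1", 5, True, False),
    Asset("hmi-line1", "VendorY-HMI", "4.0", 4, True, False),
    Asset("plc-spare", "VendorX-PLC", "1.8", 2, False, True),
    Asset("eng-ws", "Windows", "10", 3, True, False),
]
# Known vulnerabilities keyed by (product, firmware): [(id, CVSS base score)]
KNOWN_VULNS = {
    ("VendorX-PLC", "2.1"): [("VULN-A", 7.5)],
    ("VendorX-PLC", "1.8"): [("VULN-A", 7.5), ("VULN-B", 9.8)],
    ("Windows", "10"): [("VULN-C", 8.8)],
}
# Configuration-change events from the audit trail: (asset, who or what changed it)
CONFIG_CHANGES = [("plc-line1", "unknown"), ("hmi-line1", "engineer")]
TRUSTED_SOURCES = {"engineer"}

def asset_risk(asset, vulns=KNOWN_VULNS, changes=CONFIG_CHANGES):
    """Return (score, reasons) for one asset. Weights are assumptions."""
    reasons = []
    found = vulns.get((asset.product, asset.firmware), [])
    worst = max((cvss for _, cvss in found), default=0.0)
    if found:
        reasons.append("vulns: " + ", ".join(v for v, _ in found))
    score = worst * asset.criticality          # severity weighted by impact
    if asset.routable:
        score *= 1.5                           # exposed across IT/OT boundary
        reasons.append("routable from IT")
    if asset.dormant:
        score *= 1.2                           # likely missed by patch cycles
        reasons.append("dormant")
    if any(a == asset.name and src not in TRUSTED_SOURCES for a, src in changes):
        score += 10 * asset.criticality        # possible tampering, treat as critical
        reasons.append("config change from untrusted source")
    return round(score, 2), reasons

def prioritise(inventory=INVENTORY):
    """Rank assets by risk, highest first, to form the remediation queue."""
    ranked = [(a.name, *asset_risk(a)) for a in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Run prioritise() to get a list of (asset, score, reasons) tuples; the untrusted PLC configuration change pushes plc-line1 to the top even though the spare PLC carries the higher CVSS score.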
A holistic cyber security strategy for IT/OT
In the digital era, OT cyber security risk is a critical business risk. Enhancing security is the most fundamental component of critical infrastructure protection.
The increased convergence of IT and OT has expanded the attack surface and attack vectors and created a massive gap in an organisation’s ability to truly understand where it’s exposed.
Security leaders are frequently left blind to the IT and OT assets and vulnerabilities on their networks.
In today’s connected world, there is no substitute for a holistic cyber security strategy that emphasises visibility, security and control across the entire network while reducing unacceptable risk.
Ensuring every asset is inventoried and secured is now integral, which is why businesses must have sight into the entire modern attack surface, encompassing both the IT and OT networks.
This includes Windows PCs and servers, but also industrial control system (ICS) devices, including PLCs.
To mitigate risk, businesses must ensure they have the most productive and comprehensive alerts.
This means both monitoring the network itself for traffic and collecting information from the devices themselves, for a complete picture.
It is imperative for businesses to leverage the latest threat intelligence to identify threats or their indicators as soon as they emerge in the OT infrastructure, combined with additional information collected from full audit trails, packet capture (PCAP) recordings and snapshots of controllers. Information from these various sources helps form an efficient incident response.
Ultimately, as the attack surface continues to expand, it’s clear that critical infrastructure is only going to continue to be a high-value target for cyber criminals. Attacks on such infrastructure, whether physical or digital, have the ability to massively disrupt day-to-day operations, for businesses and civilians. Managing cyber risk has never been so important in our connected world.
Gary Jackson is vice president for Asia-Pacific at Tenable — the Cyber Exposure company helping 30,000 organisations around the globe understand and reduce cyber risk.
Jackson joined Tenable to lead the Asia-Pacific region and build the reputation and coverage of Tenable in the risk-based vulnerability management space. His career spans more than 40 years in the technology industry. Prior to joining Tenable, Jackson held various regional vice president roles with Cisco Systems, EMC and Aruba Networks.