Security Think Tank: Back to square one – ground-up CNI protection
In the light of increasing cyber attacks on critical national infrastructure, what are the immediate risks to industrial control systems and other operational technology, and what steps can be taken to address them?
In the wake of successful or thwarted security incidents that have made the news, similar patterns of response can be seen time and again. More so when it comes to state infrastructures, critical systems, or companies with global visibility.
Politicians demand stricter regulations and stronger audits, operators of these systems demand more money, and software suppliers present new and extended components from their range of security systems, often combined with new concepts and many three to five-letter abbreviations.
But cyber security didn’t just start a few years ago; rather, technologies, concepts and common-sense approaches to implementing those have existed in many cases for decades and have been successfully deployed in many organisations for just as long.
Certainly, better auditing and more money for cyber security (if used wisely) can help. But the root causes of the security incidents of recent months reveal blatant conceptual weaknesses. This is by no means a matter of technically complex defences against highly sophisticated attack vectors; rather, it is often a matter of implementing the most basic security measures.
The undesirable access to the water treatment plant hacked in the US state of Florida was gained via an unmaintained Microsoft operating system version (Windows 7), which was not protected by a firewall. Remote maintenance software was left installed on this system, and it was accessible with only a username and password. The password in question was known to all employees.
This description of the overall circumstances almost sounds like an invitation to intrusion. The question of whether access could have been gained by guessing/trying out passwords or was done by a malicious employee or ex-employee is already irrelevant in such a case.
This highlights the fact that the most important steps that need to be taken now to protect critical systems are the same steps that should have been implemented comprehensively and continuously for years. They are commonly applied in enterprises already, but there is often still a need for action in critical national infrastructure (CNI) and its underlying operational technology (OT).
Safeguard from the ground up
Figuratively speaking, it is not primarily a matter of repainting the house and erecting yet another fence. Instead, it’s cleaning out the basement, securing the doors well, changing all the locks, and finally making appropriate use of the existing alarm systems that were purchased (and ignored) years ago. Employ a security guard service if necessary.
Let’s start with the basic requirement that all software components, including the underlying operating system, are deployed in the latest version with all necessary patches and are configured and operated securely.
Wherever reasonable, firewalls and appropriately granular network segmentation are a mandatory requirement for securing critical systems. This also includes identifying remote maintenance systems or instances of SSH access that are no longer in use or are only weakly protected. Protect all systems.
A server classified as non-critical, and therefore given low access barriers, is often exploited for lateral movement and thus for the compromise of more critical systems. Monitoring of all accesses, legitimate as well as illegitimate, and the evaluation of this information by an intelligent security information and event management (SIEM) system is a reasonable next step.
If systems are protected by strong passwords and multifactor authentication, the risk associated with the use of passwords is significantly reduced. Sensitive access to technical systems must be protected by privileged access management. This ensures that every authorised user must request and be approved for access, that sessions can be monitored and recorded, and that sensitive credentials never end up directly in the hands of users and administrators.
Comprehensive fundamentals such as user lifecycle processes and access management are essential. This ensures that users who are no longer with the company, or contractors who are no longer involved in maintenance tasks, do not have formerly valid system access.
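The two preceding points, monitoring who accesses a system and from where, and removing access that former staff or contractors still hold, are the kind of review that can be started with nothing more than the authentication logs already on the machines. The script below is an added example, not part of the article: it reads constructed sshd-style log lines and reports logins by accounts that are not on the current staff/contractor roster (shared or leaver accounts), logins from outside an assumed approved maintenance network, password-only logins to OT hosts, roster accounts that have not logged in within a review window (stale access to remove), and failed logins. The host names, addresses, account names and the roster are all invented for the example.

```python
"""Access review over constructed sshd-style log lines (added example).

All log lines, host names, addresses and accounts below are constructed
sample data; the roster and the approved maintenance network are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in the format sshd writes to syslog.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z ot-hmi-01 sshd[2011]: Accepted publickey for j.miller from 10.20.5.14 port 50122 ssh2
2024-03-01T09:15:42Z ot-hmi-01 sshd[2087]: Accepted password for maint from 10.20.5.30 port 51001 ssh2
2024-03-02T22:40:03Z ot-plc-gw sshd[3310]: Accepted password for maint from 203.0.113.77 port 44010 ssh2
2024-03-03T10:01:55Z ot-hmi-01 sshd[3402]: Accepted publickey for t.nguyen from 10.20.5.21 port 50233 ssh2
2024-03-04T14:22:09Z ot-plc-gw sshd[3511]: Failed password for root from 203.0.113.77 port 44012 ssh2
"""

# Assumed current roster of people entitled to remote access (constructed).
ROSTER = {"j.miller", "t.nguyen", "a.schmidt"}
# Assumed network from which remote maintenance is permitted (constructed).
APPROVED_NET = "10.20.5.0/24"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd Accepted/Failed record; return None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def review_access(log_text, roster, approved_net, now, stale_days=30):
    """Return sorted findings for an access review of the given log text."""
    approved = ipaddress.ip_network(approved_net)
    findings = {
        "unknown_account": set(),   # login by an account not on the roster
        "offsite_source": set(),    # login from outside the approved network
        "password_only": set(),     # accepted login that used only a password
        "stale_account": set(),     # roster member with no login in the window
        "failed_logins": set(),     # failed attempts worth correlating in a SIEM
    }
    last_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['user']}@{rec['host']}"
        if rec["result"] == "Failed":
            findings["failed_logins"].add(f"{key} from {rec['src']}")
            continue
        prev = last_seen.get(rec["user"])
        last_seen[rec["user"]] = rec["ts"] if prev is None else max(prev, rec["ts"])
        if rec["user"] not in roster:
            findings["unknown_account"].add(key)
        if rec["src"] not in approved:
            findings["offsite_source"].add(f"{key} from {rec['src']}")
        if rec["method"] == "password":
            findings["password_only"].add(key)
    cutoff = now - timedelta(days=stale_days)
    for user in roster:
        seen = last_seen.get(user)
        if seen is None or seen < cutoff:
            findings["stale_account"].add(user)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    review_time = datetime(2024, 3, 10, tzinfo=timezone.utc)
    for category, items in review_access(SAMPLE_LOG, ROSTER, APPROVED_NET, review_time).items():
        print(f"{category}: {items}")
```

In the sample, the shared `maint` account surfaces three times (not on the roster, password-only, and once from outside the maintenance network), and `a.schmidt` appears as a roster member whose access was never used in the window and should be reviewed. On a real estate the same logic belongs in the SIEM, fed by every host rather than one file, with the roster coming from the HR or contractor system so that leavers drop out automatically.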
The use of up-to-date virus scanners and tools for detecting and preventing malware should not really need to be mentioned, but experience shows that many systems in OT do not even have such basic protection mechanisms.
Finally, end-user training and regular measures to increase cyber security awareness for every staff member, external and internal, who deals with critical systems are essential building blocks that can also be started today.
Admittedly, the measures mentioned require money and effort, but they constitute baseline cyber hygiene and there is just no alternative. Without them, there is a risk of loss of reputation, non-fulfilment of compliance requirements, and even the danger of human injury.
Only when such fundamental measures have been successfully implemented are investments in more sophisticated cyber security concepts – user behaviour analytics, privileged user behaviour analytics, zero trust architectures, use of threat intelligence – worthwhile and promising.