Security Think Tank: CNI operators must focus on core issues

This month I am writing about the threats and associated risks faced by computerised industrial systems and other control technology, particularly given the recently publicised attacks on critical national infrastructure (CNI), for example at the Oldsmar, Florida water treatment plant.

These threats, of course, are uninvited intrusions into an organisation’s IT systems and infrastructure which, in turn, could give access to industrial control systems (ICS) – robots on a production line, for example.

Those threats could emanate from internet-based hacking activity, social engineering (a spear-phishing email that caused the release of malware), a call from someone masquerading as “IT support”, a USB stick left in the car park or reception area, or insider activity, such as an employee with a gambling or drug problem.

The risks, of course, are to an organisation’s reputation, regulatory fines for customer data loss, but such attacks can be a major source of disruption to a company’s production facility, for example the subtle changing of the operation of production-line robots may, in turn, impact product quality. And there are parallels to be drawn from the disruption of parts of the CNI, say electricity or the banking system, and the disruption of a production facility. 

What can an organisation do to protect itself? First up, of course, are the bread-and-butter issues of maintaining any and all software to the latest supported releases and ensuring that security patches are applied in a timely way. This statement does not only apply to the control technology itself, but the whole IT infrastructure, from the interfaces to any and all external networks (firewalls, routers, and so forth) to the network Ethernet switches, load balancers, application servers, printers, and so on.

It should not be forgotten that many systems and infrastructure components now utilise virtualisation techniques, so any virtualisation software needs to be maintained just as much as any server or application software. 

Don’t neglect the BIOS (basic input/output system) in your various systems, or the firmware that drives many infrastructure attached devices, such as video cameras, building access control, printers and air-handling equipment. These areas need maintenance just as much as your IT infrastructure. 

What else can a CNI owner do besides this work? Not in any priority order, but I suggest:

• Staff skills maintenance (training, education and awareness).
• Regular health checks of the IT infrastructure and all the attached components (similar to penetration testing and often carried out in the same time).
• Regular penetration testing of all external network interfaces, not just the internet connection.
• Depending on a company’s size and IT complexity, running a security event management (SIEM) or security orchestration and event management (SOAR) system to identify anomalous events that could be a precursor to a security incident. Read, study and understand the output of these systems – it could be a life-saver.
• Ensure that all staff and contractors in an organisation and all directors (both executive and non-executive) are given regular security awareness briefings.
• Ensure that the very top of a company understands the importance of good security, support it and promulgate it down through the organisation.
• Get help from the business in putting together budgets for IT and IT security. It’s no good saying you need “x” pounds to do the very important “y” project – you need to be able to articulate what the project does in business terms and, equally if not more importantly, the potential costs of not doing the project.  

To quote Mark Twain: “It is easier to fool people than to convince them that they have been fooled.” Apply this to an organisation and its security. The board and senior management must 100% support good, well-funded security. Without it, the organisation’s future can be at stake.