Then and Now: The State of Critical Infrastructure Security

“Critical infrastructure — from the electric grid to public transportation — is under assault as cyber attackers gain a foothold in the United States.”

That’s what Raytheon Chief Technology Officer Michael Daly stated in an op-ed last fall. Dramatic? Sure. Accurate? It sure seems like it could be.

The topic of critical infrastructure came up several times during this month’s Rocky Mountain Information Security Conference (RMISC) in Denver. And while cybersecurity certainly isn’t a cakewalk for anyone, the challenges facing critical infrastructure sectors seem especially daunting.

So how did the industry get to where it is today? Where is it going from here? And most importantly, what are you supposed to do about the existing and future challenges?

Looking Back at Critical Infrastructure Cybersecurity

If you needed to pick a turning point in the state of critical infrastructure security, Stuxnet’s discovery in 2010 would be a pretty good one. This was the subject of Kim Zetter’s keynote at RMISC. The keynote also hit on some key trends that have defined the industry in recent history:

  1. Industrial control systems weren’t built with security in mind — similar to the development of today’s Internet of Things (IoT) technologies.
  2. Critical infrastructure has traditionally lagged behind other industries when it comes to implementing cybersecurity.

As Zetter specifically noted, programmable logic controllers (PLCs) ran no antivirus and had no equivalent monitoring, so there was nothing in place to catch Stuxnet's tampering with them; and fast-forwarding a few years, the industry has only recently begun to embrace two-factor authentication.

The Current State of Protecting Critical Infrastructure

So that’s the industry’s first challenge: it already has a history of not keeping pace with modern cybersecurity tools. So how does that relate to the current status of the industry?

Essentially, the problem is now compounded. For example, at RMISC, Hank Leininger of KoreLogic described a penetration testing case study, in which a critical infrastructure facility hired the company. The facility was so risk-averse that, up until then, it did minimal hands-on testing of its production systems — a top target for hackers.

It’s understandable to a certain degree. No facility wants to inadvertently cause a major issue to its production systems, especially if there isn’t a current live threat.

So not only is it more likely that the facility is working with less mature technology; now there’s also the problem of incurring too much risk to even test the technology. As a result, it’s even more difficult for critical infrastructure facilities to fully understand the limitations and gaps in their environment.

The Future of Securing Critical Infrastructure

And as we look to the future, the stakes are only getting higher, with the critical infrastructure landscape becoming even more complicated to protect. As mentioned earlier, Zetter noted that IoT is following in the footsteps of critical infrastructure when it comes to developing technologies without security in mind. And many of these technologies are being designed specifically for critical infrastructure.

Of course, there certainly are potential benefits from these IoT devices. As recently highlighted by the Cybersecurity and Infrastructure Security Agency (CISA):

“IoT-enabled devices can provide numerous benefits to public safety … For example, a traffic accident response team could use the data collected from a variety of Internet-connected devices ― such as the involved vehicles (e.g., speed sensors, occupancy sensors), surrounding infrastructure (e.g., utilities, traffic lights), and victims (e.g., health monitors, activity trackers) ― to enhance their situational awareness and decision making before arriving on scene.”

So while the advantages are there, we can't forget that traditional industrial control systems (ICSs) were already at risk even when they were generally air-gapped. With technologies like these, more and more ICSs are connecting to the Internet, so the attack surface becomes much broader and easier to penetrate. And because the connecting technologies often lack appropriate security measures, the risk increases even more.

Three Steps to Alleviate the Risk to Critical Infrastructure

Considering everything explored thus far, we are left with an industry with environments that:

  1. Have had a harder time keeping pace with cybersecurity advancements
  2. Are difficult to thoroughly test
  3. Will quickly become more connected to the outside than ever before

How do you overcome these obstacles? It'd be naïve to say, "Just update all of your organization's legacy technologies and do thorough pen testing all the time!" Clearly, there are challenges (time, money, and risk) standing in the way. Instead, let's focus on some more manageable best practices:

1. Know the Limitations of Your Testing

Leininger mentioned that the organization he worked with was hesitant to do hands-on testing, but that doesn’t mean it totally ignored testing. Still, it’s no surprise that the tests faced many limitations, given the concerns around potentially impacting the production systems in some way.

This is reasonable; however, the company didn't acknowledge those limitations, resulting in a false sense of security. So even if your team isn't in a position to run a test that truly simulates a cyberattack, it's still worthwhile to run some kind of test; simply acknowledge its limitations. This goes a long way toward keeping your team and your executive board from getting complacent, and toward building a better understanding of the risks your environment could still face.

2. Assess Your Network Security

With air-gapped environments being the norm in critical infrastructure for so long, outbound network controls (egress filtering and monitoring) haven't been much of a priority. But with more and more IoT technologies connecting to that infrastructure, that has to change, especially when there is so much concern around the security of those connecting technologies.

And even if your environment is currently air-gapped, it couldn't hurt to double-check that it's as closed as you think it is. As Leininger noted, the organization he worked with was nominally air-gapped, but even then it wasn't totally closed. And though Stuxnet was carried into an air-gapped facility on USB sticks, it still found its way onto connected computers and spread over the Internet.
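One concrete way to do that double-check, as an added example that is not part of the original post or of KoreLogic's methodology: pull a flow or connection log from the OT network boundary (a span port, the boundary firewall, a Zeek sensor) and look for any flow that should be impossible if the gap were real. The script below assumes an OT/ICS range of 10.10.0.0/16 and a corporate IT range of 10.20.0.0/16, and a simple whitespace-separated log format; both ranges and the sample records are constructed for the example, not taken from the article.

```python
"""Flag flows that contradict an 'air-gapped' OT network.

Added example for this post; not code from the original article or from
KoreLogic/LogRhythm. Assumptions (not taken from the page): the OT/ICS
network is 10.10.0.0/16, the corporate IT network is 10.20.0.0/16, and the
input is a flow/connection log with whitespace-separated fields
"src_ip dst_ip dst_port proto". The sample lines are constructed traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed OT/ICS range
IT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate IT range

# Constructed sample log: src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
10.10.1.5   10.10.1.20  502  tcp
10.10.1.5   10.10.1.21  502  tcp
10.10.1.7   8.8.8.8     53   udp
10.10.2.9   1.1.1.1     443  tcp
10.20.3.3   10.10.1.5   3389 tcp
10.10.1.5   10.20.9.9   445  tcp
10.20.3.3   10.20.3.4   80   tcp
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dst_port: int
    proto: str
    reason: str


def classify_flow(src: str, dst: str) -> Optional[str]:
    """Return why a flow breaks the air-gap assumption, or None if it is expected.

    Three things should never show up in the flow log of a truly air-gapped
    OT network: OT hosts talking to public addresses, OT hosts initiating
    connections into IT, and IT hosts initiating connections into OT.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s in OT_NET and d.is_global:
        return "OT host reached a public address (an egress path exists)"
    if s in OT_NET and d in IT_NET:
        return "OT host initiated a connection into the IT network"
    if s in IT_NET and d in OT_NET:
        return "IT host initiated a connection into the OT network"
    return None


def audit(log_text: str) -> List[Finding]:
    """Parse the flow log and return every flow that violates the air gap."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, port, proto = line.split()
        reason = classify_flow(src, dst)
        if reason is not None:
            findings.append(Finding(src, dst, int(port), proto, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dst_port}/{f.proto}  {f.reason}")
```

A single finding is enough to disprove the air gap; an empty result only shows that nothing crossed the boundary during the window this log covers, which is exactly the kind of limitation step 1 says to state openly. Note too that a flow log says nothing about removable media, which is how Stuxnet got in; that path needs a separate control (USB policy, endpoint logging) to verify.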

3. Understand Threats Specific to Critical Infrastructure

Certain industries are more susceptible to various threats or threat actors, and critical infrastructure is no different. Become familiar with the threats targeting your sector.

One good place to go for this information is MITRE; for example, the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix includes tactics, techniques, and procedures (TTPs) used by two specific groups that have a focus on critical infrastructure: TEMP.Veles and Dragonfly 2.0. LogRhythm customers should take note that our ATT&CK module features several rules designed to detect these specific TTPs automatically.

Another avenue for information gathering is the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT, now part of CISA), which distributes advisories as it becomes aware of critical infrastructure-specific security issues.

As innovation within IoT continues, its impact on critical infrastructure will as well. And with any new technology comes new considerations — and new challenges. But even by implementing small changes in your organization’s cybersecurity approach, you can help alleviate risk.