Reducing the Cyber Attack Surface for Critical Infrastructure
November 17, 2015 | Security and Risk | Alex Leemon
Our CEO Udi Mokady was on Mad Money last week talking with Host Jim Cramer about the cyber security market and the proactive measures companies take to secure the inside of their networks. Our products are sold globally and across many industries. Noting our growing and diverse customer base, Jim asked, “What is manufacturing worried about?” Udi explained that they want to protect intellectual property and personally identifiable information about employees, customers and suppliers.
It’s a good reminder that people traditionally associate cyber security and breaches with financial services companies, but cyber security threats are now horizontal for a variety of reasons.
Not only do companies have to rethink what hackers view as valuable – money is not the only motivation, they also need to understand there are many threat actors including nation states, non-nation states, hacktivists, malicious insiders, vendor/supply chain access and terrorists. There are hackers for hire, and there is a market for them.
While the most intrusive breaches primarily target the IT/Corporate environment, serious actors increasingly target industrial control systems. They are stealthily surveying systems and building the capabilities to execute attacks in the long term. (Keep in mind, attackers often have more than 200 days on a network before being discovered.)
Risks associated with our critical infrastructure continue to increase as companies adopt new technologies. According to a Chatham House Report issued in September 2015, “there is a rise in factors that make nuclear facilities more vulnerable to cyber attack, with facilities increasingly adopting digital systems, making use of commercial off-the-shelf software, and connecting to the internet. All of these offer considerable cost savings but are easier to hack.”
New realities and use of technology require rethinking processes, security measures and interactions. For example, there has to be better coordination and communications between IT security and OT. As pointed out in a recent article by the InfoSec Institute, “OT engineers have to report any activity that has been conducted at the equipment and any suspicious activity they have noticed. Every modification to one of the components in the nuclear facility could potentially open the doors to cyber threats, so the IT engineers have to monitor carefully the “evolution” of the plant. Face-to-face contact between IT engineers and IT personnel is a key factor to sustain mutual understanding between the two cultures so close, but so different.”
November is Critical Infrastructure Security and Resilience month, so it’s a good time to highlight related security threats, trends and mitigation best practices. I recently shared 5 IT Best Practices that also Mitigate Cyber Security Vulnerabilities in OT.
I would also like to share a few of the trends in OT security that were highlighted at NERC’s annual Grid Security Conference (GridSecCon):
- System and component complexity is increasing. Advances in technology (i.e. system on a chip) and the hyper-connectivity of sensors significantly increase the complexity of systems. “Smart” infrastructure is a hot trend, but there are security implications to be addressed.
- There is an increasing number of entry points into OT. Commercial-off-the-shelf (COTS) equipment continues to penetrate the OT environment, and OT systems are increasingly connected to business systems and the outside of the organization (through vendor access and supply chain). As a result, the number of entry points into critical assets increases along with the threat landscape.
- Security is strategically significant in the C-suite. Awareness of the impact of a cyber attack on operations has put security on the C-Suite radar. Companies recognize the need to implement comprehensive risk management programs, rather than simply meet minimal regulatory compliance. This is encouraging news.
IT and OT security experts agree that companies can mitigate a significant amount of risk by proactively implementing best practices and security programs that reduce the attack surface. Some things to keep in mind:
- Phishing and other social engineering techniques are still a prevalent entry point into the organization. Continue to foster a culture of security through social engineering awareness and training.
- Operate as if you’ve been compromised. Perimeter security often cannot stop Advanced Persistent Threats (APTs). A determined attacker will get in, and that’s why security inside the network security is crucial, especially as it relates to privileged users (including vendors).
- Lock down credentials and implement a credential-management program.
- Monitor vendor access. Ensure that vendors only access the systems they’re authorized to access for a limited amount of time (i.e. no more idling sessions for 2 weeks).
Speaking of monitoring vendor access, you might be interested in watching one of our webinars, “Securing Remote Vendor Access with Privileged Account Security.”