Across many different sectors, security professionals are playing catch up now that they've realized there are too many easy targets out there. Whether they are motivated by money or political passions, criminals are taking advantage of the fact that for many years security has been an oversight.
The first attack of a power grid using Black Energy malware has awoken many security professionals in the energy sector to the capabilities of bad actors. The reality now is that more people are hacking in to other systems. "There are systems being compromised. People are going to start hacking in and turning off services," said Tyler Reguly, manager of security research, Tripwire.
"The culprit," said Reguly, "is the devices. Many of these systems have been in place for a long time, and the communications being used are very old and not up to modern standards. Authentication and encryption are non-existent."
Devices are a weak spot in the overall system, and the biggest weakness is in the systems that are directly connected to the Internet. "It’s amazing to see how many businesses still plug devices in and give it a public IP address. That should be step one of cyber security hygiene," said Reguly.
Across sectors one best practice that will strengthen security is to make certain that nothing has a public IP address. "Devices shouldn’t be sitting directly connected to the Internet. That is probably the number one point on my list. Those devices need to be removed," said Reguly.
Both security professionals and criminals know of sites like Shodan that list every device on a port. Removing those devices minimizes risk, which means that if you are part of a security team, you need to know your devices.
"Knowing your devices is a great first step," said Reguly, "and while asset management seems like something everyone would just do, a lot of people don’t know what is on their network."
Because security can often be overlooked, criminals have found simple ways to get in. For those who are new to security, you can catch up and even surpass the capabilities of attackers.
There are two ways of looking at what is on your network. First, you need to know what is connected to your internal network. "Identify what is accessible. From what point in the network can I get to other points in the network? There is no reason for someone in payroll to gain access to industrial devices," said Reguly.
This lesson is critical and pertains to security professionals across sectors, not only those within the energy field. "You don’t want malware to be able to propagate to your critical systems," said Reguly.
A second takeaway for those who are learning under fire, be sure you know what assets are publicly connected. "Be aware of your public IP addresses—if you’re worried some systems might crash—then you need to start worrying even more. Once you know what is out there, you can put proper networking segmentation in place," Reguly said.
Some of these tips might sound familiar to you, as they certainly did to me. The reason, Reguly said, is that security doesn’t change much between sectors. "The basics are always going to be the same. If it applies to health care, banking, the enterprise, or any other sector, it applies to energy."
Sure, there are custom built security tools for different industrial control devices, but the building blocks of security are the same. Know your devices, know what devices are publicly connected, know the crown jewels that you are protecting, know your company, and know the real threats to your organization. Defend against those threats by updating your infrastructure and system controls, segmenting the network, and focusing on security best practices.
This article is published as part of the IDG Contributor Network. Want to Join?