Commercial enterprises are putting our critical infrastructure at risk
By Sean Martin, CISSP, founder of imsmartin consulting
May 04, 2012 — Network World — Cybercriminals have already figured out how to hack into enterprise infrastructure, and the critical infrastructure that controls our nation's supply of water, gas, oil and electricity just might be next.
With so many connections and shared vulnerabilities between the two infrastructures, the inevitability of this is unsettling. If the critical infrastructure is successfully penetrated, electrical grids could be shut down, water supplies could be turned off, telecommunications channels could be severed, and transportation systems could come to a halt. Take the electrical grid offline and massive numbers of power-reliant entities could grind to a halt, including everything from banks to hospitals.
Each day brings media attention to yet another breach, but it seems we are unable to make headway on the security front. It's certainly not from a lack of resources; we have plenty of technology, standards, and regulations to draw upon.
It seems to boil down to the fact that we continue to do stupid things. We still write insecure code. We still don't patch our systems. We still don't control user rights properly. We still use the same usernames and passwords across multiple accounts throughout both our personal and business worlds. And, you guessed it -- these passwords we use aren't even managed well. It's no wonder corporations continue to get hacked.
But what we should be most concerned about is that our two infrastructures -- the private/commercial/enterprise infrastructure and the critical/industrial/utility infrastructure -- are interconnected in many ways, and security weaknesses within either therefore put both at risk.
Approximately 85% of the nation's critical infrastructure is owned by the private sector, according to the U.S. Government Accountability Office. And, with pressure to increase profits and reduce expenses, many utilities have combined their control system networks with their commercial business networks, according to Arjen Zwaag of Cisco, speaking at a Pipeline Technology Conference.
By operating over a shared network, not only do the two environments now share the same vulnerabilities, but a hacker also now has a clear, direct and trusted path to get from one environment to the other.
Adding to this, these same business networks are also connected to other private and commercial networks designed to provide end-to-end business functions, including services such as telecommunications, research and development, IT help desk and support, and many more.
For hackers, this means even more shortcuts to the critical infrastructure. Many sophisticated and targeted attacks known as advanced persistent threats (APTs) don't go directly for the pot of gold; instead they tend to find more easily accessible initial points of entry within less secure systems, and then, once they're in, strategically and unobtrusively work their way through chains of connected systems and networks to reach their end targets.