Securing the digital transformation of our critical infrastructure

We must ask how to better protect the critical systems we all rely on.


Earlier this year, a massive breach on American and European power companies was uncovered. It began in 2015 as part of a large-scale cyber espionage campaign that targeted nuclear and energy systems in the United States, Turkey and Switzerland. The attacks, which used spearphishing to trick users into opening malicious emails, allowed hackers to harvest their credentials and gain remote access to machines—meaning the bad guys had control over nuclear and energy systems.

The number of attacks on critical infrastructure worldwide has drastically increased over the past several months. In August, hackers compromised Ireland’s state-owned power grid company. About a month prior, there was a digital assault on U.S. energy companies.

As cyber attacks increase in complexity and critical infrastructure networks continue to age, we must ask how to better protect the critical systems we all rely on.

Critical infrastructure is burdened with vulnerabilities

The rapid evolution in technology has forced change across industries, not just in the way they operate, but also how they protect information. When it comes to critical infrastructure, we’ve seen several hurdles that have prevented companies and government agencies from properly securing critical networks.

Historically, critical infrastructure leaders and engineers have not had to think seriously about security requirements. And though this is changing, many companies are starting from behind, operating on outdated IT systems that lack the support and necessary security patches for today’s digital environment.

With little focus on security and a “don’t fix it unless it’s broken” mentality, the confidentiality and integrity of critical infrastructure networks are more likely to be compromised.

Complexity is the barrier to control

Frederick the Great said, “He who defends everything, defends nothing.” That statement rings true in cybersecurity, where the challenge often lies in figuring out what to protect.

In April, PricewaterhouseCoopers’ Cloud Hopper Report found that hackers use credential mining and privileged credentials frequently in the propagation of cloud attacks. In most situations, privileged credentials give bad actors the ability to infiltrate and expand their attack.

To break the mold of traditional security and plan for newer, more sophisticated attacks, critical infrastructure companies can use a technique called “attack path mapping.” This approach examines the likely ways an attacker would steal information from a network and provides security teams with the ability to separate serious targets from less likely ones.

One of the United Kingdom’s largest gas distribution companies has had success using this approach and has found that a commonality among attack paths is privileged credentials.

Since it is impossible to secure every aspect of IT infrastructure, attack path mapping allows companies to better understand the most vulnerable access points in their network, to proactively control those areas, and to monitor the activities performed by privileged accounts.

This approach has helped critical infrastructure agencies overcome complexity and see where vulnerabilities exist across the massive networks of infrastructure they manage.
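The following is an added illustration of the attack path mapping idea described above; it is not code from the article or from any company it mentions. On a small constructed asset graph (hypothetical host and credential names), it enumerates the simple paths from an internet-facing entry point to a control-system target, ranks credential nodes by how many of those paths they sit on, and shows how many paths remain once the top-ranked credential is brought under control.

```python
"""Attack path mapping on a constructed asset graph (hypothetical names, not real data).

A directed edge means "controlling the source lets you reach the target".
Credential nodes are prefixed "cred:" so they can be ranked separately.
"""
from collections import Counter
from typing import Dict, List, Set

# Constructed example graph: two internet-facing entry points, one HMI target.
GRAPH: Dict[str, List[str]] = {
    "internet": ["web_portal", "vpn_gateway"],
    "web_portal": ["cred:svc_web"],
    "vpn_gateway": ["cred:eng_vpn"],
    "cred:svc_web": ["app_server"],
    "cred:eng_vpn": ["jump_host"],
    "app_server": ["cred:domain_admin"],
    "jump_host": ["cred:domain_admin", "cred:scada_oper"],
    "cred:domain_admin": ["historian", "hmi_workstation"],
    "cred:scada_oper": ["hmi_workstation"],
    "historian": ["hmi_workstation"],
    "hmi_workstation": [],
}
TARGETS: Set[str] = {"hmi_workstation"}

def enumerate_paths(graph, start, targets):
    """Return every simple (loop-free) path from start to any target node."""
    paths = []
    def dfs(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # stay loop-free
                dfs(nxt, path + [nxt])
    dfs(start, [start])
    return paths

def rank_credential_chokepoints(paths):
    """Count how many distinct attack paths each credential appears on, most first."""
    counts = Counter(n for p in paths for n in set(p) if n.startswith("cred:"))
    return counts.most_common()

def paths_remaining_if_controlled(graph, start, targets, node):
    """Paths left once `node` is protected/monitored, modelled by removing it."""
    pruned = {k: [v for v in vs if v != node] for k, vs in graph.items() if k != node}
    return len(enumerate_paths(pruned, start, targets))

if __name__ == "__main__":
    found = enumerate_paths(GRAPH, "internet", TARGETS)
    print(len(found), "paths;", rank_credential_chokepoints(found))
```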

Digital transformation is changing critical infrastructure

According to the 2017 Verizon Data Breach Investigations Report, 38 percent of the attacks on energy and utility providers come from web applications.

Many infrastructure experts agree that the industry is built with reliability and safety in mind due to the frequency of natural interruptions, like hurricanes and snowstorms. While the way the industry has thought about safety hasn’t typically included cybersecurity, industrial engineers can approach cyberattacks like they would any other disruption by going offline to manual operations.

The problem is that manual processes are not a long-term solution. Adversaries are learning more about industrial systems from an IT and industrial engineering standpoint. Thanks to digital transformation, our industrial infrastructure is changing, which has opened the door for new vulnerabilities that are susceptible to cyberattacks, especially from web-based applications.

Privileged access controls the transformation

As our critical infrastructure control systems have become more digitally connected, companies now can monitor everything from nuclear reactors to small building meters remotely. These remote access points are a go-to entry point for hackers. The gaps between advanced remote access points and older IT assets provide vulnerable entry points for adversaries that can wreak havoc on our critical infrastructure control systems.

Further, the number of privileged users has increased exponentially. Engineers who have had access to the physical knobs and buttons of critical infrastructure systems in the past now have a digital fingerprint that allows them access to the networks of infrastructure systems—and hackers know that this shift is happening.

The problem has gotten serious enough that the White House issued a report in August that said cyber attacks are as much of a threat to critical infrastructure as physical attacks and that not enough is being done to address the threat.

The President’s National Infrastructure Advisory Council (NIAC) puts it in the bluntest terms possible: “Today, we’re falling short.” And the price of falling short could have devastating consequences.

The challenge before us, then, with attacks on critical infrastructure control systems becoming more likely, is how to provide the right access to the right resources at the right time and, when necessary, monitor that access to prevent privilege abuse.

This article is published as part of the IDG Contributor Network.