Posted in News

Four myths of critical infrastructure security that we must lay to rest

In May, in a statement to the UN Security Council Arria-formula Meeting on Cyberattacks on Critical Infrastructure, Her Excellency Lana Nusseibeh, the United Arab Emirates’ Ambassador and Permanent Representative to the United Nations, confirmed that the nation’s critical infrastructure — the FSI, government, and health sectors — had been targeted by non-state cyberthreat actors (including terrorist groups) with DDoS, ransomware, and phishing attacks. Whether the motive is money, political advantage, or something else, the reason matters less than the intent. The goal is to disrupt, disable, or destroy the technological parts of our society on which we rely most.

Industrial control systems (ICS) sit at the heart of these parts, overseeing their efficient operation and making economies possible. Their importance calls loudly for protection, but unfortunately this is where things get complicated. Cybersecurity as it relates to ICS is obscured by myths, four of which we explore here. We explore them so decision makers will be armed for a fight that we, as a society, must win.

Air-gapping brings absolute security

Picture in your mind a fictional security team facing a threat they cannot stop. The movie move is to pull the plug, to rip the server from the wall. In the real world, a similar, somewhat famous tactic springs to mind when trying to solve the problem of immunizing critical infrastructure from cyberattacks. Absolute isolation. Air-gapped equipment cannot possibly be infiltrated, right? A disconnected environment offers no paths to anywhere, let alone anywhere valuable. You may be surprised to learn that this is a misconception.

In truth, even air-gapped systems are susceptible to attack, because not every attack vector requires an Internet-facing asset. Any physical access to an air-gapped system can deliver a dangerous payload. That access could take the form of malicious insider activity or of unwitting participation by an innocent, authorized individual. The latter may have been compromised as part of a supply-chain attack and may then carry in trusted removable media such as USB drives, unaware that the media has been stealthily infected with malicious code.

SIS is the last word

Safety Instrumented System (SIS) solutions are widely touted as the last word in ICS security — impenetrable. It is tempting to run towards a panacea, but panaceas have a long history of being exposed as snake oil. The truth is that the value of SIS has been grossly oversimplified. In the modern threat landscape, malicious actors have become so sophisticated that a sense of cyber-maturity can itself become a source of denial if it is not paired with constant vigilance.

If we need convincing, we should remember the TRITON malware attack of 2017, which went after the SIS itself at a petrochemical plant in Saudi Arabia. The TRITON attackers tried to take control of industrial safety systems through an advanced persistent threat (APT) attack. APTs are the nightmare scenario for those tasked with protecting critical infrastructure: stealth is their top priority as they sow the seeds of doom. The rise in their incidence has led to industry-wide reimaginings of SIS architecture. While SIS will likely remain a keystone of critical infrastructure defense strategies, we must remember that it is not a deploy-and-forget solution.

Our adversary is that kid from ‘WarGames’

Again, Hollywood movies instill a sense of the world that is not quite right. In 1983’s “WarGames”, Matthew Broderick portrayed a youngster who almost set the world on fire using his pre-Windows PC. The image of lone wolves taking down critical systems persists to this day, and while our modern imaginings may be slightly more sinister than the homely Mr. Broderick, they are no more accurate.

External, shadowy figures in faraway basements are, of course, sometimes the source of ICS assaults. But insider threats can be just as impactful. Indeed, the fact that they are often overlooked can make them even more damaging than remote attacks. In 2000, in Australia, a disaffected former employee of a sewage treatment plant in Maroochy Shire, Queensland, manipulated a SCADA system to cause extensive sewage leaks across several local areas over a period of two months.

Antivirus engines can save the day

Despite some suggestions to the contrary, antivirus software is not a relic. What is antiquated, though, is the notion that bundling a few antivirus solutions together will be enough. Even a handful of the industry’s top-tier antivirus offerings will not withstand the sophisticated, evasion-capable threats that skulk beyond our walls. You need far more than that. Some studies show that increasing the number of engines can increase detection coverage. One report suggests that if an organization goes beyond 30 installed engines, detection accuracy rates can reach 99%, but the same report notes that just 3% of organizations reach this level. Even if your organization were one of the 3%, would you have the staff to pursue your findings?

Myth busting for beginners

Our myths inform our actions. They help us make decisions. But when those decisions lead us into a false sense of security, we are in trouble. And when a false sense of security meets critical infrastructure, we could be courting disaster. Defense of our most precious systems should be multifaceted and driven by experts who know the difference between fact and fiction. They will understand the risks, having undergone continuous training. They will be steeped in industry wisdom and have experience of effective defense-in-depth strategies. With the right knowledge and a diverse array of security tools and approaches, we can have the safe ecosystem of which we have always dreamt.