Critical infrastructure is the backbone of any country. Today, governments are acutely aware of the threat that terrorists, state-sponsored hackers, cybercriminals and hacktivists pose to control systems within a critical environment. As a result, protection (rightly) lies at the heart of every governmental cyberstrategy.
The number of cyberattacks launched against critical infrastructures worldwide is constantly growing. And while the security levels of these systems are often poor, the attacks launched against them have grown increasingly complex. In some cases, an attack on a supervisory control and data acquisition (SCADA) system doesn't require specific skills — the availability of automated tools for scanning and exploitation of known vulnerabilities, the absence of defense systems and overall poorly configured systems all enable attackers to do their worst.
Identifying Main Cyberthreats
According to Techworld, Infracritical security experts Bob Radvanovsky and Jacob Brodsky, in collaboration with the Department of Homeland Security, carried out a vulnerability assessment of 500,000 SCADA/ICS systems deployed in some of the United States' critical infrastructure. The results of their research are disconcerting: many devices were exposed directly to the Internet without proper security defenses, and the authentication that did exist was weak, often nothing more than a vendor default password. The two specialists wrote a series of scripts to automate searches on Shodan, a search engine that indexes Internet-facing devices, and were able to retrieve information that would be particularly useful to attackers, such as a device's geographic location and the version of the operating system installed on it.
According to a report issued this past May by US Congressmen Ed Markey and Henry Waxman, around 10 percent of the US's infrastructure is under attack in some regard, whether via malware or spear-phishing. The report includes an economic evaluation of the impact of grid vulnerabilities, estimating that power outages and related damages cost the US economy between $119 billion and $188 billion per year, and that a single successful cyberattack could cause losses upwards of $10 billion. The bad news doesn't stop there: according to The Federal Government's Track Record on Cybersecurity and Critical Infrastructure, more than 48,000 cyber incidents were reported against US government systems in fiscal year 2012. Many of them succeeded because of failures to apply very basic security measures such as patching and updating software, using strong passwords and upholding otherwise sound security standards.
Early this year, the US Government issued the Framework for Improving Critical Infrastructure Cybersecurity in response to Executive Order 13636, which states that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." The intent of this framework is to improve security for the IT and SCADA networks deployed in sensitive sectors such as energy, water and financial services. It shares information on cyberthreats and outlines and defines the best practices that are vital for mitigation.
Considered to be a living document, this framework is designed to grow as government agencies and private entities contribute. Over time, their contributions will create a part-proactive, part-reactive dynamic environment that will mitigate existing threats and help design solutions for the future protection of critical systems. According to the framework, to increase a control system's level of security, it is recommended that organizations:
- Use secure channels (such as VPNs) for remote access to critical systems
- Implement account-lockout strategies to neutralize brute-force attacks
- Avoid usage of default system accounts and adopt strong password policies
- Monitor the creation and usage of administrative accounts by third-party vendors
- Implement protections against data leaks
Source: National Institute of Standards and Technology
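The second recommendation, account lockout against brute-force attacks, is easy to state but has two details that matter in practice: failures should be counted over a sliding window (so a slow guesser is still caught, while stale failures from hours ago do not accumulate forever), and an account that is locked must refuse even a correct password until the lockout expires, otherwise the lockout gives the attacker a confirmation oracle. The following is an added example, not code from the framework or from NIST; the thresholds (5 failures in 300 seconds, 900-second lockout) and the login events are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Illustrative thresholds; a real deployment tunes these per account class.
MAX_FAILURES = 5        # failed attempts tolerated inside the window
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked once tripped


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Per-account lockout with a sliding failure window."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, ts, user, credential_ok):
        """Evaluate one login attempt at time ts.

        Returns 'allowed', 'denied' (bad credential, not yet locked) or
        'locked' (rejected regardless of the credential supplied).
        """
        st = self._state(user)

        # While locked, do not even consult the credential: a correct guess
        # during lockout must look identical to a wrong one.
        if ts < st.locked_until:
            return 'locked'

        # Drop failures that have aged out of the sliding window.
        while st.failures and ts - st.failures[0] > self.window:
            st.failures.popleft()

        if credential_ok:
            st.failures.clear()
            return 'allowed'

        st.failures.append(ts)
        if len(st.failures) >= self.max_failures:
            st.locked_until = ts + self.lockout
            st.failures.clear()
            return 'locked'
        return 'denied'


# Constructed sample login events: (timestamp, account, credential_ok).
# 'operator' is brute-forced and then tries the right password while locked;
# 'engineer' mistypes once and then logs in; 'tech' fails four times, waits
# beyond the window, and fails once more (should NOT lock).
SAMPLE_EVENTS = [
    (0, 'operator', False),
    (0, 'tech', False),
    (5, 'engineer', False),
    (10, 'operator', False),
    (10, 'tech', False),
    (15, 'engineer', True),
    (20, 'operator', False),
    (20, 'tech', False),
    (30, 'operator', False),
    (30, 'tech', False),
    (40, 'operator', False),   # fifth failure: lock until t=940
    (50, 'operator', True),    # correct password, but still locked
    (400, 'tech', False),      # earlier failures aged out: just 'denied'
    (1000, 'operator', True),  # lockout expired: allowed
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events through one policy and return the outcomes in order."""
    policy = LockoutPolicy()
    return [policy.attempt(ts, user, ok) for ts, user, ok in events]


if __name__ == '__main__':
    for (ts, user, ok), outcome in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={ts:4d} {user:9s} credential_ok={ok!s:5s} -> {outcome}")
```

One caveat a practitioner would add: in a control-system environment, lockout on operator or HMI accounts is itself a denial-of-service lever for an attacker who can reach the login prompt, so it is usually paired with source-IP throttling, alerting on the lock event and an out-of-band recovery path rather than relied on alone.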
Protecting against data leaks is what brings the cybersecurity discussion around to addressing software vulnerabilities. Web-accessible applications are now the number-one attack vector for successful breaches, according to the Verizon DBIR. As mentioned above, Radvanovsky and Brodsky's research showed many devices were exposed online. Over the last decade, critical infrastructure technology has evolved from isolated and proprietary systems into highly interconnected open architectures and standard technologies that use numerous third-party and open source components during development. Software vulnerabilities in these components can put data at risk, so performing routine software assurance assessments is the foundation of a strong defense against cyberthreats. Implementing these assessments at an operational level, as implied by the framework, requires a systematic approach to developing secure software.