Critical infrastructure systems and services such as electric grid, communications, banking, health care, transportation, and others keep the society humming. Their absence can bring life to a standstill by resulting in contamination of the water supply, loss of power across major cities causing everything from ATMs to traffic lights to go dark. Consequently, their inability to perform can exert a draining impact on national security, economic security, public health, and safety. To clearly emphasize this gravity of Critical infrastructure systems, National Cyber Security Awareness Month has finalized on Safeguarding the Nation’s Critical Infrastructure as its last week’s theme.
Earlier, critical infrastructure systems solely used to rely on computer-based controls, software, and data communication. Today, in an era of technological exponentials, critical systems are becoming increasingly pervasive and interconnected. Acting as a loophole, this hyperconnectivity is making critical systems vulnerable to cyber attacks. And there are enough real-life examples of it. Saudi Aramco, which produces 12% of the world’s oil output, faced the severe brunt of cyber attacks in 2012. A scam email containing a link that downloaded a piece of malware known as “Shamoon” tricked the computer technician. The virus swiftly proliferated through the company’s network and partially destroyed 35,000 computer workstations. For five months, the company was in a recovery phase. The similar threat was replicated in the form of Stuxnet virus, go visit leohamel.com which spread to 14 industrial sites and destroyed 1,000 centrifuges at an Iran nuclear facility in 2010.
Fortunately, America hasn’t gone through such calamity yet. But there is always a possibility, especially when the modes of cyber attacks have become more diverse and sophisticated. Government is aware of this lurking danger. In 2013, then-President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for an updated and overarching national framework led by the Department of Homeland Security (DHS) for coordinating protection, detection, mitigation of and recovery from cyber incidents. The Trump administration has continued the emphasis on increasing cybersecurity with a new executive order that builds upon the previous one, and among other things, makes use of the NIST Cyber Security Framework mandatory for federal agencies. Government is leaving no stone unturned in cyber-securing the critical infrastructure. But no effort is actually “big enough” in weeding out the cyber threat nettle. It indeed needs a holistic and 360-degree approach. The following listing is an effort to put a foot in that direction.
A) Detecting Vulnerabilities:
Most of the organization’s exposure to vulnerabilities is much beyond the areas stereotypically highlighted in media headlines. More than patches, the identified vulnerabilities need solutions such as complex configuration updates. Use of security software and Automated Vulnerability Remediation (AVR), which has evolved to meet the needs of administrators, thus, should become a norm.
Even after vulnerabilities get identified, network admins should try to fix them like a thorough. RSA believes that governments should view their security needs as three-fold:
- keeping threats from getting in through the network
- controlling access to information once people are on the network
- protecting data at rest in systems within the network
It then calls for a mixture of authentication, access management, intrusion detection, and anti-virus solutions. Even though each has a role to play, no single component can secure critical infrastructure on its own.
B) Reducing the Cyber Hygiene Gap:
The biggest hurdle in safeguarding nation’s critical infrastructure is the lack of clear understanding of basic cyber hygiene among IT and security staff. The government officials haven’t been trained properly. Furthermore, there is a lot of confusion and misconceptions regarding appropriate methods to protect systems. For example, cybersecurity governance frameworks like NIST, ISO, and IEEE are comprehensive. But what renders them less useful is their generality – leaving critical implementation details to each organization. Organizations, more than often, fail prey to the marketing ploy of cyber tool vendors who claim to provide a silver bullet to all the cyber threat issues. First and foremost, it must be realized that the problem of cybersecurity is much more complex than can be solved by any single tool.
C) Securing IoT Platforms:
With more and more devices getting connected to networks, today’s IT infrastructure is incomplete without IoT. As a flip side of its enhanced connectivity level, IoT poses a substantial risk to communications and infrastructure platforms. It comes with several layers that need to be protected along with reducing misuse of data in IoT platforms. Note that Brickerbot has already successfully “bricked” 5,000 IoT devices at an unnamed university in the US. Its spread into government organizations can permanently cripple critical infrastructure. Here are a few examples of security threats on IoT platforms that need to be prevented:
- DDoS Attacks: Distributed denial of service (DDoS) is by far the biggest risk today with attacks taking down sites and making them unavailable. Admins must try to mitigate critical web application security risks including SQL injection, cross-site scripting, illegal resource access, remote file inclusion, and others.
- Web Threats: To nullify web threats, it’s necessary to analyze customizable security rules, level 1 PCI-certification, low false positive alerts, and crowdsourced threat information.
- Data Theft: To maintain uncompromised data, Infrastructure protection for subnets and individual IPs is mandatory. It allows inspection and filtering of incoming network traffic, and thereby submission of legitimate traffic to the enterprise network via GRE tunneling.
D) Tying Up with The Private Sector:
It may sound surprising, but 85% of our nation’s critical infrastructure is owned and operated by the private sector. Without undermining government’s leadership and coordination role, the private sector, thus, becomes an essential cog in the wheel of safeguarding nation’s critical infrastructure. Information exchange and cooperation among them can allow both sides to address awareness, training, technological improvements, vulnerability remediation, and recovery operations.
Many companies are helping crucial agencies and departments within U.S. local, state and federal governments. Through Dynamic Threat Protection framework, they are combining security intelligence and technology to protect against known and unknown attacks. Generally, they provide protection, including:
- Protection engine to drive Intrusion Protection and Vulnerability Detection agents across the network, server, desktop, and application
- SiteProtector as a management platform to provide centralized control, command and event management
- Fusion which provides attack pattern recognition and impacts analysis to minimize false alarms