Cyberattacks Put Critical Infrastructure Under Fire
The growing number of cyberattacks has become one of the most serious economic and national security threats facing companies and governments. And while the headlines have focused on data breaches at organizations including Sony, the International Monetary Fund, Lockheed Martin, Google, Citigroup and the Arizona Department of Public Safety, U.S. infrastructure is also susceptible to attacks.
Critical infrastructure operators have to be on the offensive against cybercriminals no matter whether they oversee stock markets, power grids, railways, nuclear plants, water supplies, health care facilities, chemical plants, telecommunications or research laboratories. All are prime targets for hackers.
Sophisticated exploits such as Stuxnet, a computer worm that targeted nuclear power plant operators in the summer of 2010, and an April attack on Oak Ridge National Laboratory, a U.S. Energy Department facility that studies nuclear fusion and hosts one of the nation’s super computers, are just the tip of the iceberg. A recent survey conducted by McAfee and the Center for Strategic and International Studies revealed that 80% of critical infrastructure operators have faced threats ranging from denial-of-service attacks to extortion to advanced persistent attacks.
Government cybersecurity experts who testified in front of the House of Representatives’ Energy and Commerce Subcommittee on Oversight in July further highlighted the concern, asserting that the country is lagging in its effort to beef up IT security. According to witness statements by senior cyberdefense personnel from the Department of Homeland Security (DHS) and the Government Accountability Office, the government’s efforts to safeguard military and private-sector networks deemed to be part of the country’s critical infrastructure are far behind schedule. Only two of 24 recommendations from the Obama administration’s “Cyberspace Policy Review” have been implemented since its release in May 2009. Progress has been slow because federal agencies struggle to clearly define roles and responsibilities, according to the experts. Furthermore, DHS needs to improve its analysis and warning capabilities to be able to respond to threats.
In addition, the witnesses voiced their concerns about critical industrial systems being able to fend off Stuxnet. According to Sean McGurk, director of DHS’ National Cyber-security and Communications Integration Center, it was questionable if all of the approximately 300 companies using the Siemens systems that Stuxnet could compromise had implemented the recommended security precautions to guard against the worm. Others have similar fears. Within DHS, many worry that other attackers can use “increasingly public information” about the worm to launch variants that would target other industrial control systems.
Similar concerns came from U.S. Cyber Command head General Keith Alexander, who stated at his confirmation hearing that “the Department of Defense requires a focused approach to secure its own networks, given our military’s dependence on them for command and control, logistics and military operations.” Gen. Alexander emphasized that one of his priorities as the new head of the nation’s cyberdefense would be building the capacity, the capability and the critical partnerships required to secure operational networks. (See “Hacking the Military,” page 30).
With the re-emergence of “grey hat” hackers, a term that includes the high-profile groups LulzSec and Anonymous and describes those motivated by activism or an anti-security ideal, critical infrastructure providers are facing a far larger pool of combatants than they had to confront just 12 months ago. With the radicalization of the activist movement over the past few years, this group of hackers represents a serious threat to critical infrastructure providers. Anti-nuclear activists, for example, could attempt to disrupt a nuclear power plant to engender fear among citizens and exploit the ensuing media coverage for their own purposes.
Unscrupulous “black hat” hackers, which include organized cybercriminals, terrorists and state-sponsored attackers, still present a major threat. For instance, organized cybercriminals could attempt to manipulate the stock market or ask for ransom in exchange for not harming the provider’s infrastructure. There have been several unconfirmed reports of businesses and industry sectors being hit with extortion attempts.
The killing of Al Qaeda leader Osama bin Laden and subsequent release of intelligence data illustrated the sophistication and cyberwarfare capabilities of modern terrorist networks. Considering the fatal consequences a rapid shutdown of a nuclear plant could have for a whole region, these facilities are a very desirable target for terrorists.
Perhaps the most-publicized cyberthreats have come from state-sponsored attackers. Such actors may be driven by any number of tactical and strategic motives, including commercial, military and intelligence gathering. Internet security experts, Western governments and corporate America believe that the majority of cyberattacks originate from state actors, with China and North Korea being two of the countries most often involved in incidents.
Recently, McAfee discovered a long-running and wide-ranging hacking operation, known as “Operation Shady RAT,” which targeted government, commercial and nonprofit interests around the world. While the motivations of—and the damage done by—whoever carried out these stealth attacks remains unknown, it shows that the potential exists for hackers to create chaos, thereby forcing the target nation to divert attention and manpower to dealing with internal issues rather than an external conflict.
Securing Critical Infrastructure
The dilemma that critical infrastructure providers are facing is that traditional vulnerability controls are often unable to keep up with evolving exploits. Commonly, these security tools, which include perimeter intrusion detection, and signature-based malware and antivirus solutions, operate in silos and are unable to create a closed-loop process with continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack risk-based prioritization, whereby vulnerabilities and associated remediation actions are not based on the risk to the business.
Besides close collaboration with the DHS, infrastructure providers should consider overhauling their approach to counter cyberattacks and prevent data loss, unauthorized disclosure and data destruction.
Implementing an information security risk management program that integrates and interconnects components such as security event management, asset management, threat management, vulnerability management, security configuration management, security patch management and security incident response management will yield important benefits. (For more details, see the below sidebar, “Establishing an Information Security Risk Management Program.”)
First, it will reduce risk by making threats and vulnerabilities visible and actionable. This will enable organizations to prioritize and address high-risk security exposures before breaches occur. The program will also reduce costs by unifying solutions, streamlining processes, adding automation and reducing redundant, manual efforts. Response readiness will improve with greater understanding of existing exposures, testing response capabilities and reporting gaps. And by generating reports and metrics to demonstrate efficiency and effectiveness, the organization will be able to better assess and measure its risk profile
Establishing an information security Risk Management Program
1. Perform risk assessments to determine which systems have sensitive data and are therefore the most critical to protect.
2. Based on the results of the risk assessments, pinpoint the locations where sensitive data is stored. Then ensure that the most secure systems are isolated from any direct internet traffic.
3. Consider the sensitivity of any data from scanners, vulnerability feeds, patch management systems and configuration management systems—especially those with personally identifiable information. Be sure any critical assets are consolidated and moved to a better-protected location.
4. Identify all the vulnerabilities to these most-critical systems to understand the remaining risks the company faces and ensure that controls are put in place to counter these threats.
5. Create and track tickets to put controls and remediation actions in place to prioritize any vulnerabilities threatening these systems.
6. Manage workflows associated with all of the above processes.
7. Regularly report on risks, vulnerabilities and effectiveness of all remediation efforts.
8. Manage emergency response processes and procedures in the event that a data breach does occur in order to minimize any associated damages.