What was the one event, other that the democratisation of the internet, that gave cyber-criminals the edge in targeting critical national infrastructure (CNI)?
It is the integration of information technology (IT) systems used for data-centric computing with operational technology (OT). Simply put, the convergence of OT and IT, according to the industry leaders who spoke at the Infosecurity Europe conference in London today (4 June).
The UK government’s Centre for Protection of National Infrastructure defines CNI as those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends.
"Historically, we were protected because we had separations between these networks," said Raj Samani, chief scientist at McAfee. "It was sparations like these that prevented attacks like Shamoon. That no longer exists due to a number of reasons".
Business concerns and profitability stood first in the list of reasons, widening the surface for possible breaches. Linking the internet provided an outsider with access to these critical network, from either a linked non-critical network or an external location.
Even worse was the case of an employee linking to an unsafe portal on the internet from within the critical network. Samani cited the experience of Joel Langill, known in the industry as SCADAhacker. A professional penetration tester of critical infrastructure facilities, he found an employee in the base of a central utility facility downloading songs using the plant’s network.
"He had bypassed all the security and connected directly on to the internet. That’s probably not what you want from a system inside your control network," said Samani.
Things get more complicated when the supply chain networks of the business join, pointed out cyber-security consultant Mo Ahddoud.
A quick question thrown at the audience of industry members revealed that ten firms had a policy for supply control network management. When it came to having a strategy for managing supply control risks, only one among them confirmed.
"One of the post-incident approaches that we take is to invite all of the supply chain into the post-incident wash-up day, along with our security vendors, as we walk through what went wrong. That could be really fruitful," said Ahddoud.
According to Samani, it all boils down to three words: Know your risk. Something like EternalBlue could completely ravage systems across critical infrastructure because the risk was not identified and mitigated, he said.
"Cyber-security isn’t difficult. You look at the majority of the breaches. They were done because somebody clicked on a link or somebody had a weak password or because there was a vulnerable system that wasn’t patched or there was an architectural flaw," he said. "Know your risk, and then implement the mitigation step. It’s that simple."