Since the advent of modern terrorism, we have seen increased physical security at power plants, airports, water treatment facilities, and many other locations.
Jens Stoltenberg, Secretary General of NATO, recently stated that ‘a cyber-attack can be as destructive as a conventional attack, and practically every conflict has a cyber dimension… being able to defend ourselves in cyber-space is just as important as defending ourselves on land, at sea and in the air’. Indeed, securing the complex IT systems that run the facilities we rely on every day is just as vital to our safety, if not more so.
We only need to recall the repercussions of last year’s WannaCry attack, which cost the NHS an estimated £180,000 and caused the cancellation of approximately 20,000 appointments, to see how severe the consequences can be when a critical national infrastructure (CNI) provider is hit.
There is also Stuxnet, the worm used to attack and damage Iranian nuclear facilities, which is widely regarded as a cyber-weapon built for that purpose: it targeted the SCADA and industrial control systems (Siemens PLCs) that ran the uranium-enrichment centrifuges. In addition, a 2017 cyber-attack on EirGrid, operator of Ireland’s electricity transmission grid, is believed to be the work of state-sponsored attackers: routers were compromised, allowing communications to be intercepted.
Perhaps unsurprisingly, a poll of 100 MPs from the main political parties conducted earlier this year found that 62 percent believed attacks on CNI represent the biggest cyber-security threat facing the UK. The growing threat was also addressed in May, when the Network and Information Systems (NIS) Regulations came into force: energy, transport, water, health and other critical services providers can now be fined up to £17 million if they fail to have robust safeguards in place against cyber-attacks.
The increased need for visibility
The days of keeping systems isolated and unconnected from networks are rapidly ending, yet getting a complete picture of an organisation’s estate is especially difficult in CNI sectors. Operators run numerous disparate systems, many of them legacy or embedded, all becoming increasingly connected and generating huge volumes of data that has traditionally been kept in information silos. With such a sprawling, complex attack surface, operators need visibility across these silos so they can build a complete picture across multiple systems.
There are numerous measures that can help defend against cyber-attacks. Addressing external attackers is the obvious first step, but it is not enough on its own. You can deploy firewalls, scan e-mail for malware and enforce multi-factor authentication, but attackers see CNI targets as high-value, so these controls alone will not deter a determined adversary. Even air-gapping systems is not a foolproof defence: Stuxnet is believed to have reached air-gapped equipment via infected USB drives.
The next step is scenario monitoring: CNI operators need to look for anomalies and respond to them, ideally automatically. Anomalies must be identified, containment measures taken, and only then can the situation be investigated in detail.
The role of UEBA
Tools such as User and Entity Behaviour Analytics (UEBA) are becoming increasingly important in the fight against modern-day cyber-crime. They can detect and respond automatically not only to intrusion attempts but also to unusual behaviour from staff or partners: for example, an employee who accesses far larger volumes of data than usual, or works with data for geographic regions they do not normally cover, may be colluding with attackers (or simply with competitors). UEBA can identify the anomaly, flag it for investigation and suspend the account’s access until the investigation is complete.
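As an added illustration, not code from the original article or from any vendor product, here is a minimal UEBA-style check in Python over a constructed per-user access log. It builds a per-user baseline of daily data volume and of the countries sessions normally originate from, then scores a new day’s events and proposes a graded response. The record layout, the user names, the thresholds and the ‘suspend’/‘investigate’ actions are assumptions for the example; ‘region’ here is read as the country a session comes from.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Constructed sample data for the example (not real logs). Each record is
# (user, day, bytes_read, session_region): how much a user pulled from a
# shared document store that day, and the country the session came from.
HISTORY = [
    ("alice", 1, 120_000, "GB"), ("alice", 2, 95_000, "GB"),
    ("alice", 3, 110_000, "GB"), ("alice", 4, 130_000, "GB"),
    ("alice", 5, 100_000, "GB"), ("alice", 6, 115_000, "GB"),
    ("alice", 7, 105_000, "GB"),
    ("bob", 1, 48_000, "GB"), ("bob", 2, 52_000, "GB"),
    ("bob", 3, 50_000, "IE"), ("bob", 4, 49_000, "GB"),
    ("bob", 5, 51_000, "GB"), ("bob", 6, 50_000, "IE"),
    ("bob", 7, 50_000, "GB"),
]

# The day being monitored (also constructed).
NEW_EVENTS = [
    ("alice", 8, 108_000, "GB"),     # within alice's normal range
    ("alice", 8, 4_000_000, "GB"),   # roughly 35x her usual daily volume
    ("bob", 8, 51_000, "RU"),        # normal volume, never-seen region
    ("carol", 8, 20_000, "GB"),      # no history at all
]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    action: str  # "suspend" (block access pending review) or "investigate"


def build_baselines(history, min_days=5):
    """Per-user (mean bytes, std-dev bytes, known regions) from the history.

    Users with fewer than min_days of records get no baseline: scoring them
    against two or three data points would produce noise, not signal.
    """
    volumes = defaultdict(list)
    regions = defaultdict(set)
    for user, _day, nbytes, region in history:
        volumes[user].append(nbytes)
        regions[user].add(region)
    return {
        user: (mean(v), pstdev(v), frozenset(regions[user]))
        for user, v in volumes.items()
        if len(v) >= min_days
    }


def score_event(baselines, user, nbytes, region, z_threshold=3.0) -> Optional[Finding]:
    """Compare one event with the user's baseline; None means 'looks normal'."""
    if user not in baselines:
        # Unknown or brand-new account: cannot call it anomalous, but an
        # analyst should look, since attackers often act through fresh accounts.
        return Finding(user, "no behavioural baseline for this user", "investigate")

    mu, sigma, known_regions = baselines[user]
    # A very flat baseline has a tiny sigma, which would turn ordinary
    # day-to-day variation into "anomalies"; floor the spread at 5% of the mean.
    spread = max(sigma, 0.05 * mu)
    z = (nbytes - mu) / spread

    reasons = []
    if z > z_threshold:
        reasons.append(f"volume {nbytes:,} bytes is {z:.1f} sd above the usual {mu:,.0f}")
    if region not in known_regions:
        reasons.append(f"session from {region}, never seen before (known: {sorted(known_regions)})")
    if not reasons:
        return None

    # Graded response: a bulk read far outside the norm is the collusion /
    # exfiltration pattern and warrants suspending access pending review; a
    # new region on its own has benign explanations (travel) and is queued
    # for an analyst instead.
    action = "suspend" if z > z_threshold else "investigate"
    return Finding(user, "; ".join(reasons), action)


def evaluate(history, events):
    """Run every new event against the baselines and return the findings."""
    baselines = build_baselines(history)
    findings = []
    for user, _day, nbytes, region in events:
        f = score_event(baselines, user, nbytes, region)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in evaluate(HISTORY, NEW_EVENTS):
        print(f"{f.action:11s} {f.user}: {f.reason}")
```

Two design points matter in practice. First, the response is graded rather than ‘suspend on any anomaly’: on a CNI network an automated lock-out is itself a safety event, so it should be reserved for high-confidence signals such as the bulk read, while a lone new region goes to an analyst. Second, the spread floor stops a user with a very regular pattern from generating an alert on every small fluctuation; a production system would also compute baselines per role or peer group, not only per individual, so that a new starter is compared with colleagues rather than left unscored.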
UEBA is one of the capabilities of a next-generation SIEM, now a crucial element of any organisation’s cyber-defence: it detects anomalous activity and responds with alerts and automated mitigation. Security automation and orchestration (SAO) can also free up time so that in-house IT teams can focus on other important tasks and improve operational efficiency. Network forensics tooling can provide visibility into more than 3,000 distinct applications, along with detection for cloud, bring your own device (BYOD) and Internet of Things (IoT) traffic.
Finally, advanced security analytics backed by artificial intelligence (AI) and machine learning supports automated, real-time alerting to verify suspicious activity, as well as reporting for regulatory compliance and audit requirements.
To avoid future cyber-attacks that could threaten the country’s vital infrastructure, intelligent, comprehensive cyber-security tools must be implemented. There needs to be a holistic overview: a complete picture across a CNI operator’s many IT systems. When this level of visibility is paired with behaviour analytics, CNI firms are in the best position to anticipate and counteract future cyber-attacks.
Contributed by Ross Brewer, vice president and managing director EMEA, LogRhythm.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.