For any nation, protecting critical infrastructure is, as the term suggests, critical.
As the US Department of Homeland Security (DHS) stated recently, critical infrastructure is the backbone of our country's national and economic security. Such infrastructure encompasses power plants, chemical facilities, cyber networks, utilities, public health and government buildings. As more and more of these entities and systems become connected to (and powered by) the internet, they have become easier to manage than ever before.
This interconnectedness, however, exposes critical infrastructure to many of the web-based problems that enterprises and consumers have encountered as our daily lives have become more centred on the internet: in particular, cyber attacks. In spite of the importance of critical infrastructure, and often because of it, violations and targeted attempts at manipulation are common.
Breaches of national critical infrastructure occur globally. Last July the Indian government suffered a major cyber attack that resulted in roughly 12,000 accounts being hacked. These included several high-level officials from the Ministry of External Affairs, Defence Research and Development Organisation (DRDO), Ministry of Home Affairs and the Indo-Tibetan Border Police (ITBP).
In 2012, ICS-CERT issued an alert advising American utilities to monitor internet-facing control systems for activity by hackers attempting to gain remote access to control systems through brute-force authentication attacks. The attackers attempted to obtain a user's logon credentials by guessing usernames and passwords. Meanwhile in the UK, the number of data breaches involving NHS trusts has risen by almost 1,000 per cent over the past five years.
A recent report revealed that approximately 50 critical infrastructure operators in Australia have been breached in the last year. Not only are such breaches common, but they also have the potential to cause significant damage – out of the 50 operators who experienced a breach, nine lost proprietary information and ten had experienced more than ten breaches in the last year.
Most of these breaches were a result of misconfigured operating systems, devices being stolen, vulnerabilities in the software and automated hacking tools. In the UK, there have been a number of high-profile incidents of mishandling data, including by the Greater Manchester Police, which was hit with a Conficker worm infection after staff used infected USB sticks from home in their office PCs.
Attacks on critical infrastructure are not only damaging, but can be difficult to both detect and repair. In the US, one particular power company was infected with a virus at the end of last year – this damaged the facility's turbine control systems, infecting ten computers that were connected to them. It took three weeks of errors and hold-ups before cyber security experts realised what had happened.
Governments have largely recognised the extent of the cyber threat and put standards in place. For example, the US Department of Homeland Security recently issued a warning that America was not fully prepared to defend itself from cyber attacks. In February, President Barack Obama issued an executive order requiring both federal authorities and organisations operating systems of national interest to work together to enhance protection. Currently there are a number of US non-profit organisations that issue best-practice standards, such as NERC.
For governments within the European Union, current EU law mandates that only telecoms companies and data controllers have to report significant security incidents or adopt specific security measures. Earlier this month, the European Commission published an EU Cyber Security Strategy including a proposed Directive on Network and Information Security (NIS Directive). This directive proposes that owners within the critical infrastructure will also have to adhere to these reporting regulations.
Throughout the world, government agencies and non-profit organisations exist to provide advice and best practice measures to protect the national infrastructure. For instance, in the UK there is the Centre for the Protection of National Infrastructure (CPNI), while the Australian government's Critical Infrastructure Protection Modelling and Analysis Program (CIPMA) aims to enhance the protection of Australia's critical infrastructure.
These measures, however, are mainly advisory. Obama's Executive Order is more encouragement than definitive action. Recently in India an adviser to the National Technical Research Organisation - a specialised technical intelligence gathering agency - suggested that national cyber security agencies were not in a position to defend Indian critical infrastructure facilities from a synchronised attack.
While the EU Directive will go some way to prescribing specific security standards and imposing regulation, it has not helped to solve what I see as the central issue – that the generation, distribution and transmission of energy are dependent on having secure network and information systems.
In all of these worldwide examples, despite security of the network being vital, defences were alarmingly penetrable. Organisations should allow only 'known' devices and 'known' users to connect to the network in order to protect themselves. By only connecting 'known' devices to the network, companies can better enforce policies and limit the potential for cyber attacks.
This hardware-level security has already been deployed on more than 600 million PCs. Think about it – we already use this type of technology in our garage door openers and our Bluetooth headsets. With a TV cable box, for example, it's the device that allows you to access your channels. Device identity is key – with your mobile phone, you can log on with a PIN that allows the hardware in the phone to become connected. Starting with the device means that the security is built in - part of the hardware - and not added on. With the device as the foundation, you have simple and direct control over exactly who has access to your data, with what devices, over what networks. It's the basis for every mobile phone carrier - so why not in our control systems?
Cyber attacks on utilities can be prevented in the future, but we need to take the necessary steps now to ensure that our infrastructure systems are protected. Using modern encryption methods, organisations no longer even need to rely on passwords to secure their devices – meaning no more passwords to lose or remember. The device acts as the token, leveraging the trusted platform module to securely store and manage user credentials. The user logs into the device by entering a PIN or using a sensor; the device then logs the user into all business services.
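The known-device, known-user model described above can be sketched as a challenge-response admission check. This is an added example, not code from the author or any product: the `Device` and `Gateway` classes and all names are hypothetical, and a shared HMAC key stands in for the TPM-protected key, which in a real deployment would normally be an asymmetric key that never leaves the TPM.

```python
import hashlib
import hmac
import secrets

class Device:
    """Stand-in for a TPM-backed device: the key is usable only after a local PIN check."""
    MAX_TRIES = 3

    def __init__(self, device_id, key, pin):
        self.device_id = device_id
        self._key = key          # assumption: models a key sealed inside the TPM
        self._pin = pin
        self._bad_tries = 0

    def respond(self, user, pin, nonce):
        # The PIN is verified on the device and is never sent over the network.
        if self._bad_tries >= self.MAX_TRIES:
            return None          # locked out after repeated wrong PINs
        if not hmac.compare_digest(pin, self._pin):
            self._bad_tries += 1
            return None
        self._bad_tries = 0
        msg = b"|".join([self.device_id.encode(), user.encode(), nonce])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

class Gateway:
    """Admits a connection only for a known device AND a user enrolled on it."""

    def __init__(self):
        self._devices = {}       # device_id -> (key, set of enrolled users)
        self._pending = set()    # outstanding single-use challenges

    def enrol(self, device_id, key, users):
        self._devices[device_id] = (key, set(users))

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def admit(self, device_id, user, nonce, tag):
        if nonce not in self._pending:
            return False         # unknown or replayed challenge
        self._pending.discard(nonce)   # each challenge is valid once
        entry = self._devices.get(device_id)
        if entry is None or user not in entry[1] or tag is None:
            return False         # unknown device, unknown user, or device refused
        msg = b"|".join([device_id.encode(), user.encode(), nonce])
        expected = hmac.new(entry[0], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

No password crosses the network in this exchange, so remote guessing of usernames and passwords has nothing to work against; a captured response is useless once its challenge has been consumed.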
We've realised the scope and extent of the threat to our national critical infrastructures, and now it's time to start implementing effective solutions. Let's start by restricting access to only authorised machines – with strong device ID. That's the networking model that will bring 'carrier-class' security to industrial control systems and help to protect the 'critical' element of our facilities.
Joseph Souren is vice president and general manager for EMEA at Wave Systems