At the RSA Conference in San Francisco this year, researchers demoed a ransomware attack crafted specifically to take control of a water treatment plant. Given the growing number of critical national infrastructure (CNI) providers knocked offline recently, including many NHS Trusts, this could be a worrying portent. There is a very real danger that CNI attacks go mainstream in 2017, supported by a cyber-crime industry that grows more professional every day. That is not just bad news for your bottom line and reputation; when the target is a utility or a hospital, it could lead to customer fatalities.
The only way to hit back is to get more professional and coordinated ourselves, which means improving collaboration between IT security and service desk teams, and taking a more considered approach to asset management and endpoint security.
CNI under attack
Why is critical infrastructure such a big target? Because cyber-criminals always follow the money, and the more critical the service a victim provides, the bigger the ransom it is likely willing to pay to restore it. Even better for the black hats, many of these providers still run legacy systems with poor or outdated security and little network segmentation, so malware that lands on one machine can spread easily to the rest. Many have not woken up to the fact that these systems are reachable from the public internet, where they can be found, probed and researched by attackers, and therefore attacked remotely.
Attacks on CNI are nothing new, of course. Just consider Stuxnet, or the destructive malware blitz aimed at oil giant Saudi Aramco. They have continued in recent years with a sophisticated nation-state campaign against the Ukrainian power grid, the country's financial industry and other infrastructure. But ransomware opens up the market to far more attackers: it is relatively easy to get hold of, requires little skill to deploy, and can have devastating results.
Northern Lincolnshire and Goole NHS Trust was taken offline for several days and forced to cancel several thousand patient appointments because of a ransomware attack. In fact, nearly half of all Trusts have admitted falling victim over the past year or so. In the US, attackers have targeted transportation providers, including the San Francisco MUNI system, and even police CCTV cameras in the US capital. Not every attack puts customers in physical danger, but when critical infrastructure is interfered with, the stakes rise far beyond mere data loss.
Already, officials are worried. Neil Jenkins of the US Department of Homeland Security said recently of the prospect of CNI attacks: “I worry that's going to be the next step.”
Boardrooms up and down the land should be taking note. Because once the machinery of cyber-crime powers up and focuses its attention on these targets, the repercussions could be immense.
A revised approach
The first thing IT leaders need to do is improve cooperation between their security and service management teams. The traditional silos between the two impair an organisation's ability to respond to incidents and its efforts to maintain a robust cyber-security posture. The service desk is well placed to join the dots between isolated tickets (a handful of users reporting encrypted files, a shared drive that suddenly stopped working) that could together signal a major attack on the organisation. So make sure that, if and when it spots such a pattern, it escalates the concern to the security team. Similarly, IT security admins may, during an investigation, be able to give service teams important information, such as the list of endpoints in need of urgent remediation. The communication lines should be open at all times.
Above and beyond that, consider arming the service management function with unified endpoint security to keep critical systems safe from attack. The watchwords here must be "defence in depth": a combination of controls designed to provide layers of protection, so that the failure of any one layer does not hand the attacker the whole estate. Comprehensive patch management removes the known vulnerabilities that the majority of attacks rely on. For even better results, combine it with application control, which only permits approved software to execute: even if an unknown, or zero-day, flaw is exploited, the attacker's payload is blocked from running.
Removable media and mobile devices can also pose a major threat to your organisation, because they carry files and executables straight past the network perimeter. So make sure any endpoint management solution includes capabilities to enforce your security policies at this layer, for example blocking or restricting USB storage. These capabilities need to be automated for maximum effectiveness: IT teams are simply too small and overworked to manually manage the volume of incidents and endpoints involved today.
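As an added illustration of enforcing a removable-media policy on Windows endpoints (this is example code written for this page, not Ivanti's or any product's code), the script below writes the registry values that the Windows "Removable Storage Access" Group Policy settings control. The key path, the Removable Disks class GUID and the value names are the standard policy locations; the function names are this example's own. It offers a strict mode that denies all removable storage, and a less disruptive mode that still lets staff copy files but denies execution from a USB stick, and it includes an audit function the service desk can run to confirm the setting is in place.

```powershell
# Added example (not from the original article): enforce and audit a
# removable-storage policy via the registry keys that Windows Group Policy
# "Removable Storage Access" settings write. Run from an elevated prompt.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB mass storage).
$removableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStoragePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DenyAll', 'DenyExecute')]
        [string]$Mode
    )
    # The policy key does not exist on a machine with no policy applied (the weak default).
    New-Item -Path $policyRoot -Force | Out-Null

    switch ($Mode) {
        'DenyAll' {
            # Strict: deny read, write and execute for every removable storage class.
            New-ItemProperty -Path $policyRoot -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'DenyExecute' {
            # Less disruptive: files on a USB stick can still be read and written,
            # but nothing on it can be launched (autorun payloads, dropped binaries).
            $classKey = "$policyRoot\$removableDisksClass"
            New-Item -Path $classKey -Force | Out-Null
            New-ItemProperty -Path $classKey -Name 'Deny_Execute' -PropertyType DWord -Value 1 -Force | Out-Null
            # Deny_Read and Deny_Write are deliberately left unset here.
        }
    }
}

function Test-RemovableStoragePolicy {
    # Audit helper: report the effective values so enforcement can be verified
    # on each endpoint (a missing key means no policy at all).
    $root  = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
    $class = Get-ItemProperty -Path "$policyRoot\$removableDisksClass" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent = [bool]$root
        DenyAll          = ($root.Deny_All -eq 1)
        DenyExecute      = ($class.Deny_Execute -eq 1)
        DenyRead         = ($class.Deny_Read -eq 1)
        DenyWrite        = ($class.Deny_Write -eq 1)
    }
}

# Usage: apply the execute-only restriction, then confirm it took.
Set-RemovableStoragePolicy -Mode DenyExecute
Test-RemovableStoragePolicy | Format-List
```

Two caveats a practitioner will want: the restriction applies to devices connected after the change, so already-mounted media should be removed, and on a domain-joined machine Group Policy refresh will overwrite whatever is written locally, so at scale the same values should be deployed through GPO or your endpoint management tool rather than by hand. The audit function is the useful part for the service desk, since it turns "is USB locked down on this box?" into a ticket-answerable yes or no.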
As the Internet of Things expands before our very eyes to more than eight billion connected devices this year, remember that each unsecured IoT endpoint is a potential entry point for attackers, and one that rarely fits neatly into a patch cycle. When it comes to critical infrastructure, the impact of a direct hit could be an awful lot worse than mere data loss.
Contributed by Chris Goettl, Product Manager, Ivanti
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.