Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/25/2018
10:30 AM
Dave Weinstein
Dave Weinstein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Our Interconnected Infrastructure

A little over a year ago, the world witnessed NotPetya, the most destructive cyberattack to date. What have we learned?

In late June, the House of Representatives passed legislation specifically aimed at securing the industrial control systems that run our nation's most critical infrastructure, from oil pipelines to water treatment facilities to the grid. These systems also run infrastructure that might not rise to the level of "critical" but are certainly important. The automated machines powering America's manufacturing industry, for example, are all powered by a software and hardware that is increasingly subject to a growing threat landscape.

This legislation is no doubt a reaction to the events of a little over a year ago, when the NotPetya malware metastasized from its original targets in Ukraine to over a dozen countries, including the United States. The US, UK, and other western powers later blamed and sanctioned Russia for the self-propagating worm, which has been dubbed the most destructive and costly cyberattack to date with damages exceeding $10 billion globally.

NotPetya and its predecessor WannaCry, both of which utilized an exploit that was allegedly developed by and later stolen from the National Security Agency, are glaring examples of how threats that have traditionally only affected IT systems are now creeping into operational technology, or OT systems like those that open and close breakers, rotate turbines, and shut down plant operations when conditions reach dangerous levels. Indeed, the IT and OT worlds are converging, meaning that the victims of cyberattacks are no longer always the primary targets.

The reason for this phenomenon can be summed up in one word: interconnectivity. Our technological worlds are converging because the "things" that were heretofore disconnected are gaining a network connection, and more connected devices are being introduced into the global digital commons. By some estimation, the Internet of Things will more than triple in size between now and 2025 to over 75 billion devices. Most of these devices are consumer-facing — like smart thermostats and home assistants — but they are also found in our industrial facilities in the form of sensors, actuators, and portable interfaces like tablets and smart displays.

These industrial devices pose the greatest potential cyber-risk to our critical infrastructure. As stated by Congressman Don Bacon (R-Neb.), the primary sponsor of the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, they are "the critical interface between the digital controls in an operational process." Unlike most IT environments, where hackers are forced to overcome authentication hurdles, usually by stealing credentials or cracking weak passwords, industrial control systems have no authentication. To make matters worse, the traffic is almost always unencrypted.

While it's encouraging that the House is leaning forward on industrial cybersecurity and committed to authorizing and equipping the Department of Homeland Security to protect our critical infrastructure, this still remains largely a private sector problem. After all, over 80% of America's critical infrastructure is privately owned and the owners and operators of these assets are best positioned to address their risks.

In doing so, one of the questions companies are asking themselves is how to reconcile the risks and rewards of the interconnected world. Should we simply retreat into technological isolationism and eschew the benefits of connectivity in the interest of security, or is there a better way to manage the risk?

The former is gaining a growing chorus, especially among security researchers. The latest call comes from Andy Bochman of the Department of Energy's Idaho National Labs. Bochman argued this past May in Harvard Business Review that the best way to address the cyber-risk to critical infrastructure is "to reduce, if not eliminate, the dependency of critical functions on digital technologies and their connections to the Internet." Said differently, when it comes to our most critical infrastructure assets, we should replace digital with analog and machines with humans.

Maybe I'm influenced by my millennial bias as a networked and digital creature, but such an approach seems tantamount to surrender in the face of a rising cyber threat that is still a long way from its apex. If the goal is to achieve maximum security of our critical infrastructure at all costs, even if it means depriving asset owners and operators of real-time performance analytics and the ability to conduct remote maintenance under routine and exigent circumstances, then so be it. However, this strategy is unlikely to receive much support outside of security circles and could prove to be cost prohibitive for most organizations.

By contrast, we must accept and embrace connectivity while, at the same time, improving security. This means balancing the risks of interconnectivity to our industrial control systems with gaining greater visibility into who and what are on these networks. Interconnectivity alone is not the problem; rather, it is this interconnectivity paired with opacity that produces the greatest risk to the country's critical infrastructure.

When it comes to securing the industrial Internet of Things, we are still in very early days. Let's not raise the white flag just yet by retreating into technological isolationism. Instead, let's learn from the events of a year ago and bring together government, industry, and the critical infrastructure community to raise what are currently far too low barriers to entry for hackers.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Dave Weinstein is the chief security officer of Claroty. Prior to joining Claroty, he served as the chief technology officer for the State of New Jersey, where he served in the Governor's cabinet and led the state's IT infrastructure agency. Prior to his appointment as CTO he ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/27/2018 | 1:04:07 PM
Nothng
Earlier this year, the City of Atlanta was hacked, ransomeware and every single dashcam video used by police and courts was lost.  NO BACKUP.  Gee, what HAVE we learned?    Nothing.   Equifax CEO blames their mess on one single individual instead of a massive protocol collapse.  C-Suite is ignorant and IT dept does not do it's job.  We have learned NOTHING. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.