Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/25/2018
10:30 AM
Dave Weinstein
Dave Weinstein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Our Interconnected Infrastructure

A little over a year ago, the world witnessed NotPetya, the most destructive cyberattack to date. What have we learned?

In late June, the House of Representatives passed legislation specifically aimed at securing the industrial control systems that run our nation's most critical infrastructure, from oil pipelines to water treatment facilities to the grid. These systems also run infrastructure that might not rise to the level of "critical" but are certainly important. The automated machines powering America's manufacturing industry, for example, are all powered by a software and hardware that is increasingly subject to a growing threat landscape.

This legislation is no doubt a reaction to the events of a little over a year ago, when the NotPetya malware metastasized from its original targets in Ukraine to over a dozen countries, including the United States. The US, UK, and other western powers later blamed and sanctioned Russia for the self-propagating worm, which has been dubbed the most destructive and costly cyberattack to date with damages exceeding $10 billion globally.

NotPetya and its predecessor WannaCry, both of which utilized an exploit that was allegedly developed by and later stolen from the National Security Agency, are glaring examples of how threats that have traditionally only affected IT systems are now creeping into operational technology, or OT systems like those that open and close breakers, rotate turbines, and shut down plant operations when conditions reach dangerous levels. Indeed, the IT and OT worlds are converging, meaning that the victims of cyberattacks are no longer always the primary targets.

The reason for this phenomenon can be summed up in one word: interconnectivity. Our technological worlds are converging because the "things" that were heretofore disconnected are gaining a network connection, and more connected devices are being introduced into the global digital commons. By some estimation, the Internet of Things will more than triple in size between now and 2025 to over 75 billion devices. Most of these devices are consumer-facing — like smart thermostats and home assistants — but they are also found in our industrial facilities in the form of sensors, actuators, and portable interfaces like tablets and smart displays.

These industrial devices pose the greatest potential cyber-risk to our critical infrastructure. As stated by Congressman Don Bacon (R-Neb.), the primary sponsor of the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, they are "the critical interface between the digital controls in an operational process." Unlike most IT environments, where hackers are forced to overcome authentication hurdles, usually by stealing credentials or cracking weak passwords, industrial control systems have no authentication. To make matters worse, the traffic is almost always unencrypted.

While it's encouraging that the House is leaning forward on industrial cybersecurity and committed to authorizing and equipping the Department of Homeland Security to protect our critical infrastructure, this still remains largely a private sector problem. After all, over 80% of America's critical infrastructure is privately owned and the owners and operators of these assets are best positioned to address their risks.

In doing so, one of the questions companies are asking themselves is how to reconcile the risks and rewards of the interconnected world. Should we simply retreat into technological isolationism and eschew the benefits of connectivity in the interest of security, or is there a better way to manage the risk?

The former is gaining a growing chorus, especially among security researchers. The latest call comes from Andy Bochman of the Department of Energy's Idaho National Labs. Bochman argued this past May in Harvard Business Review that the best way to address the cyber-risk to critical infrastructure is "to reduce, if not eliminate, the dependency of critical functions on digital technologies and their connections to the Internet." Said differently, when it comes to our most critical infrastructure assets, we should replace digital with analog and machines with humans.

Maybe I'm influenced by my millennial bias as a networked and digital creature, but such an approach seems tantamount to surrender in the face of a rising cyber threat that is still a long way from its apex. If the goal is to achieve maximum security of our critical infrastructure at all costs, even if it means depriving asset owners and operators of real-time performance analytics and the ability to conduct remote maintenance under routine and exigent circumstances, then so be it. However, this strategy is unlikely to receive much support outside of security circles and could prove to be cost prohibitive for most organizations.

By contrast, we must accept and embrace connectivity while, at the same time, improving security. This means balancing the risks of interconnectivity to our industrial control systems with gaining greater visibility into who and what are on these networks. Interconnectivity alone is not the problem; rather, it is this interconnectivity paired with opacity that produces the greatest risk to the country's critical infrastructure.

When it comes to securing the industrial Internet of Things, we are still in very early days. Let's not raise the white flag just yet by retreating into technological isolationism. Instead, let's learn from the events of a year ago and bring together government, industry, and the critical infrastructure community to raise what are currently far too low barriers to entry for hackers.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Dave Weinstein is the vice president of threat research at Claroty and a non-resident fellow at New America.  Prior to joining Claroty, he was the chief technology officer of New Jersey, where he served in the governor's cabinet and was responsible for delivering and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/27/2018 | 1:04:07 PM
Nothng
Earlier this year, the City of Atlanta was hacked, ransomeware and every single dashcam video used by police and courts was lost.  NO BACKUP.  Gee, what HAVE we learned?    Nothing.   Equifax CEO blames their mess on one single individual instead of a massive protocol collapse.  C-Suite is ignorant and IT dept does not do it's job.  We have learned NOTHING. 
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16354
PUBLISHED: 2019-09-16
The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.
CVE-2019-16355
PUBLISHED: 2019-09-16
The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files.
CVE-2019-16353
PUBLISHED: 2019-09-16
Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device.
CVE-2019-16349
PUBLISHED: 2019-09-16
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
CVE-2019-16350
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.