Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

1/6/2017
10:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Fixing Critical Infrastructure Means Securing The IT Systems That Support It

IT security can mean the difference between life and death, just as much as a well-designed bridge.

2016 was a banner year for hackers.

Coming on the heels of a devastating 2015 attack on Ukraine's power grid, 2016 gave way to a steady flow of WikiLeaks announcements that captured public attention and influenced public opinion. The Internet of Things (IoT) briefly shut down the Internet, and we capped the year with the White House announcing retaliatory measures for Russian election-related hackings. In between, we saw cyberattacks on the IRS, Yahoo, the Arizona and Illinois election boards, and dozens of others. Bottom line, cybersecurity threats were front-page, mainstream material all year long.  

As any CISO knows, these threats are nothing new. The tech industry has been working for more than a decade to prevent increasingly sophisticated attackers from compromising sensitive data, critical resources, and infrastructure, including national energy systems.

Now, as a new administration heads to Washington with the stated goal of rebuilding the nation's infrastructure, it's important to remember that the information systems supporting and powering our infrastructure deserve equally serious consideration. As last year's events showed, the problem isn't just stolen credit card numbers. Just like a crumbling bridge, IT security can be a life-or-death concern.

The challenge gets more difficult all the time. As technology continues to evolve, so do the threats. Cybercriminals are much more sophisticated than ever, and the same disruptive technology trends that allow machines to monitor themselves while humans post to Snapchat from the beach are also dynamically altering the threat landscape for organizations.

An increasingly mobile workforce combined with an explosion of apps, the emergence of cloud computing, and the IoT have dissolved the traditional security perimeter. The fortified security architectures of even a few years ago are no longer adequate when it comes to protecting critical infrastructure — such as hydroelectric plants, airports, trains, power grids, and nuclear facilities — against threats that can slip in and out of secure systems with other encrypted traffic.

To borrow from a commonly used analogy, traditional security architectures are akin to building a castle and a moat to protect the king and queen. Firewalls and other devices on the network perimeter act to monitor and block suspicious traffic attempting to penetrate the network's boundaries. But those boundaries are no longer clearly defined. Attacks can come from anywhere. Securing software applications and all their associated data today is more like a modern world leader relying on the protection of the secret service while constantly traveling around the globe.

Despite this trend, a majority of security investment is still aimed at securing the network, rather than application access and identity, even though most attacks though most attacks arise from application vulnerabilities and stolen user credentials.

In the breach of Ukraine's power grid, the hackers took advantage of compromised user credentials of workers logging remotely into the SCADA network that controlled the grid. Because two-factor authentication wasn't required for remote login, attackers were able to hijack workers' credentials and gain crucial access to systems that controlled the breakers.

The IoT is another concern. The infrastructure that supports transportation, energy, cities, and other critical public sectors increasingly relies on sensors, smart meters, and other devices connected to a broader network. All of these unsecured new devices create new attack vectors that must be mitigated.

We must stay vigilant to address the threats presented by new technologies as the tech landscape continues to evolve by protecting software applications, the sensitive data they contain, and the critical processes they drive — within the network and beyond.

But no matter how sophisticated the CISO's toolkit is today, collaboration and unity of effort will be critical — because one weak link is enough. Those in the energy sector can continue to evolve their security architecture, but they can't do everything. Government must be on board, too. Fixing the nation's physical infrastructure is as important as it's ever been. Securing the IT behind it will ensure it's there when we need it.  

Related Content:

 

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
1/19/2017 | 1:37:26 AM
Re: 192.168.l.l
Thanks, very interesting opinion!
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/16/2017 | 9:09:39 AM
This is why 2017 will be the year of Identity
There is a reason why Identity governance raised to #3 in CIOs priorities and Firewalls dropped to #6.  It is so much easier to hack a human than to penetrate a network.  2016 was a solid proof of that, 2017 will show a wide exploit of the human vulnerability.
enhayden
50%
50%
enhayden,
User Rank: Strategist
1/9/2017 | 1:21:41 PM
The Focus Needs to be on BOTH IT and OT Systems
I agree with Mark's article with one nuance.  That is, there are really a multitude of threat vectors on Critical Infrastructure / Key Resources (CIKR).  There are the attacks/threats/vulnerabilities on the Information Technology (IT) systems but there are also the security issues associated with the control systems otherwise referred to as the Operations Technology (OT) systems.  Hence, an added approach to Mark's article is to secure BOTH the IT as well as the OT systems supporting the CIKR.

Thanks!  Ernie Hayden CISSP CEH GICSP PSP
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3311
PUBLISHED: 2019-11-21
Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request.
CVE-2013-3312
PUBLISHED: 2019-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi.
CVE-2013-3313
PUBLISHED: 2019-11-21
The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-331...
CVE-2013-3314
PUBLISHED: 2019-11-21
The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) IP addresses via a request to get_realip.cgi or (2) firmware versions (ui and system), timestamp, serial number, p2p port number, and wifi status via a request to get_status.cgi.
CVE-2015-2793
PUBLISHED: 2019-11-21
Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.