
1/6/2017
10:00 AM
Mike Convertino
Commentary

Fixing Critical Infrastructure Means Securing The IT Systems That Support It

IT security can mean the difference between life and death, just as much as a well-designed bridge.

2016 was a banner year for hackers.

Coming on the heels of a devastating 2015 attack on Ukraine's power grid, 2016 gave way to a steady flow of WikiLeaks announcements that captured public attention and influenced public opinion. The Internet of Things (IoT) briefly shut down the Internet, and we capped the year with the White House announcing retaliatory measures for Russian election-related hackings. In between, we saw cyberattacks on the IRS, Yahoo, the Arizona and Illinois election boards, and dozens of others. Bottom line, cybersecurity threats were front-page, mainstream material all year long.  

As any CISO knows, these threats are nothing new. The tech industry has been working for more than a decade to prevent increasingly sophisticated attackers from compromising sensitive data, critical resources, and infrastructure, including national energy systems.

Now, as a new administration heads to Washington with the stated goal of rebuilding the nation's infrastructure, it's important to remember that the information systems supporting and powering our infrastructure deserve equally serious consideration. As last year's events showed, the problem isn't just stolen credit card numbers. Just like a crumbling bridge, IT security can be a life-or-death concern.

The challenge gets more difficult all the time. As technology continues to evolve, so do the threats. Cybercriminals are more sophisticated than ever, and the same disruptive technology trends that allow machines to monitor themselves while humans post to Snapchat from the beach are also dynamically altering the threat landscape for organizations.

An increasingly mobile workforce combined with an explosion of apps, the emergence of cloud computing, and the IoT have dissolved the traditional security perimeter. The fortified security architectures of even a few years ago are no longer adequate when it comes to protecting critical infrastructure — such as hydroelectric plants, airports, trains, power grids, and nuclear facilities — against threats that can slip in and out of secure systems with other encrypted traffic.

To borrow from a commonly used analogy, traditional security architectures are akin to building a castle and a moat to protect the king and queen. Firewalls and other devices on the network perimeter act to monitor and block suspicious traffic attempting to penetrate the network's boundaries. But those boundaries are no longer clearly defined. Attacks can come from anywhere. Securing software applications and all their associated data today is more like a modern world leader relying on the protection of the secret service while constantly traveling around the globe.

Despite this trend, a majority of security investment is still aimed at securing the network, rather than application access and identity, even though most attacks arise from application vulnerabilities and stolen user credentials.

In the breach of Ukraine's power grid, the hackers took advantage of compromised user credentials of workers logging remotely into the SCADA network that controlled the grid. Because two-factor authentication wasn't required for remote login, attackers were able to hijack workers' credentials and gain crucial access to systems that controlled the breakers.

The IoT is another concern. The infrastructure that supports transportation, energy, cities, and other critical public sectors increasingly relies on sensors, smart meters, and other devices connected to a broader network. All of these unsecured new devices create new attack vectors that must be mitigated.

As the tech landscape continues to evolve, we must stay vigilant and address the threats presented by new technologies by protecting software applications, the sensitive data they contain, and the critical processes they drive — within the network and beyond.

But no matter how sophisticated the CISO's toolkit is today, collaboration and unity of effort will be critical — because one weak link is enough. Those in the energy sector can continue to evolve their security architecture, but they can't do everything. Government must be on board, too. Fixing the nation's physical infrastructure is as important as it's ever been. Securing the IT behind it will ensure it's there when we need it.  

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ...
Comments
Shantaram,
User Rank: Ninja
1/19/2017 | 1:37:26 AM
Re: 192.168.l.l
Thanks, very interesting opinion!
JulietteRizkallah,
User Rank: Ninja
1/16/2017 | 9:09:39 AM
This is why 2017 will be the year of Identity
There is a reason why Identity governance rose to #3 in CIOs' priorities and Firewalls dropped to #6. It is so much easier to hack a human than to penetrate a network. 2016 was a solid proof of that, 2017 will show a wide exploit of the human vulnerability.
enhayden,
User Rank: Strategist
1/9/2017 | 1:21:41 PM
The Focus Needs to be on BOTH IT and OT Systems
I agree with Mark's article with one nuance.  That is, there are really a multitude of threat vectors on Critical Infrastructure / Key Resources (CIKR).  There are the attacks/threats/vulnerabilities on the Information Technology (IT) systems but there are also the security issues associated with the control systems otherwise referred to as the Operations Technology (OT) systems.  Hence, an added approach to Mark's article is to secure BOTH the IT as well as the OT systems supporting the CIKR.

Thanks!  Ernie Hayden CISSP CEH GICSP PSP