News & Commentary

1/6/2017
10:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Fixing Critical Infrastructure Means Securing The IT Systems That Support It

IT security can mean the difference between life and death, just as much as a well-designed bridge.

2016 was a banner year for hackers.

Coming on the heels of a devastating 2015 attack on Ukraine's power grid, 2016 gave way to a steady flow of WikiLeaks announcements that captured public attention and influenced public opinion. The Internet of Things (IoT) briefly shut down the Internet, and we capped the year with the White House announcing retaliatory measures for Russian election-related hackings. In between, we saw cyberattacks on the IRS, Yahoo, the Arizona and Illinois election boards, and dozens of others. Bottom line, cybersecurity threats were front-page, mainstream material all year long.  

As any CISO knows, these threats are nothing new. The tech industry has been working for more than a decade to prevent increasingly sophisticated attackers from compromising sensitive data, critical resources, and infrastructure, including national energy systems.

Now, as a new administration heads to Washington with the stated goal of rebuilding the nation's infrastructure, it's important to remember that the information systems supporting and powering our infrastructure deserve equally serious consideration. As last year's events showed, the problem isn't just stolen credit card numbers. Just like a crumbling bridge, IT security can be a life-or-death concern.

The challenge gets more difficult all the time. As technology continues to evolve, so do the threats. Cybercriminals are much more sophisticated than ever, and the same disruptive technology trends that allow machines to monitor themselves while humans post to Snapchat from the beach are also dynamically altering the threat landscape for organizations.

An increasingly mobile workforce combined with an explosion of apps, the emergence of cloud computing, and the IoT have dissolved the traditional security perimeter. The fortified security architectures of even a few years ago are no longer adequate when it comes to protecting critical infrastructure — such as hydroelectric plants, airports, trains, power grids, and nuclear facilities — against threats that can slip in and out of secure systems with other encrypted traffic.

To borrow from a commonly used analogy, traditional security architectures are akin to building a castle and a moat to protect the king and queen. Firewalls and other devices on the network perimeter act to monitor and block suspicious traffic attempting to penetrate the network's boundaries. But those boundaries are no longer clearly defined. Attacks can come from anywhere. Securing software applications and all their associated data today is more like a modern world leader relying on the protection of the secret service while constantly traveling around the globe.

Despite this trend, a majority of security investment is still aimed at securing the network, rather than application access and identity, even though most attacks though most attacks arise from application vulnerabilities and stolen user credentials.

In the breach of Ukraine's power grid, the hackers took advantage of compromised user credentials of workers logging remotely into the SCADA network that controlled the grid. Because two-factor authentication wasn't required for remote login, attackers were able to hijack workers' credentials and gain crucial access to systems that controlled the breakers.

The IoT is another concern. The infrastructure that supports transportation, energy, cities, and other critical public sectors increasingly relies on sensors, smart meters, and other devices connected to a broader network. All of these unsecured new devices create new attack vectors that must be mitigated.

We must stay vigilant to address the threats presented by new technologies as the tech landscape continues to evolve by protecting software applications, the sensitive data they contain, and the critical processes they drive — within the network and beyond.

But no matter how sophisticated the CISO's toolkit is today, collaboration and unity of effort will be critical — because one weak link is enough. Those in the energy sector can continue to evolve their security architecture, but they can't do everything. Government must be on board, too. Fixing the nation's physical infrastructure is as important as it's ever been. Securing the IT behind it will ensure it's there when we need it.  

Related Content:

 

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
1/19/2017 | 1:37:26 AM
Re: 192.168.l.l
Thanks, very interesting opinion!
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/16/2017 | 9:09:39 AM
This is why 2017 will be the year of Identity
There is a reason why Identity governance raised to #3 in CIOs priorities and Firewalls dropped to #6.  It is so much easier to hack a human than to penetrate a network.  2016 was a solid proof of that, 2017 will show a wide exploit of the human vulnerability.
enhayden
50%
50%
enhayden,
User Rank: Strategist
1/9/2017 | 1:21:41 PM
The Focus Needs to be on BOTH IT and OT Systems
I agree with Mark's article with one nuance.  That is, there are really a multitude of threat vectors on Critical Infrastructure / Key Resources (CIKR).  There are the attacks/threats/vulnerabilities on the Information Technology (IT) systems but there are also the security issues associated with the control systems otherwise referred to as the Operations Technology (OT) systems.  Hence, an added approach to Mark's article is to secure BOTH the IT as well as the OT systems supporting the CIKR.

Thanks!  Ernie Hayden CISSP CEH GICSP PSP
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The Dark Reading Security Spending Survey
The Dark Reading Security Spending Survey
Enterprises are spending an unprecedented amount of money on IT security where does it all go? In this survey, Dark Reading polled senior IT management on security budgets and spending plans, and their priorities for the coming year. Download the report and find out what they had to say.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.