1/6/2017
10:00 AM
Mike Convertino
Commentary
Fixing Critical Infrastructure Means Securing The IT Systems That Support It

IT security can mean the difference between life and death, just as much as a well-designed bridge.

2016 was a banner year for hackers.

Coming on the heels of a devastating 2015 attack on Ukraine's power grid, 2016 gave way to a steady flow of WikiLeaks announcements that captured public attention and influenced public opinion. The Internet of Things (IoT) briefly shut down the Internet, and we capped the year with the White House announcing retaliatory measures for Russian election-related hackings. In between, we saw cyberattacks on the IRS, Yahoo, the Arizona and Illinois election boards, and dozens of others. Bottom line, cybersecurity threats were front-page, mainstream material all year long.  

As any CISO knows, these threats are nothing new. The tech industry has been working for more than a decade to prevent increasingly sophisticated attackers from compromising sensitive data, critical resources, and infrastructure, including national energy systems.

Now, as a new administration heads to Washington with the stated goal of rebuilding the nation's infrastructure, it's important to remember that the information systems supporting and powering our infrastructure deserve equally serious consideration. As last year's events showed, the problem isn't just stolen credit card numbers. Just like a crumbling bridge, IT security can be a life-or-death concern.

The challenge gets more difficult all the time. As technology continues to evolve, so do the threats. Cybercriminals are much more sophisticated than ever, and the same disruptive technology trends that allow machines to monitor themselves while humans post to Snapchat from the beach are also dynamically altering the threat landscape for organizations.

An increasingly mobile workforce combined with an explosion of apps, the emergence of cloud computing, and the IoT have dissolved the traditional security perimeter. The fortified security architectures of even a few years ago are no longer adequate when it comes to protecting critical infrastructure — such as hydroelectric plants, airports, trains, power grids, and nuclear facilities — against threats that can slip in and out of secure systems with other encrypted traffic.

To borrow from a commonly used analogy, traditional security architectures are akin to building a castle and a moat to protect the king and queen. Firewalls and other devices on the network perimeter act to monitor and block suspicious traffic attempting to penetrate the network's boundaries. But those boundaries are no longer clearly defined. Attacks can come from anywhere. Securing software applications and all their associated data today is more like a modern world leader relying on the protection of the secret service while constantly traveling around the globe.

Despite this trend, the majority of security investment is still aimed at securing the network rather than application access and identity, even though most attacks arise from application vulnerabilities and stolen user credentials.

In the breach of Ukraine's power grid, the hackers took advantage of compromised user credentials of workers logging remotely into the SCADA network that controlled the grid. Because two-factor authentication wasn't required for remote login, attackers were able to hijack workers' credentials and gain crucial access to systems that controlled the breakers.

The IoT is another concern. The infrastructure that supports transportation, energy, cities, and other critical public sectors increasingly relies on sensors, smart meters, and other devices connected to a broader network. All of these unsecured new devices create new attack vectors that must be mitigated.

As the tech landscape continues to evolve, we must stay vigilant against the threats presented by new technologies by protecting software applications, the sensitive data they contain, and the critical processes they drive — within the network and beyond.

But no matter how sophisticated the CISO's toolkit is today, collaboration and unity of effort will be critical — because one weak link is enough. Those in the energy sector can continue to evolve their security architecture, but they can't do everything. Government must be on board, too. Fixing the nation's physical infrastructure is as important as it's ever been. Securing the IT behind it will ensure it's there when we need it.  

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ...
Comments
Shantaram,
User Rank: Ninja
1/19/2017 | 1:37:26 AM
Re: 192.168.l.l
Thanks, very interesting opinion!
JulietteRizkallah,
User Rank: Ninja
1/16/2017 | 9:09:39 AM
This is why 2017 will be the year of Identity
There is a reason why Identity governance rose to #3 in CIOs' priorities and Firewalls dropped to #6. It is so much easier to hack a human than to penetrate a network. 2016 was solid proof of that; 2017 will show a wide exploit of the human vulnerability.
enhayden,
User Rank: Strategist
1/9/2017 | 1:21:41 PM
The Focus Needs to be on BOTH IT and OT Systems
I agree with Mark's article with one nuance.  That is, there are really a multitude of threat vectors on Critical Infrastructure / Key Resources (CIKR).  There are the attacks/threats/vulnerabilities on the Information Technology (IT) systems but there are also the security issues associated with the control systems otherwise referred to as the Operations Technology (OT) systems.  Hence, an added approach to Mark's article is to secure BOTH the IT as well as the OT systems supporting the CIKR.

Thanks!  Ernie Hayden CISSP CEH GICSP PSP