Dark Reading (Informa Tech), News & Commentary

1/6/2017, 10:00 AM
Mike Convertino
Commentary
Fixing Critical Infrastructure Means Securing The IT Systems That Support It

IT security can mean the difference between life and death, just as much as a well-designed bridge.

2016 was a banner year for hackers.

Coming on the heels of a devastating 2015 attack on Ukraine's power grid, 2016 gave way to a steady flow of WikiLeaks announcements that captured public attention and influenced public opinion. The Internet of Things (IoT) briefly shut down the Internet, and we capped the year with the White House announcing retaliatory measures for Russian election-related hackings. In between, we saw cyberattacks on the IRS, Yahoo, the Arizona and Illinois election boards, and dozens of others. Bottom line, cybersecurity threats were front-page, mainstream material all year long.  

As any CISO knows, these threats are nothing new. The tech industry has been working for more than a decade to prevent increasingly sophisticated attackers from compromising sensitive data, critical resources, and infrastructure, including national energy systems.

Now, as a new administration heads to Washington with the stated goal of rebuilding the nation's infrastructure, it's important to remember that the information systems supporting and powering our infrastructure deserve equally serious consideration. As last year's events showed, the problem isn't just stolen credit card numbers. Just like a crumbling bridge, IT security can be a life-or-death concern.

The challenge gets more difficult all the time. As technology continues to evolve, so do the threats. Cybercriminals are much more sophisticated than ever, and the same disruptive technology trends that allow machines to monitor themselves while humans post to Snapchat from the beach are also dynamically altering the threat landscape for organizations.

An increasingly mobile workforce combined with an explosion of apps, the emergence of cloud computing, and the IoT have dissolved the traditional security perimeter. The fortified security architectures of even a few years ago are no longer adequate when it comes to protecting critical infrastructure — such as hydroelectric plants, airports, trains, power grids, and nuclear facilities — against threats that can slip in and out of secure systems with other encrypted traffic.

To borrow from a commonly used analogy, traditional security architectures are akin to building a castle and a moat to protect the king and queen. Firewalls and other devices on the network perimeter act to monitor and block suspicious traffic attempting to penetrate the network's boundaries. But those boundaries are no longer clearly defined. Attacks can come from anywhere. Securing software applications and all their associated data today is more like a modern world leader relying on the protection of the secret service while constantly traveling around the globe.

Despite this trend, the majority of security investment is still aimed at securing the network rather than application access and identity, even though most attacks arise from application vulnerabilities and stolen user credentials.

In the breach of Ukraine's power grid, the hackers took advantage of compromised user credentials of workers logging remotely into the SCADA network that controlled the grid. Because two-factor authentication wasn't required for remote login, attackers were able to hijack workers' credentials and gain crucial access to systems that controlled the breakers.

The IoT is another concern. The infrastructure that supports transportation, energy, cities, and other critical public sectors increasingly relies on sensors, smart meters, and other devices connected to a broader network. All of these unsecured new devices create new attack vectors that must be mitigated.

As the tech landscape continues to evolve, we must stay vigilant against the threats that new technologies present by protecting software applications, the sensitive data they contain, and the critical processes they drive, within the network and beyond.

But no matter how sophisticated the CISO's toolkit is today, collaboration and unity of effort will be critical — because one weak link is enough. Those in the energy sector can continue to evolve their security architecture, but they can't do everything. Government must be on board, too. Fixing the nation's physical infrastructure is as important as it's ever been. Securing the IT behind it will ensure it's there when we need it.  


Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ...
Comments
Shantaram (User Rank: Ninja), 1/19/2017 | 1:37:26 AM
Re: 192.168.l.l
Thanks, very interesting opinion!
JulietteRizkallah (User Rank: Ninja), 1/16/2017 | 9:09:39 AM
This is why 2017 will be the year of Identity
There is a reason why Identity governance rose to #3 in CIOs' priorities and Firewalls dropped to #6. It is so much easier to hack a human than to penetrate a network. 2016 was solid proof of that; 2017 will show a wide exploit of the human vulnerability.
enhayden (User Rank: Strategist), 1/9/2017 | 1:21:41 PM
The Focus Needs to be on BOTH IT and OT Systems
I agree with Mark's article with one nuance. That is, there are really a multitude of threat vectors on Critical Infrastructure / Key Resources (CIKR). There are the attacks/threats/vulnerabilities on the Information Technology (IT) systems, but there are also the security issues associated with the control systems, otherwise referred to as the Operations Technology (OT) systems. Hence, an added approach to Mark's article is to secure BOTH the IT as well as the OT systems supporting the CIKR.

Thanks! Ernie Hayden CISSP CEH GICSP PSP