Dark Reading is part of the Informa Tech Division of Informa PLC



1/31/2020
10:00 AM
Benny Czarny
Commentary

Embracing a Prevention Mindset to Protect Critical Infrastructure

A zero-trust, prevention-first approach is necessary to keep us safe, now and going forward.

In the TV series Mr. Robot, Elliot Alderson, a gifted cybersecurity engineer by day, moonlights as a vigilante hacktivist for the "fsociety" group, which conspires to topple corporate America by canceling the debt records of every citizen.

In this doomsday scenario, cyber anarchists aim to disrupt the financial infrastructure that supports the global economy as a means to bring about their ideological political goals. Beyond this dramatic metaphor lies a sobering truth: Our world is interconnected to such a degree that the notion of critical infrastructure has evolved beyond what we have traditionally classified as such.

While power plants, chemical factories, and government agencies rightfully deserve the "critical" designation, there are scores of other industries on which these critical infrastructure organizations depend, and without which they would cease to function properly if those industries were knocked out of commission by a well-orchestrated targeted attack.

To reduce risk and thrive in this age of unpredictable and targeted attacks, critical infrastructure organizations must take a more expansive view of the critical infrastructure ecosystem, commit to making cybersecurity training a priority for employees at every level of the organization, and embrace a holistic zero-trust approach that prioritizes prevention strategies over reactive detection methods.

Mitigating Cyber-Risk with Training and Awareness
In February 2019, employees of the Fort Collins Loveland Water District and South Fort Collins Sanitation District in Colorado were hit by a ransomware attack that locked them out of their computers — for the second time in two years. In September 2019, Kudankulam Nuclear Power Plant, the largest nuclear plant in India, was breached in a malware attack, and in November 2019, criminals shut down computers at Mexican oil giant Pemex in exchange for a $5 million ransom. The US experienced the first attack on a power grid in March 2019 when North American Electric Reliability Corp. (NERC) was disrupted in a "cyber event" that lasted nearly 12 hours.

As public and private enterprises look to new cybersecurity solutions to mitigate the risks, global cybersecurity spending is expected to grow to $133.8 billion by 2022, according to International Data Corporation. The White House's 2020 budget alone includes more than $17.4 billion for cybersecurity-related activities, a 5% increase over 2019. However, we'll need to do more than throw money at the issue.

The problem lies in the fact that critical infrastructure sectors have become increasingly attractive targets — both for nation-states engaged in geopolitical campaigns and for profit-motivated criminal syndicates. That's largely due to the fact that much of our nation's critical infrastructure is built upon a tangle of legacy industrial control systems that were intentionally designed as closed, air-gapped systems.

But perhaps the greatest vulnerability is the human element. While many of these companies address supply chain risks by certifying the cybersecurity practices of their partners, basic security awareness and training often lag behind other industries. Threat actors, regardless of their motivation, are like water flowing in a riverbed: They will always choose the path of least resistance.

A Shift in Mindset: From Detection to Prevention
As we enter the next decade, executive leadership for critical infrastructure organizations must take a hard look at their existing IT systems, their security practices, and, most importantly, their attitudes toward how they approach cybersecurity.

And because threats can now come from anywhere, any piece of connected technology must be treated as potentially malicious. This is the essence of a zero-trust, prevention-first mentality, one in which trust is never implied and the legitimacy of every file, every device, and every network connection is always questioned.

All employees — whether executives, engineers, or accountants — must develop a deeper appreciation that any interaction with technology can open a door to a potential cyberattack. It's imperative that critical infrastructure organizations prioritize cybersecurity training for all employees, emphasizing that every person who interacts with technology also plays an important role in protecting mission-critical infrastructure.

To prepare for the increasing sophistication and frequency of cyberattacks on critical infrastructure sectors, the burden will rest on the shoulders of executive leadership, who must take the lead in showing that all employees, regardless of their role or responsibility, are aware that any interaction with technology has the potential to unleash the next Stuxnet, or worse.

As we move into this new decade, there are more unknowns than knowns. While critical infrastructure security leaders can't predict and prepare for every attack scenario, they must at least acknowledge that the threat landscape has shifted and that a prevention-first, zero-trust approach is necessary to keep us all safe, this year and beyond.


Benny Czarny is the Founder and CEO of OPSWAT, a leading cybersecurity firm with over 1,000 customers, 200 employees, and 8 offices worldwide. Founded with a personal investment in 2002 to offer a unique, market-driven approach to security application design and development, ...