The Evolution of Securing Critical Infrastructure | The State of Security
Everything evolves. Simply stated, the gradual development of something from a simple to a more complex form is what evolution is all about. When something ceases to evolve, yet still exists, it becomes classified as a living fossil. One example is the Ginkgo Biloba tree. It took millions of years for this evolution to cease. This all happened without any help from humans.
When we think of our relationship with technology, it is apparent that we are nowhere near the end of technological evolution. Even if we consider the earliest human technological achievements, such as how to transport water uphill, we are still many years away from exhausting our imaginations as well as our technological capabilities. However, just as a tree is susceptible to the forces of nature, we have learned that our greatest achievements can be undermined by that same human ingenuity.
The evolution of critical infrastructure
A more modern example of the evolution of technology is in the area of critical infrastructure and operational technology (OT). Water and wastewater systems are just one classification of critical infrastructure. We have certainly come a long way since Archimedes’ spiral, but we have also become more capable in our destructive capabilities.
Many of the devices that control all sectors of critical infrastructure were designed as stand-alone mechanisms. To clarify, these types of devices, such as programmable logic controllers (PLC), have been around for decades but were never connected – nor were they ever intended to be – to the Internet. While this evolution has brought ease of use and remote access, it opens the door to a whole new set of challenges.
These devices typically have up to 20-year lifecycles without being updated, upgraded, or patched. Malicious actors are finding ways to get these devices to do things they weren’t intended to do. Attacks against PLC devices are rivaling those of popular consumer-grade operating systems, garnering CVSS Base Scores that demand immediate attention.
A time for education and awareness
In order to overcome these challenges, education and awareness are key. These systems now need more than just physical security; they need Internet Protocol-based security, or, as it is more affectionately called, “cybersecurity.” Devices need to be updated or upgraded more frequently, and if that can’t happen, there need to be more stringent controls to block unwanted traffic from reaching these devices.
For example, a logic controller should only talk to a specific engineering workstation or Human Machine Interface (HMI). A PLC should only receive certain types of packets, for example those that set a valve on, off, or to a specific level. If an unexpected command is sent to the controller, such as one that would drive the equipment it controls faster than its normal operating threshold, that instruction should be dropped, logged, and flagged for further investigation.
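The allowlist-and-threshold policy just described, as an added example that is not part of the original article: only approved workstation and HMI addresses may talk to the controller, only known command types are accepted, and a setpoint outside the normal operating range is dropped and flagged. All addresses, command names and limits below are constructed for illustration, not taken from any real product.

```python
"""Allowlist-style command filter for a PLC boundary.

Added example, not from the original article. The addresses, command
names and operating limits are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: which sources may talk to the controller, which
# commands they may send, and the safe operating range for each setpoint.
ALLOWED_SOURCES = {
    "10.10.1.5": "engineering-workstation",   # hypothetical EWS address
    "10.10.1.7": "hmi-1",                     # hypothetical HMI address
}
ALLOWED_COMMANDS = {"read_status", "set_valve", "set_pump_speed"}
SETPOINT_LIMITS = {
    "set_valve": (0, 100),          # percent open
    "set_pump_speed": (0, 1800),    # RPM, constructed normal operating range
}


@dataclass
class Command:
    src_ip: str
    name: str
    value: Optional[float] = None


@dataclass
class Decision:
    action: str      # "forward" or "drop"
    reason: str
    flagged: bool    # True when the event deserves follow-up investigation


class PlcCommandFilter:
    """Evaluates each command against the policy and keeps an audit log."""

    def __init__(self):
        self.log: List[Tuple[Command, Decision]] = []

    def evaluate(self, cmd: Command) -> Decision:
        if cmd.src_ip not in ALLOWED_SOURCES:
            d = Decision("drop", f"source {cmd.src_ip} is not an approved workstation or HMI", True)
        elif cmd.name not in ALLOWED_COMMANDS:
            d = Decision("drop", f"command {cmd.name!r} is not permitted for this controller", True)
        elif cmd.name in SETPOINT_LIMITS:
            lo, hi = SETPOINT_LIMITS[cmd.name]
            if cmd.value is None or not (lo <= cmd.value <= hi):
                d = Decision("drop", f"{cmd.name} value {cmd.value} outside safe range {lo}-{hi}", True)
            else:
                d = Decision("forward", "within policy", False)
        else:
            d = Decision("forward", "within policy", False)
        self.log.append((cmd, d))   # every decision is logged, dropped or not
        return d

    def flagged_events(self):
        """Entries an operator should look at."""
        return [(c, d) for c, d in self.log if d.flagged]


# Constructed sample traffic as it might arrive at the controller boundary.
SAMPLE_COMMANDS = [
    Command("10.10.1.7", "read_status"),
    Command("10.10.1.5", "set_pump_speed", 1200),
    Command("10.10.1.5", "set_pump_speed", 3600),   # above the normal threshold
    Command("203.0.113.9", "set_valve", 50),        # source outside the allowlist
    Command("10.10.1.7", "firmware_update"),        # command type not permitted
]


def run_filter(commands=SAMPLE_COMMANDS):
    """Run the policy over a list of commands; returns (filter, decisions)."""
    f = PlcCommandFilter()
    decisions = [f.evaluate(c) for c in commands]
    return f, decisions


if __name__ == "__main__":
    f, _ = run_filter()
    for c, d in f.log:
        print(f"{d.action:7} {c.src_ip:14} {c.name:16} {str(c.value):6} {d.reason}")
```

The same three checks (approved source, approved command type, value within range) are what a protocol-aware firewall or an inline monitor in front of the controller would enforce; the point of keeping the full log, not just the drops, is that an investigator can later reconstruct what the workstation actually asked the PLC to do.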
A logic controller that openly accepts commands from the Internet is extremely vulnerable. A compromised workstation that issues commands to a PLC is obviously a problem as well. One of the key influences on this has been the COVID-19 pandemic. As people were forced to work from home, organizations had to rapidly enable their workforce to work remotely. Remote access has greatly accelerated the need for security. Prior to the pandemic, many of these companies strictly prohibited remote work, but they were forced to adapt in order to function. Many devices that were already IP-based now needed to be controlled remotely for the first time. It was crucial to build that access securely.
As things begin to open up and resume under these new rules of working, there are three groups of mindsets:
- The traditionalists who say that everything should go back to the way it was.
- The futurists who say the time is now to continue working remotely and never go back to the office again.
- Those who are somewhere in between.
It may be surmised that the majority of folks will fall somewhere in between. Given that the pandemic lasted far longer than anyone anticipated, organizations reluctantly began their digital transformation. Some opted to go all-out, and some slowly did the bare minimum to keep their businesses running. Thus, the need for more diligent cybersecurity is only going to grow. Organizations need to take a pragmatic approach by focusing on topics such as:
- Understanding what devices they have on their network.
- Understanding what devices are communicating to other devices, whether internally or externally.
- Understanding the risk posture of those devices, whether it is based on vulnerabilities or how they are configured.
Based on those three points, there will then need to be a focus on mitigating the identified risks and ensuring the network is properly segmented and properly monitored.
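The three focus areas above (knowing which devices are on the network, which devices talk to which, and where the traffic violates the intended segmentation) can be started from nothing more than flow records. The following is an added example, not code from the original article: it takes constructed flow records, derives a device inventory and a communication map, and flags flows between zones that the segmentation policy does not permit. The subnets, zone names and the permitted zone pairs are assumptions made for this illustration.

```python
"""Device inventory, communication map and segmentation check from flow records.

Added example, not from the original article. Subnets, zone names,
permitted zone pairs and the flow records themselves are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed zone model keyed by subnet. Anything not listed is "external".
ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "control",     # PLCs, HMIs, engineering workstation
    ipaddress.ip_network("10.20.0.0/16"): "enterprise",  # IT network
}

# Permitted (source zone, destination zone) pairs. Constructed policy: the
# enterprise side may reach the control zone (e.g. via a jump host), but the
# control zone never initiates traffic outward and nothing external reaches it.
ALLOWED_ZONE_PAIRS = {
    ("control", "control"),
    ("enterprise", "control"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as external."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyse_flows(flows):
    """Return (inventory, communication map, segmentation violations).

    flows: iterable of (src_ip, dst_ip, dst_port) tuples.
    """
    inventory = set()
    comm_map = defaultdict(set)   # src -> {(dst, port), ...}
    violations = []
    for src, dst, port in flows:
        inventory.update([src, dst])
        comm_map[src].add((dst, port))
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED_ZONE_PAIRS:
            violations.append((src, dst, port, pair))
    return inventory, dict(comm_map), violations


# Constructed flow records; 502 is Modbus/TCP and 44818 is EtherNet/IP.
SAMPLE_FLOWS = [
    ("10.10.1.7", "10.10.1.20", 502),     # HMI -> PLC
    ("10.10.1.5", "10.10.1.20", 44818),   # engineering workstation -> PLC
    ("10.20.3.4", "10.10.1.7", 3389),     # enterprise host -> HMI, permitted by policy
    ("10.10.1.20", "203.0.113.9", 443),   # PLC reaching out to the Internet
    ("198.51.100.2", "10.10.1.20", 502),  # Internet host talking Modbus to the PLC
]


if __name__ == "__main__":
    inventory, comm_map, violations = analyse_flows(SAMPLE_FLOWS)
    print(f"{len(inventory)} devices seen: {sorted(inventory)}")
    for src, peers in sorted(comm_map.items()):
        print(f"  {src} -> {sorted(peers)}")
    print(f"{len(violations)} segmentation violations:")
    for src, dst, port, pair in violations:
        print(f"  {src} -> {dst}:{port}  ({pair[0]} -> {pair[1]})")
```

On real data the flow records would come from a span port, NetFlow/IPFIX, or a passive OT monitoring sensor; the inventory it produces is the starting point for the risk-posture step (which of these devices have known vulnerabilities or weak configurations), and the violations list is exactly the traffic that a segmentation firewall should be blocking and a monitoring system should be alerting on.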
The Center for Internet Security publishes the Critical Security Controls, which help organizations plan how to build their security programs in a simple and pragmatic manner. This is a great resource for people who are responsible for critical infrastructure and OT security to use when building out their program. They can also partner with their counterparts on the IT side of the business to create synergies within the organization.
Evolution happens both out of necessity and to make our lives easier. In this case, the cybersecurity posture of critical infrastructure must evolve to be more secure. We have a long way to go before any of our ingenuity becomes a living fossil.
Discover how Tripwire helps secure critical infrastructure today: https://www.tripwire.com/solutions/industrial-control-systems.