Time to fix security inside critical infrastructure
A couple of months ago I was discussing datacentre security with a panel of IT managers from critical infrastructure providers. One representative from a major energy provider said that he had no intention of segmenting his network. When I asked him how he monitors his network looking for attacks that have breached his perimeter, he told me, “That is the FBI’s job.”
I wish I could say this was unusual.
Historically, the security strategy of many critical infrastructure companies was to simply not connect them to the public Internet. For years, sometimes decades, they built their internal architectures around that notion. When a user or contractor needed access, it was provided manually. So now, when they are interconnected to a web of users, suppliers, contractors, and peer organisations, implementing a pervasive security strategy is a significant challenge.
Instead, what many organisations in this circumstance tend to do is simply keep building a bigger and stronger front door to keep the bad stuff out. Which, of course, is a recipe for disaster.
A number of things need to happen to fix this problem. First, governments need to legislate that critical infrastructure industries need to meet basic security standards. And this legislation needs to have teeth. Fines are often absorbed as the cost of doing business as usual, and often get passed on to consumers.
As we have seen with publicly traded companies in the US, holding board members and corporate executives personally, financially, and legally liable for failure to implement appropriate security goes a long way towards motivating organisations to overcome whatever inertia is preventing them from properly securing their networks.
Of course, because some of these industries come directly under government control, they will need to be funded. Given the current political climate, this can be challenging. But the last thing that any government wants is a nuclear power plant meltdown, or the release of toxic chemicals, or the contamination of water supplies, or energy grids taken offline that can be traced back to a cyberattack.
Next, these organisations need to understand that perimeter security is no guarantee. Even the best firewalls in the world, according to numerous studies, are only about 98% effective. If you have a boat with a hundred holes in the bottom, and you only plug 98 of them, what happens to the boat?
The compromise of critical infrastructure networks is a matter of when, not if. And frankly, based on forensic evidence from a number of breaches, I can tell you that the only thing standing between us and disaster has been serendipity.
There are also dozens of sector-based Information Sharing and Analysis Centres that organisations in these industries need to participate in. If the recent cyberattack on the power grid in the Ukraine had not been an isolated incident, but part of a larger cyberterrorism strategy, it would have been essential that other energy providers around the world knew the details of this breach immediately, rather than a piece at a time, ferreted out over weeks and months.
From a functional perspective, a security game plan needs to be developed on a site-by-site basis. The most important first step that any organisation in this sort of circumstance can take is to hire security professionals to assess their current state, develop a get-well plan, and prioritise implementation.
From a general perspective, this needs to include a number of key security strategies.
#1 Do not just start with where you are, consider where you are going
A security plan needs to be able to adapt as you grow. If you are planning to add remote offices, or enable mobile users or build a virtualised datacentre, include that in your plan now. And select security tools that are future proof.
#2 Strategically segment your network
This is perhaps the easiest and most critical step in any security strategy. For example, keep your access network separate from your production network. Then actively monitor traffic that passes between segments. Segmentation allows you to detect threats that have bypassed your perimeter defences, isolate infected devices and malware to one place in your network, contain the spread of threats, and maintain the integrity of your intellectual property.
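As an added illustration of the "segment, then monitor what crosses the segments" advice above (example code written for this page, not from the original article), the following checks constructed flow records against a small allowlist of permitted inter-segment flows. The segment addresses, the allowlist entries and the sample flow lines are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment addressing (assumed, not from the article).
SEGMENTS = {
    "access": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted cross-segment flows: (src_segment, dst_segment, dst_port, proto).
# Assumed policy: access reaches production only via a broker in the DMZ.
ALLOWED = {
    ("access", "dmz", 443, "tcp"),
    ("dmz", "production", 4840, "tcp"),
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def classify(flow: Flow) -> str:
    """Return 'intra-segment', 'allowed', or 'violation' for one flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg and src_seg != "unknown":
        return "intra-segment"
    if (src_seg, dst_seg, flow.dport, flow.proto) in ALLOWED:
        return "allowed"
    return "violation"  # crossed a segment boundary without an allowlist entry

def parse_flows(text: str) -> list:
    """Parse constructed 'src dst dport proto' lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, proto = line.split()
            flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows

def find_violations(flows: list) -> list:
    return [f for f in flows if classify(f) == "violation"]
```

Feeding the collector output from a monitoring tap between segments into `find_violations` gives the detection signal the section describes: a host in the access network talking straight to production, or a production host reaching back out, is flagged even though the perimeter never saw it.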
#3 Keep it simple
As much as possible, build a strategy that provides consistent security across physical, virtual, cloud, access, and mobility networks. Security silos mean that policies get enforced differently in different parts of your network. Sophisticated cyberattacks will exploit these inconsistencies.
#4 Do not just bolt on security
Tools that work together are better than those that do not. You need to select security tools that can share threat intelligence and provide a coordinated response. An isolated security tool, no matter what it can do, is only effective when an attack passes through it, and nowhere else. These sorts of security tools quickly become chokepoints in the network, and pretty soon time-sensitive traffic will be routed around them.
#5 Visibility is essential
Security teams manage an average of 14 different security consoles, and sometimes many more. And they still have to hand-correlate log files and threat data to discover a threat, and manually coordinate a response to an attack. Which is why Gartner estimates that over 70% of cybersecurity breaches take months to discover. And according to Ponemon, it takes an organisation an average of 256 days to detect a malicious attack. As much as possible, implement a single pane of glass management strategy for centralised visibility and orchestration.
#6 Finally, slow is broken
Security will simply not be used if it gets in the way of time-sensitive traffic. Oh, you might have policies, but the reality is that when you have to process flight information or reroute rush hour traffic or respond to an energy grid failure right now, you cannot afford to wait for an overloaded firewall to decrypt and analyse your files. And whatever performance requirements you have today are likely to be a drop in the bucket compared to tomorrow. So plan ahead.
The reality is that as we transition to a digital economy, critical infrastructures will become increasingly vulnerable. Expanded attack surfaces, new applications and devices, and the need to dynamically share critical information simply expands exposure to risk. Those industries that are essential to the health and well-being of both people and national economies have got to step up and address this challenge. Lives actually depend on it.