in part via threatpost.com: How to Secure Critical Infrastructure When Patching Isn’t Possible... by me... what you can learn from that!
Author: Threatpost
Mission-critical systems can’t just be switched off to apply security updates — so patching can take weeks if not years.
By Amir Levintal, Infosec Insider
Cyberattacks are on the rise and threatening our digital life and our most intimate information — but also our operational realities. Attacks on critical infrastructure such as power plants, water works, airports and the like (transportation ranks among the highest-value targets for cyberattackers seeking maximal impact) are no longer theoretical — but when it comes to securing these complex systems, there are unique challenges, such as an inability to patch.
In recent decades, critical infrastructure systems have grown ever more connected. Legacy components, which were not designed for the online arena, are now networked en masse. What’s worse, security teams trained to focus on physical safety are prone to downplay (or outright miss) growing digital-age risks. Sure, connecting all of a grid’s transformers might improve efficiency and maintenance, but if officials can connect remotely to monitor the device, can’t a hacker compromise that very device in much the same way?
The Patching Paradox
Securing such critical infrastructure systems introduces a frustrating paradox: On the one hand, defending safety-critical systems is key because any maliciously motivated malfunction invites potential disaster. Yet our need for these crucial systems to be “always-on” complicates standard cyber-procedures.
Case in point: Software patching.
Patching is pretty straightforward: When you find a weak spot, install some code designed to fix it. But for critical infrastructure, there’s a catch. Restarting your computer for a Windows update while you’re working is annoying, but manageable. For power grids, water systems and railway networks, it’s another story. Even when a system-wide shut-down is imperative, operators seek to schedule a deluge of fixes during that window. Needless to say, such coordinated shut-downs can’t be improvised in response to emerging threats.
Known Vulnerabilities
This is a serious problem, because some of the most dangerous cyber-threats take advantage of known vulnerabilities. Take the globally devastating WannaCry cyberattacks in 2017. WannaCry exploited a known vulnerability in Windows, for which Microsoft had released a patch two months prior. Nevertheless, dozens of the world’s largest companies, like FedEx, Maersk, Telefonica and many more, fell victim to the attack.
While the press focused largely on the major, brand-name business targets that were hit, critical infrastructure was also a victim. Both the UK’s National Health Service and Germany’s Deutsche Bahn rail system fell prey to the attacks. The chance discovery of a “kill-switch” within the virus reduced the attacks’ impact, but the episode revealed just how vulnerable critical infrastructure systems were around the world.
One Step Behind
Further complicating the patching issue is the fact that critical infrastructure systems are interconnected by design, making it difficult to isolate the effects of a service disruption or system update. Before installation, controllers must be sure a patch won’t lead to a cascade of negative reactions throughout the system, which is why critical system patches require extensive certification. But these certifications can take months or even years, during which time such systems remain exposed. Even after a patch is certified, complications continue. Oftentimes only the most skilled experts can actually carry out the installation, further extending security lapses.
Take the case of the Slammer worm, which attacked various infrastructure systems in January 2003. Six months prior to the attack, a patch had been released. Some victims, like an Ohio nuclear power plant, hadn’t installed the patch yet and suffered the consequences. An oil company with production platforms in the Gulf of Mexico had already begun rolling out the patch in the summer of 2002. However, issues with server restarts required certain expert staff members to be present during the patching, and as a result, most of the platforms were not yet patched when the Slammer worm attacked.
Potential Path Forward
Despite the challenges of patching vulnerabilities in our critical infrastructure, securing these safety-critical systems is not something we can afford to ignore. Prompt and timely patching is urgent when patches are available. However, there must be additional contingency measures in place to compensate for inevitable lapses and gaps between applying fixes, such as the time it takes for patches and solutions to undergo Safety Integrity Level (SIL) certification processes.
To meet this challenge, stakeholders will need to bring a combination of human and technological resources to bear. These should include enhanced cybersecurity awareness training for all team members, increased lobbying of regulators to fast-track time-consuming SIL certifications and real-time threat-hunting tools that can help operators stay one step ahead of cyberattackers.
Most importantly, critical infrastructure systems must integrate technological solutions into their patch management systems that can provide continuous threat monitoring and detection. This is vital to identifying weak spots that bad actors may seek to exploit. It is also crucial to alert operators that a system has been compromised, but alerts aren’t enough – operators must also be provided the know-how, tools and procedures necessary to react quickly in order to implement remedies before any real damage is done. When combined with a well-trained staff, passive monitoring systems can provide this intelligence and help mitigate cyber-threats.
This may not be standard cyber-procedure, but for critical infrastructure facing a mounting wave of threats, it’s becoming an essential one. The challenges in the sector when it comes to patching aren’t going away — so a more layered approach is necessary as the volume and complexity of attacks against utilities and other targets ramp up and threaten real physical damage.
Amir Levintal is CEO and Co-Founder of Cylus.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.
What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
Link to original articke
So, what do you think? Let me know in the comments below!
One thing is for sure, some of the risk management executed in the mentioned examples in this article went awfully wrong!
Sure, it's always about measured reactions and cost benefit leveling but, in many of these cases some simply dropped the ball.
Either the information security specialists weren't able to sufficiently make their cases, or the risk appetite of the executives was to high or auditors dropped the ball or a mix of all of these lead to the dire consequences.
In many cases, that's what my personal experience has showed me many times, if InfoSec isn't sufficiently integrated into the IT architecture, conception and processes of business operations all bets are off!
You can even find ISO certified IT operations for example that are built to deliver a seemingly good setup to auditors but that would fail miserably, on the level of card houses, when confronted with certain vulnerabilities and general information security incidents.
To me it's quite simple...
If you don't make information security a transparent, beneficial service of your overall ITSM (= information technology service management) you'll sooner or later pay the price!
It often just comes down to who is in charge of InfoSec in any given business operation.
- Don't be afraid of harsh truths when being audited!
- Embrace every audit as a chance to propel your information security posture!
- Don't lie and don't tolerate others lying or sugar coating "skeletons in the cupboard".
...and for you, and your personal InfoSec efforts... question yourself by asking the right questions!
- Am I at risk?
- What exactly is at risk?
- What is it worth?
- What can I do to mitigate known risks?
...also, never forget!
How much security is enough security?
Just enough!
But if you're unable to identify the "just enough" something is better than nothing! Hahaha!
Cheers!
Lucky
Hi @doifeellucky, it is better to use > symbol for citation of other people articles and including the source (what you did), so cheetah and other services let you alone. It looks like this then
Hello @ritxi,
thanks for your comment and tip! I'll check this out!
Cheers!
Lucky
Dear @doifeellucky
Another interesting publication.
I wasn't aware of that. But it surely does make sense.
I've been thinking about cyberattacks a lot lately and my conclusion is that with blockchain technology and crypto becoming more popular we will remove "middleman", which is responsible for our security.
We won't be able to rely on banks to keep our funds safe. We will have to learn to protect our wallets and for that reason I would expect more and more personal devices to be target of cyberattacks.
ps. do you use telegram by any chance? I would like to DM you one of those days.
Yours
Piotr
Hello Piotr,
yes very true especially for the crypto community! But one thing that really caught my eye is the fact that many that are in the "space" don't know the first thing about InfoSec/Opsec even though they would have more reason to be concerned than the general public I think.
This is why I post InfoSec news and tips on a regular basis on here but also on Twitter.
My Telegram handle is "doifeel lucky".
Cheers!
Lucky
Finally I had a chance to read your reply and I've also managed to find you on telegram yeyeye :)
Nice Piotr! Thanks you! Just one thing... I'm not constantly online in Telegram but I'll check my stuff there every few days!
Cheers!
Lucky
You must own at least 20 CC to reward commenters on this post!
Please charge 20 CCs to reward your commenters.