
Internet Security: Critical Infrastructure in the Industrial Control System

By Rajesh Maurya 

Regional Director, India & SAARC, Fortinet

As we transition to a digital economy, critical infrastructures will become increasingly vulnerable. 

Industrial Control Systems (ICS) – in public utilities, oil and gas, mining, manufacturing and transportation – are riding the inevitable convergence of Operational Technology (OT) with Information Technology (IT). As in all spheres of computing, the advantage of increased network connectivity comes at the cost of increased vulnerability.

However, while the impact of a security breach on most IT systems is limited to financial loss, attacks on ICS have the added potential to destroy equipment, threaten national security, and even endanger human life.

With this critical distinction also comes a troubling difference in the profile and motivations of potential attackers. While the lion’s share of modern cybercrime is motivated by financial reward, ICS have recently become attractive targets for terrorism and cyber-warfare. As a consequence, the financial and human resources available to their perpetrators can be an order of magnitude greater than those of conventional cybercriminals. This is especially true of highly targeted state-sponsored attacks, of which STUXNET (first appearing back in 2010) is considered one of the most sophisticated examples so far.

Active mitigation tactics are required to secure critical resources because the potential impact goes far beyond the very significant financial risk to commercial businesses – making security a paramount priority. In addition, distributed critical infrastructure is often located in places that are physically inaccessible, lack connectivity, are subject to intemperate climate or are otherwise constrained by limited space. As a result, traditional security solutions intended for indoor environments are often ill-equipped to operate under duress or in harsh conditions.

Implementing a pervasive security strategy is a significant challenge. What many organizations in this circumstance tend to do is simply keep building a bigger and stronger front door to keep the bad stuff out, which of course is a recipe for disaster.

A number of things need to happen to fix this problem. First, governments need to legislate that critical infrastructure industries must meet basic security standards, and this legislation needs to have teeth. Of course, because some of these industries come directly under government control, they will need to be funded. But the last thing that any government wants is a nuclear power plant meltdown, the release of toxic chemicals, the contamination of water supplies, or energy grids taken offline that can be traced back to a cyber attack.

Next, these organizations need to understand that perimeter security is no guarantee. Even the best firewalls in the world, according to numerous studies, are only about 98% effective. If you have a boat with a hundred holes in the bottom, and you only plug 98 of them, what happens to the boat? The compromise of critical infrastructure networks is a matter of when, not if. And frankly, based on forensic evidence from a number of breaches, I can tell you that the only thing standing between us and disaster has been serendipity.

There are also dozens of sector-based information-sharing groups that organizations in these industries need to participate in. If the recent cyber attack on the power grid in Ukraine hadn’t been an isolated incident, but part of a larger cyber-terrorism strategy, it would have been essential that other energy providers around the world knew the details of this breach immediately, rather than a piece at a time, ferreted out over weeks and months.

From a functional perspective, a security game plan needs to be developed on a site-by-site basis. The most important first step that any organization in this sort of circumstance can take is to hire security professionals to assess their current state, develop a get-well plan, and prioritize implementation. From a general perspective, this needs to include a number of key security strategies.

  • Don’t just start with where you are, but consider where you are going. A security plan needs to be able to adapt as you grow. If you are planning to add remote offices, enable mobile users or build a virtualized data centre, include that in your plan now. And select security tools that are future-proof.
  • Strategically segment your network. This is perhaps the easiest and most critical step in any security strategy. For example, keep your access network separate from your production network. Then actively monitor traffic that passes between segments. Segmentation allows you to detect threats that have bypassed your perimeter defenses, isolate infected devices and malware to one place in your network, contain the spread of threats, and maintain the integrity of your intellectual property.
  • Keep it simple. As much as possible, build a strategy that provides consistent security across physical, virtual, cloud, access, and mobility networks. Security silos mean that policies get enforced differently in different parts of your network. Sophisticated cyber-attacks will exploit these inconsistencies.
  • Don’t just bolt on security. Tools that work together are better than those that don’t. You need to select security tools that can share threat intelligence and provide a coordinated response. An isolated security tool, no matter what it can do, is only effective against attacks that pass directly through it, and nowhere else. These sorts of security tools quickly become chokepoints in the network, and pretty soon time-sensitive traffic will be routed around them.
  • Visibility is essential. Security teams manage an average of 14 different security consoles, and sometimes many more. And they still have to hand-correlate log files and threat data to discover a threat, and manually coordinate a response to an attack – which is why Gartner estimates that over 70% of cyber-security breaches take months to discover. And according to Ponemon, it takes an organization an average of 256 days to detect a malicious attack. As much as possible, implement a single-pane-of-glass management strategy for centralized visibility and orchestration.
  • Finally, slow is broken. Security will simply not be used if it gets in the way of time-sensitive traffic. Oh, you might have policies, but the reality is that when you have to process flight information or reroute rush hour traffic or respond to an energy grid failure RIGHT NOW, you can’t afford to wait for an overloaded firewall to decrypt and analyze your files. And whatever performance requirements you have today are likely to be a drop in the bucket compared to tomorrow. So plan ahead.
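The segmentation point above (keep the access network separate from the production network, then actively monitor the traffic that crosses between segments) is the one on this list that can be reduced to a concrete check. The following is an added example, not code from the article or from Fortinet: a small zone-aware flow monitor that maps source and destination addresses to segments, compares each boundary-crossing flow against an explicit allow-list, and reports everything else. The zone address ranges, the allowed conversations, the flow-log format and the sample flows are all constructed for this illustration; the port numbers used (443 for HTTPS, 502 for Modbus/TCP, 44818 for EtherNet/IP, 3389 for RDP, 20000 for DNP3) are the standard registered ports for those protocols.

```python
"""Zone-aware flow monitor for a segmented ICS network (illustrative example).

Reads flow records, classifies each endpoint into a network segment, and
flags any traffic that crosses a segment boundary without a matching entry
in the segmentation policy. Intra-segment traffic is deliberately ignored:
the point of the check is the boundary, which is where a threat that slipped
past the perimeter has to show itself to move from access to production.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical segment plan (assumed for this example): an access zone for
# corporate users, a small DMZ for historians/jump hosts, and the production
# (OT) zone holding PLCs and HMIs.
ZONES = {
    "access": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/16"),
}

# Permitted inter-zone conversations as (src_zone, dst_zone, dst_port, proto).
# Anything else that crosses a zone boundary is a finding. Note that there is
# no access -> production entry at all: users reach OT data via the DMZ only.
ALLOWED = {
    ("access", "dmz", 443, "tcp"),       # users browse the historian web UI
    ("dmz", "production", 502, "tcp"),   # historian polls PLCs over Modbus/TCP
    ("dmz", "production", 44818, "tcp"), # EtherNet/IP from the DMZ collector
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Return the segment name for an address, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def check_flow(flow: Flow):
    """Return None when the flow complies with the policy, else a reason."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return None  # intra-zone traffic is outside the boundary monitor's scope
    if (s, d, flow.dport, flow.proto) in ALLOWED:
        return None
    if s == "unknown" or d == "unknown":
        # An address outside every known segment is itself worth a look:
        # it may be an unmanaged device, a misconfigured route, or a mistake
        # in the zone plan.
        return f"unmapped address in {s}->{d} flow"
    return f"{s}->{d} {flow.proto}/{flow.dport} not in segmentation policy"


def audit(lines):
    """Run every record through the policy; return (flow, reason) findings."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


def top_talkers(findings, n=3):
    """Sources responsible for the most violations, for triage ordering."""
    return Counter(flow.src for flow, _ in findings).most_common(n)


# Constructed sample flow log: two compliant flows, one intra-zone flow,
# and four boundary violations of different kinds.
SAMPLE_FLOWS = """\
2016-03-01T08:00:01 10.10.4.20 10.20.0.5 443 tcp
2016-03-01T08:00:03 10.20.0.5 10.30.1.10 502 tcp
2016-03-01T08:00:07 10.10.4.20 10.30.1.10 502 tcp
2016-03-01T08:00:09 10.10.4.21 10.30.1.11 3389 tcp
2016-03-01T08:00:12 10.30.1.10 10.30.1.11 502 tcp
2016-03-01T08:00:15 192.168.77.9 10.30.1.12 502 tcp
2016-03-01T08:00:20 10.10.4.20 10.30.1.12 20000 tcp
""".splitlines()

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for flow, reason in results:
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
    print("top sources:", top_talkers(results))
```

Running it on the sample log reports the direct access-to-production Modbus and DNP3 attempts, the RDP attempt into the OT zone, and the flow from an address that belongs to no defined segment, while the historian's own polling and the intra-zone PLC chatter pass silently. In practice the allow-list would be generated from the same source of truth as the firewall rules between segments, so the monitor catches both policy violations and drift between the documented plan and what is actually enforced.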

The reality is that as we transition to a digital economy, critical infrastructures will become increasingly vulnerable. Expanded attack surfaces, new applications and devices, and the need to dynamically share critical information simply expand exposure to risk. Those industries that are essential to the health and well-being of both people and national economies have got to step up and address this challenge. Lives actually depend on it.

The author is Regional Director, India & SAARC, Fortinet.
