
Cyber Security Part V - Critical Infrastructure

The final part in the cyber security series focuses on the issues that critical infrastructure environments face.  Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that can constitute a critical environment.  Whilst many financial services environments can be described as critical, the term critical infrastructure is more narrowly applied to the key assets a government describes as essential to the normal functioning of society and the economy.  This includes key utilities such as electricity and water supply, public health institutions, and national security bodies such as the police and the military.

In recent years these environments have been subject to targeted and prolonged attacks, exposing long-standing vulnerabilities.

Difference of priorities: CIA to AIC

The standard information security triad consists of confidentiality, integrity and availability.  The priorities for many business information systems follow the CIA ordering.  Confidentiality is still the number one priority, with access management, network perimeter security and data loss prevention still the biggest budget items.  The main driver behind such decisions is usually the protection of intellectual property, client records or monetary transactions.  The output of many service-related organisations is largely intangible, which places a greater reliance on the digital management, storage and delivery of the processes and components that make the organisation work.

From a critical infrastructure perspective, I would argue the priorities within the security triad shift towards availability, with integrity second and confidentiality last.  An electrical generation plant has one main focus: generate and distribute electricity.  A hospital has one priority: keep people alive and improve their health.  These operations, whilst relying substantially on information systems, are managed in a way that makes continuous delivery of the service more important than any of the component systems involved.

This difference in how security policies are prioritised and implemented can have a significant impact on vulnerability and exploit management.

Vulnerabilities - nature or nurture?

Vulnerability management from a consumer or enterprise perspective is usually applied via a mixture of preventative and detective controls.  Preventative control comes in the form of patching and updates, in an attempt to limit the window of opportunity for attacks against newly disclosed or zero-day vulnerabilities.  Detective control comes in the form of anti-virus and log management systems, which help to minimise impact and identify where and when a vulnerability was exploited.  These basic steps, taken for granted in enterprise protection, are often not available within critical infrastructure environments.

Critical infrastructure is often built on top of legacy systems running outdated operating systems and applications.  These environments frequently go unpatched because there is no downtime or out-of-hours window in which the work is permitted.  ICS and energy generation systems generally don't have a 'downtime' period, as they run 24 x 7 x 365.  Outages are for essential maintenance only, and preventative patching won't necessarily qualify as essential.  Given the age and heterogeneity of such systems, a greater focus on patch management would seem the natural response, yet the operating constraints work against it.  Many critical infrastructure environments are also relatively mature in comparison to modern digital businesses.  Mechanisation of industrial and energy-related tasks is well over a century old, with computerisation arriving only in the last 35 years.  This maturity has often resulted in cultural and personnel gaps when it comes to information security.

Basic security eroded

Some of the existing security policies implemented in critical infrastructure environments are now starting to erode.  The basic but powerful preventative measure of using air-gapped networks to separate key operational systems from the administrative side of the organisation is being lost.  The demand for management information, reporting and analytical systems has led to cross-network connections between the two.  The low-level programmable logic controllers (PLCs), used for single-purpose automation of electromechanical tasks, are now potentially exposed to the public network.  The connection of desktop and laptop devices to previously isolated networks has raised the risk of infection by internet-borne malware considerably.
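The erosion described above usually happens one firewall rule at a time: a reporting feed here, a remote-access rule there, until the enterprise network can reach the controllers directly.  The following is an added example (not code from the original post) that models the network as zones with allowed flows, roughly along the Purdue levels, and checks two things: whether any rule lets a non-OT zone speak an ICS protocol straight to a protected zone, and whether any path from the internet or enterprise zone reaches the control or PLC zone without passing through the OT DMZ.  The zone names, the ruleset and the choice of the DMZ as the only permitted chokepoint are constructed assumptions for illustration; the port numbers are the registered ones for Modbus/TCP (502), ISO-TSAP as used by Siemens S7 (102) and DNP3 (20000).

```python
"""Segmentation check for a zone model of an ICS network.

Added example, not part of the original post. Zones, rules and the
"DMZ is the only chokepoint" policy are assumptions made for illustration.
"""
from collections import defaultdict
from typing import List, Optional, Tuple

Rule = Tuple[str, str, int]  # (source zone, destination zone, destination port)

# Assumed zones, loosely following the Purdue model.
CHOKEPOINT = "ot_dmz"                 # every IT -> OT flow must pass here
PROTECTED = {"control", "plc"}        # zones that must only be reached via the DMZ
ORIGINS = ("internet", "enterprise")  # zones treated as untrusted for OT
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3"}

# Constructed ruleset. The last two rules are the kind of "temporary"
# additions that quietly bridge the air gap.
RULES: List[Rule] = [
    ("internet", "enterprise", 443),
    ("enterprise", "ot_dmz", 443),     # reporting portal in the DMZ: fine
    ("ot_dmz", "control", 1433),       # historian replication via the DMZ: fine
    ("control", "plc", 502),           # SCADA polling PLCs: expected
    ("enterprise", "control", 3389),   # RDP straight into control: bypasses DMZ
    ("enterprise", "plc", 502),        # engineering laptop polling a PLC directly
]


def adjacency(rules: List[Rule]):
    """Build zone -> {(next zone, port)} from the allow rules."""
    graph = defaultdict(set)
    for src, dst, port in rules:
        graph[src].add((dst, port))
    return graph


def paths(rules: List[Rule], source: str, target: str) -> List[List[Tuple[str, Optional[int]]]]:
    """Enumerate simple (cycle-free) zone paths from source to target."""
    graph = adjacency(rules)
    found: List[List[Tuple[str, Optional[int]]]] = []

    def walk(node: str, trail: List[Tuple[str, Optional[int]]]) -> None:
        if node == target:
            found.append(trail)
            return
        visited = {zone for zone, _ in trail}
        for nxt, port in graph[node]:
            if nxt not in visited:
                walk(nxt, trail + [(nxt, port)])

    walk(source, [(source, None)])
    return found


def violations(rules: List[Rule]) -> List[str]:
    """Return findings: direct ICS-protocol exposure and DMZ bypass paths."""
    findings: List[str] = []
    trusted_sources = PROTECTED | {CHOKEPOINT}
    # 1. A rule that lets a non-OT zone talk an ICS protocol into a protected zone.
    for src, dst, port in rules:
        if dst in PROTECTED and src not in trusted_sources and port in ICS_PORTS:
            findings.append(f"direct {ICS_PORTS[port]} allowed from {src} to {dst}")
    # 2. Any reachable path from an untrusted origin that never traverses the DMZ.
    for origin in ORIGINS:
        for target in sorted(PROTECTED):
            for trail in paths(rules, origin, target):
                zones = [zone for zone, _ in trail]
                if CHOKEPOINT not in zones:
                    findings.append(f"{origin} reaches {target} without {CHOKEPOINT}: "
                                    + " -> ".join(zones))
    return findings


def hardened(rules: List[Rule]) -> List[Rule]:
    """Drop every rule into a protected zone whose source is not the DMZ or another protected zone."""
    trusted_sources = PROTECTED | {CHOKEPOINT}
    return [r for r in rules if r[1] not in PROTECTED or r[0] in trusted_sources]


if __name__ == "__main__":
    for finding in violations(RULES):
        print("FINDING:", finding)
    print("after hardening:", violations(hardened(RULES)) or "no findings")
```

Against the constructed ruleset this reports the direct Modbus rule from the enterprise zone and six bypass paths (each of the two bad rules is reachable both from the enterprise zone and, via the enterprise zone, from the internet, with the RDP rule also giving a route on to the PLCs); removing those two rules leaves no findings.  The point a real ruleset review should take from it is that a rule allowing a single "harmless" port into the control zone can still create a route to the controllers, so the check has to be on reachability, not on individual rules.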

Recent attacks and a change in culture

The two most prominent pieces of malware aimed specifically at critical infrastructure environments in the last couple of years have been Stuxnet and Duqu.  Whilst the motives behind them differ from the usual monetary or credibility drivers for malware, they illuminated the potential for mass disruption.  As with any security incident, post-incident awareness and increased focus tend to follow, and several new initiatives for securing critical infrastructure are now gaining traction.  Several government-led and not-for-profit organisations have contributed security frameworks for critical environments.  Kaspersky Lab also recently announced plans to develop a new, built-from-the-ground-up secure operating system with a focus on critical environments.

Whilst previously focused only on the availability and delivery of key services and products, critical infrastructure environments now also have to manage the growing threat posed by cyber attacks and malware exposure.
