The goal of hackers is to take control of an organization’s resources. Depending on their motivation, they will either sell acquired credentials on the Dark Web or use them to encrypt computers and extort money, as in case of Waikato District Health Board in 2021.
Critical infrastructure organizations attract special interest from hacking groups due to the scale of the potential negative outcomes. State-sponsored teams actively try to conduct reconnaissance attacks to gather sensitive information and use it to achieve control over a critical resource.
Causing harm to the population of a town, city, or large geographic area by poisoning the drinking water supply is a high impact example of a critical infrastructure attack. In the case of a Florida Treatment Plant in 2021, an outdated version of Windows (operating system) and a weak cyber security network allowed access to the treatment plant’s computer system and the manipulation of chemical levels in the drinking water which if not detected would have been catastrophic for the local population.
Cyber attacks have reportedly increased across OT/ICS organizations by 80% in 2021 (Claroty report). Recovery from a cyber-attack is estimated to cost between USD3.2m and USD4m (IBM 2020 estimates) on top of any ransomware costs paid and the risk of national infrastructure shutdowns, economic production and risk to life and wellbeing.
In the light of recent significant cyber-attacks, it’s obvious that cybersecurity must be addressed in any organization. The question is where to start?
Cyber security risks broadly cover the areas of hardware and software, roles and resourcing, policies, processes, and physical security.
Assessing an organizational cybersecurity risk is based on understanding their vulnerabilities and how they can be exploited to harm the business, people, and environment.
Undertaking a cyber security assessment allows organizations to identify the vulnerabilities and specific methods of attack (vectors) relevant to them. Once identified, steps to mitigate risk and reduce organizational vulnerabilities can be put in place.
There are several standards and frameworks which can be used to facilitate the process of spotting vulnerabilities: NIST Cyber Security Framework, NIST 800-82R2 Guide to Industrial Control Systems Security, ISA/IEC 62443 Standards of security development of Industrial Automation and Control Systems, ISO 27000 series, NSCS Voluntary Cyber Security Standards for Industrial Control Systems.
All these standards provide a broad, high-level approach and require a specialist to translate specific security requirements to actions and controls specific to the organization.
No cybersecurity policy
An organizational security programme is the set of policies, processes and procedures describing different aspects of cybersecurity governance, physical security, administrative measures, and technical controls.
Many existing practices across the industry indicate only a limited number of technical security controls are in place. These controls have been deployed based on the existing experience and knowledge of the engineers responsible for either networks or automation systems and frequently aren’t reflective of industry best practice.
Establishing an organizational security programme starts with identifying key roles, responsibilities, and a set of important policies addressing the organizations cybersecurity posture. Examples of policies include an inventory management policy, patch management policy, and business continuity policy.
Firewall vulnerabilities
There is a common misconception that a firewall gives an infinite level of protection against cyber threats. Firewall design, configuration and alignment to an organizations specific needs and vulnerabilities is critical in its ability to work against malicious intruders.
The balance between function and cost is often visible when it comes to level of firewall capability. It isn’t uncommon to find situations where a consumer-grade firewall has been deployed in an environment with much higher and more complex security needs.
Unlike consumer-grade firewalls, enterprise- level firewalls can detect complex reconnaissance activities and intrusion attempts and inform experts in real time about the suspicious anomalies.
Managing the balance between budget and risk protection is constant for many organizations and while investing in enterprise-level firewalls can appear significant, the cost of downtime, lost earnings and reputational damage is much higher.
Regardless of capability, a firewall provides the first layer of what should be a multilayer approach to cybersecurity. Human error is a common cause of firewall breaches, so it is important to set up several layers of protection and constantly monitor activity.
Attacker has too many privileges in the network
Once a hacker or a ransomware is already in the network, malicious activities should be detected and shutdown.
If it’s not possible to shut down an illegitimate action, then the attacker’s activities should be impeded as much as possible.
A simple flat network structure or close to flat structure gives an attacker an advantage in carrying out malicious actions. The implementation of security zones, and the minimization and filtering of communications between zones via firewall rules, and monitoring of communications are recommended.
Lack of resiliency for critical production systems and services
If hackers gain access to the network and ownership of critical components, they can implement a Denial-of-Service attack disconnecting critical services and systems from the operational environment and disrupting business operations. This can include tampering with critical systems, such as safety measures or chemical dosing.
The impact of such an attack could cause harm to people both directly and through the delayed restoration of services.
Mitigating such an outcome involves duplication of both physical and logical network components and the development of a comprehensive disaster recovery plan.
Lack of control over remote access
This risk is often the result of unpatched software on VPN firewalls. This vulnerability is then exploited through leakage of user’s credentials and poor configuration of the remote access system. If intruders are already in the network, then a monitoring system should be able to detect them and disconnect them from the network at the early stage.
All remote access connections should be placed in special perimeter network or Demilitarised Zone (DMZ) and should be monitored and controlled. Any suspicious activity in the remote access connection should trigger an immediate disconnection from the network.
Lack of sensitive data confidentiality
If data is transmitted in unencrypted form, it can be easily intercepted by attackers, and sensitive information can be leaked. This risk can be mitigated via the encryption capability of properly configured communication devices.
Particular attention should be given to encryption in systems like remote access solutions, radio linking systems, and secure access to the network devices for configuration.
A security assessment is a snapshot of an organization’s security position at a point in time. The first assessment will become a benchmark, it will identify current vulnerabilities but does not resolve them.
System security misconfigurations and undetected intrusions could occur (or continue to occur) after the assessment, completely compromising the organization’s operational environment.
Implementing a security and network monitoring service provides another layer of protection to your organizations network by actively monitoring logs and security events to detect malicious actions and remaining informed about potential security incidents.
Ensuring an organizations cybersecurity position is strong is a multifaceted approach requiring collaboration from specialists across the organization. Either appointing a security expert as a member of the organization or working with a cybersecurity technology partner is essential in ensuring policies, processes and procedures are both created, implemented, and monitored across the organization.
Critical infrastructure organizations are the attractive goal for malicious intruders. In majority of cases these organizations are the part of the national critical infrastructure. Cyber security must be taken seriously to keep the community safe and minimize disruption to critical services.