We’ve all read the cyber-attack and data breach headlines about Stuxnet, Flame, Shamoon, and most recently, Red October. Critical infrastructure cyber attacks were even a focus of President Obama’s State of the Union Address.
Organizations that operate critical infrastructure, including oil and gas companies, utilities, nuclear facilities, and more, are well aware that they are under attack. The problem right now is that many of these organizations are struggling to figure out how to protect themselves from potentially devastating attacks.
Industrial Control Systems (ICS) Were Not Built for Security
To secure our critical infrastructure, we need to first examine the problem and figure out why these industries are now susceptible to a growing number of advanced attacks. The fact is, most Operational Technology (OT), which includes SCADA systems, Industrial Control Systems and similar equipment, was not designed with security in mind. As a result, these systems inherently have a number of security vulnerabilities, and that was acceptable only while the systems were isolated.
The problems these industries face started when OT environments were connected with traditional IT systems and corporate networks.
These systems were built to be segregated – they were not built to address the security issues that arise when you connect to a network.
This introduced known cyber-security risks from the IT environment into the OT environment. These known risks range from everyday attacks (viruses, malware, etc.) to broader more concerning security issues such as securing privileged accounts and user authentication. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently highlighted that the combination of network connectivity with these known vulnerabilities would “significantly increase the ICS threat landscape.”
Connectivity has brought a host of benefits, with security issues trailing closely behind. So how can we secure our critical infrastructure when it’s reliant on systems and technology that weren’t built with security in mind?
We can start by analyzing several recent infrastructure attacks/breaches to determine the common denominators of the attacks:
A Look Back at Recent Attacks…
Back in August, more than 30,000 computers were compromised and destroyed by the Shamoon virus in a “spear-phishing” attack at Saudi Aramco. All it took to affect the network was one employee opening an infected email carrying the Shamoon malware; 75 percent of the company’s workstations were compromised.
In the case of the Telvent breach in September, it is believed that attackers infiltrated the company network by exploiting insecure passwords used in a factory log-in account. Once inside, attackers embedded malicious software allowing them to reach critical project files related to a control system.
And then there was Flame and its predecessor Stuxnet, powerful malware that cyber security firm Kaspersky Lab said were “more than likely created by the same entities.” Stuxnet is believed to initially spread via Microsoft Windows, and then target industrial software and equipment.
Similarly, Flame can spread to other systems over a local network (LAN) or via USB stick. The entry points they used to infiltrate networks vary – yet their ability to inflict damage and access sensitive data made headlines across the globe.
Most recently, Kaspersky Lab identified what they described as a “high-level cyber-espionage campaign” that has infiltrated networks at diplomatic, governmental and scientific research organizations over the past five years. The attack, dubbed Red October, may be reminiscent of other noteworthy breaches, including Stuxnet and Flame: the campaign is, in essence, a malware-based external breach and espionage platform that siphons data from mobile devices, PCs, and network hardware.
Finding the Common Thread – Privileged Accounts
Our research has shown that these high-profile attacks on our ICS have all followed a distinct pattern. Attackers use simple means to breach the perimeter. Once inside, they immediately target privileged accounts to gain access to additional servers, databases, and other high-value systems. Because OT is now connected with traditional IT systems and corporate networks, attackers can exploit these accounts to elevate access to OT as well. These privileged accounts also allow the attackers to hide inside the organization and exfiltrate data on their own timeline. The real problem is that most organizations have no idea how many of these accounts exist on their network or where they are.
Protect the Privilege Pathway
Security teams need to first and foremost change their mindset when it comes to protecting their corporate network and think of security from the inside out. Traditionally, security teams have worked to build up walls, protecting the corporate network from the outside in. This approach is what has left so many organizations vulnerable to the sophisticated attacks they face today. Assume attackers are already inside and secure your critical assets from there.
Knowing that attackers are going for the ‘keys to the kingdom’, otherwise known as privileged access points, security teams must identify these accounts and protect them from unauthorized access. This can be done manually or automatically, so that privileged credentials are not only identified but actively managed, with full accountability and audit trails. It is critical for organizations connecting OT and IT systems to understand where and how many of these accounts exist within their entire infrastructure, because attackers have proven that one easily leads to the other.
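The inventory step described above, and the lateral-movement pattern in the previous section, both start with the same question: which accounts on a host are actually privileged? The following is an added example, not code from the original post or from Cyber-Ark, showing how an operator could answer that for a Unix host by parsing the three files that define privilege (/etc/passwd, /etc/group, /etc/sudoers). The file contents, account names and the ADMIN_GROUPS set are constructed assumptions for the demonstration.

```python
"""Inventory privileged accounts from Unix account databases (added example)."""
import re

# Constructed sample /etc/passwd (name:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hmi:x:1001:1001:HMI operator:/home/hmi:/bin/bash
plc_svc:x:1002:1002:PLC service:/var/lib/plc:/bin/bash
jdoe:x:1003:1003:Jane Doe:/home/jdoe:/bin/bash
"""

# Constructed sample /etc/group (name:pw:gid:member,member).
GROUP = """\
root:x:0:
wheel:x:10:jdoe
sudo:x:27:hmi
plc:x:1002:plc_svc
"""

# Constructed sample /etc/sudoers; Defaults and alias lines are ignored.
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
plc_svc ALL=(ALL) NOPASSWD: ALL
jdoe    ALL=(ALL) /usr/bin/systemctl restart scada
"""

# Groups treated as administrative (assumption; extend per distribution).
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}

# Matches "user HOST=(RUNAS) [NOPASSWD:] command"; other line types do not match.
SUDO_RULE = re.compile(r"^(%?)([\w.-]+)\s+\S+=\([^)]*\)\s*(.+)$")


def parse_passwd(text):
    """Return {user: (uid, primary_gid, shell)}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":")
            users[name] = (int(uid), int(gid), shell)
    return users


def parse_group(text):
    """Return {group: (gid, set of explicit members)}."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_sudoers(text):
    """Return [(principal, is_group, nopasswd, command)] per user specification."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if not m:
            continue
        is_group, name, cmd = m.group(1) == "%", m.group(2), m.group(3).strip()
        nopasswd = cmd.startswith("NOPASSWD:")
        if nopasswd:
            cmd = cmd.split(":", 1)[1].strip()
        rules.append((name, is_group, nopasswd, cmd))
    return rules


def members_of(group_name, groups, users):
    """Explicit members plus users whose primary gid is the group's gid."""
    if group_name not in groups:
        return set()
    gid, explicit = groups[group_name]
    return explicit | {u for u, (_, pgid, _) in users.items() if pgid == gid}


def find_privileged(users, groups, rules):
    """Map each privileged account to the sorted list of reasons it qualifies."""
    reasons = {}

    def add(user, why):
        reasons.setdefault(user, set()).add(why)

    for user, (uid, _, _) in users.items():
        if uid == 0:                      # root-equivalent regardless of name
            add(user, "uid 0")
    for gname in ADMIN_GROUPS & set(groups):
        for user in members_of(gname, groups, users):
            add(user, "admin group " + gname)
    for name, is_group, nopasswd, cmd in rules:
        targets = members_of(name, groups, users) if is_group else {name}
        for user in targets:
            add(user, "sudo " + cmd + (" (NOPASSWD)" if nopasswd else ""))
    return {u: sorted(r) for u, r in reasons.items()}


def report(users, groups, rules):
    """One line per privileged account; extra uid-0 accounts are called out."""
    found = find_privileged(users, groups, rules)
    lines = []
    for user in sorted(found):
        uid = users.get(user, (None, None, None))[0]
        flag = "  <-- second uid 0 account" if uid == 0 and user != "root" else ""
        lines.append(f"{user}: {', '.join(found[user])}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(parse_passwd(PASSWD), parse_group(GROUP), parse_sudoers(SUDOERS)):
        print(line)
```

Run against the constructed data it reports six reasons across five accounts: the duplicate uid-0 account `toor`, the service account `plc_svc` with passwordless sudo to ALL, and `jdoe` and `hmi` who are root-equivalent through group membership rather than through any entry of their own. Those indirect paths are exactly what a manual review of /etc/passwd alone misses, and they are the accounts an attacker who has landed on the host will look for first.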
As cyber attackers continue to become more sophisticated, and the benefits of interconnecting corporate IT systems with OT systems become more attractive to companies that operate critical infrastructure, every organization will have to face these evolving security challenges. The organizations that proactively learn from others will be the best protected; those that turn a blind eye will inevitably find themselves in the headlines.
Adam Bosnian is Executive Vice President of the Americas and Corporate Development at Cyber-Ark.