James Clapper, the Director of National Intelligence, recently warned that the biggest threat to U.S. economic and national security is not terrorism -- it's cyber attacks.
Sadly, he's right. Cyber attacks are growing in frequency and severity. Last year, hackers pulled off nearly 300 attacks against critical infrastructure such as electric grids and nuclear plants. That's a 50 percent increase over 2012.
Alarmingly, critical infrastructure is often an easy target for bad actors. Most critical infrastructure is protected by antiquated security systems that rely too heavily on firewalls and antivirus programs, both of which are no match for determined attackers easily capable of bypassing traditional static defenses.
Even "air-gapped" systems -- systems that are not connected to the Internet or any other network infrastructure -- are not completely secure, as threat actors have already demonstrated success breaking into these systems. One such attack occurred in Iran, where threat actors were able to infiltrate and cripple an air-gapped uranium enrichment plant using infected USB flash drives.
Another big concern is the fact that critical infrastructure owners and operators are behind the curve in terms of security maturity and staffing. In a survey of nearly 600 utility, energy, and manufacturing organizations, only half of the companies had a dedicated IT security program.
Fortunately, there are several steps that critical infrastructure organizations can take to mitigate their risk of attack. By establishing email controls and performing regular security assessments such as penetration tests, Red Team assessments and Industrial Control System (ICS) assessments, owners and operators across industry can increase the strength of their cyber defenses.
Email controls assist in detecting and blocking the types of phishing attacks that frequently bypass email security and spam filters. These controls are pivotal since all it takes is a single click on a malicious email for attackers to gain the foothold they need to ultimately access critical control systems. Setting up email security controls makes it much harder to gain entry by just sending an email, making this is a fundamental and necessary measure.
When it comes to assessments, critical infrastructure entities -- utilities in particular -- are heavily audited and may not leap at the chance for more evaluations. However, there are some great alternatives to assessments, including security monitoring services through managed security service providers. Additionally, pre-planning and incident response preparedness are both excellent ways to stay ahead of the bad events that typically catch organizations flatfooted.
Still, despite the potential for audit fatigue, security assessments may spell the difference between being compromised and conducting business as usual. Specifically, there are now well-structured assessments designed for industrial control systems (ICS) that do not put systems at risk. These ICS assessments utilize a non-invasive approach, which helps overcome the organizational inertia caused by the fear of taking down mission critical systems. These ICS assessments can bolster cyber defenses by analyzing the network to verify traffic patterns and gauge severe risks.
Organizations can also carry out compromise assessments, which check to see if an attacker is already in the system. Currently, the global average for entities to learn they've been breached is 146 days. By catching attackers quickly, organizations can prevent initial breaches from turning into catastrophes -- something that has become increasingly important as we see a major shift from IT to OT.
Additionally, traditional penetration tests can and should be used help to identify vulnerabilities. However, "red team" assessments may be a better approach. With a "red team" assessment, trained security experts will simulate a cyber attack to see if they can identify vulnerabilities, misconfigurations, and other weaknesses in an organization's network. If successful, the "red team" can assist in plugging up those holes, thus preventing future attacks.
Through "red-teaming," organizations gain a very clear understanding of how their own team (the "blue team," or defenders) stacks up against advanced threat actors. Typically, the organization learns if attacks are being detected, how their team responds to attacks, if they can defend against attacks, and if they can remediate. This, in turn, allows an organization to focus on visibility, awareness, and control gaps to have a better probability of success against a real threat.
As nation-states become more aggressive and cyber criminals become more talented in honing their tools, tactics, and procedures, critical infrastructure sectors need to bolster their own cyber defenses to stay one step ahead of the bad guys. If they don't, the results could be unthinkable. After all, according to the White House, critical infrastructure "provides the essential services that underpin American society." We don't want that pin pulled.