When thinking about critical infrastructure, most people will probably imagine oil rigs in the middle of the ocean or electric power plants that sit on the outskirts of towns across the country. You’d also probably assume that because of how important they are to the day-to-day running of the nation, that they are some of the most secure infrastructures – both physically and virtually – around. Unfortunately, this isn’t always the case.
Critical infrastructure runs on legacy networks which previously were air gapped by being kept separate from the IT network. Now, due to an increasing demand for connectivity and the ability to work remotely, these legacy networks, which are often 25+ years old, are becoming connected. As a result, the infrastructure that essentially runs the world, has been opened up to a number of vulnerabilities and other security issues, leaving them open to cyber attack.
This year we’ve been tracking and investigating SCADA devices through the Shodan platform and have found a number of unprotected SCADA devices across the globe, including in countries such as the US, Canada, the UK, France and Germany. And the number seems to be increasing. For instance, our search in January demonstrated that there were 20,000 unprotected devices, however more recent analysis showed the number more than double to 43,000.
One of our theories for this, as for many threat increases this year, is that it could be a consequence of making systems available to a remote workforce due to the COVID-19 pandemic. But equally, we know attackers are opportunistic, if there are vulnerabilities to be found, they’ll find them.
This rise can be attributed to the increase in the number of IoT/SCADA devices connected to the public internet without appropriate security measures in place, meaning they are being left open to potential attack and hacking attempts.
Despite a number of high-profile attacks on SCADA systems having hit the headlines, the majority of devices and protocols are still not being robustly protected. There is hope in that some users of protocols such as Modbus and S7 are demonstrating improvements in their security posture, but many are not seeming to consider security at all.
Due to these previously standalone legacy networks now being connected to IT networks, cyber security for critical infrastructure is vital but somewhat lagging. The first mistake we see security teams make is assuming that they can implement operational technology (OT) security by recycling their existing IT security strategy, but this is simply not the case.
Nevertheless, there’s a number of security strategies organisations in CNI industries can take to protect themselves against those with nefarious intent.
Top three tips for organisations
1. Starting with visibility. To even begin to be able to secure an entire infrastructure and avoid falling victim to attack through unknown vulnerable devices, organisations must have a clear view of all assets connected to the network. Don’t underestimate the importance of mapping the network and having a constantly updated and live list of active and dormant assets.
2. Separate but together. Simply having a proper, secure infrastructure will do wonders to an organisation’s security posture. Organisations should be isolating OT devices from the company’s general IT network, behind a second firewall, for instance. The idea of this is to have the networks “separate but together”, rather than just one big network. Continuous security monitoring of the network and environment is also critical.
3. Continuous improvement. For all organisations updating and improving the network is always going to be necessary. This includes firmware patches being applied to firewalls and switches immediately after testing; strong internal controls should be applied to restrict untrusted traffic; and network operators should always follow the rule of least privilege for both devices and users.
Want to know more about how to get a handle on the risks facing your business? Read all about how we can help conduct vulnerability assessments to mitigate your cyber risks.