Protecting Critical Infrastructure from Cyber Threats

This last week of National Cyber Security Awareness Month (NCSAM), we focus on critical infrastructure (CI). For many years now we have discussed and seen the result of poorly designed and protected control system networks. I wrote on this very topic back in 2016. Now the threat landscape has evolved further and the attack surface is growing by the minute. By 2020, Gartner analysts predict there will be 20 billion connected devices globally. In the first half of 2017 alone, we reported more than 1.8 million cyber attacks have been conducted through home network routers. We are entering a new age with the convergence of IT and OT propelled by Artificial Intelligence. It will bring incredible innovations and efficiencies for smart homes, factories and cities; however, if we do not design and secure them properly we face grave consequences in our near future.

According to the 2017 Emerging Technology Domains Risk Survey released on October 20 from the CERT Coordination Center (CERT/CC), the three domains that it considers high-priority for outreach and analysis in 2017 are Intelligent Transportation Systems; Machine Learning; and Smart Robots. Having come to similar conclusions late last year we have dedicated a lot of engineering, research and resources to understand and protect the booming growth of smart infrastructure. Our Forward Looking Threat Research (FTR) team published reports this year highlighting the growth and innovation of smart cities but also focused on the risks posed by exposed cities. They also dove into discovering the vulnerabilities of critical manufacturing specifically around robotic infrastructure and demonstrated how easily they can be exploited. In addition, just last week we released a paper taking a deeper look into Intelligent Transportation Systems (ITS).

In this report we explored real world ITS cyber attacks and their impact and then we applied the industry standard DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability) threat model to assess ITS cybersecurity risks. It is critical for us to identify the evolutionary changes to IT and OT infrastructure and threats that target them to help our customers develop and deploy robust enterprise risk management strategies.

Our reports try to answer three basic questions, what is the problem (systemic or technical threat or vulnerability); why should CISOs care; and how do they reduce the corresponding risk? Answering the “what” often times is a challenge. We take considerable care in our research to breakdown the trends in infrastructure coupled with the corresponding user behaviors; and expose the current and emerging threats and vulnerabilities. For example in the ITS report released last week, our researchers thoroughly dig deep into understanding intelligent transportation systems, their users and current attacks waged against them. The “why” is the most critical for CISOs of critical infrastructure to answer.

They face constant infrastructure changes that expand their attack surfaces from mobile, wireless, cloud, and industrial IoT. This coupled with minimal human resources and growing security stacks, prioritization becomes paramount. Using a threat model such as DREAD enables our researchers address the “why.” Our researchers analyzed and labeled ITS by Impact Severity Level (ISL) and then scored different physical, network and wireless attacks under Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability categories. The result, of the total number of threats that were modeled:

  • 85 percent were rated as High Risk, 40 percent were rated as Medium Risk, and 6.15 percent were rated as Low Risk.
  • Of the High Risk threats, 71.4 percent were network attacks 31.4 percent were wireless attacks, and 25.7 percent were physical attacks and;
  • DDoS attacks against exposed cyber infrastructure, electronic jamming of wireless transmissions, vulnerability exploitation, and credential brute forcing attacks all scored the highest risk.

Incorporating threat modeling into our reports as seen here is key for us to help CISOs answer the “why.” If not answered properly, critical infrastructure CISOs are thus unable to answer the “how,” which ultimately is the application of maximum protection against the greatest risk.

“He Who Defends Everything, Defends Nothing” ~ Sun Tzu