
Breaking down old and new threats to critical infrastructure

  • Posted on: July 23, 2014
  • Posted in: Current News, Industry News
  • Posted by: Trend Micro

There are few, if any, cliches in cybersecurity more long-lived than warning of an imminent "digital Pearl Harbor," namely a cyberattack that would devastate critical infrastructure. In such a scenario, attackers would not simply steal data from compromised endpoints or conduct cyberespionage, but also exploit the growing reliance of sectors like energy and transportation on computerized systems, causing widespread damage. But beyond all the doom-laden headlines on this subject, how great is the actual risk and where is it most likely to emerge?

Cyberattacks on infrastructure are nothing new: The legacy of ICS/SCADA
Potential vulnerabilities have been continually introduced into critical infrastructure over the past 30 years, as supervisory control and data acquisition networks have become interwoven with industrial control systems. From water treatment plants to automobile factories, the ICS/SCADA combination has facilitated increased automation, gathering of data from remote sites and more streamlined process management.

Going forward, these tangible benefits will only make ICS/SCADA more central to production around the world. In 2012, IMS Research estimated that the industrial automation market was worth almost $160 billion and predicted that it would balloon to more than $200 billion by 2015. Frost & Sullivan analysts looking at the same subject cited cloud computing, mobile devices and custom applications as key drivers of growth in this area.

Essentially, organizations have replaced manual workflows with ICS/SCADA, and they are making some of these systems Internet-facing, which creates further openings for external attack. Notable examples of ICS/SCADA cybersecurity events include:

  • The 2010 sabotage of uranium enrichment centrifuges at a facility in Natanz, Iran by the Stuxnet worm, one of the most sophisticated pieces of malware in history. It was introduced through a thumb drive and was designed to reduce the life of infected equipment while sowing confusion as to the cause.
  • A 2008 train derailment in Lodz, Poland, initiated by a teenager using a modified TV remote control to manipulate track switching as a prank.
  • An attack on a water utility station in Springfield, Illinois in 2011, possibly by Russian hackers. At the time, a LogRhythm vice president noted that such "attacks in cyberspace can result [in] physical damage," and likened the incident to Stuxnet and the related Duqu framework.

In a 2013 Trend Micro research paper, The SCADA That Didn't Cry Wolf, Kyle Wilhoit noted that while ICS/SCADA have been around seemingly forever, their security mechanisms have lagged their feature sets, despite the growing burden for ensuring safety on networked infrastructure. The prevailing approach to securing ICS/SCADA is still one of bolt-on half-measures and band-aids, rather than complete security.

How much risk do enterprises face in securing their critical infrastructure?
Understandably, enterprises – not to mention national governments – are becoming aware of infrastructure security issues. A July 2014 Ponemon Institute survey of 599 security executives found that 57 percent of respondents believed that their ICS/SCADA implementations were vulnerable to attack. Governments in countries from the U.S. to Japan have also introduced institutions to oversee and shore up these environments.

However, organizations, especially in the private sector, have been slow to upgrade network security and patch ICS/SCADA, despite widespread realization of the associated risks. Slightly less than 30 percent of security practitioners included in the survey reported that cybersecurity was a top priority for their firms. Teams may be holding back out of fear that introducing new solutions could compromise the performance and cost-effectiveness of legacy systems, which were designed to last for decades and as such are often out of step with current security practices.

In this context, the lack of an event that lives up to the hyperbolic "digital Pearl Harbor" name – despite the ramifications of Stuxnet and its ilk – may be incubating complacency, leading stakeholders to put off upgrades until something truly damaging affects their interests. Commenting on the Trend Micro TrendLabs Q1 2014 Security Roundup, JD Sherry, vice president of technology and solutions at Trend Micro, listed critical infrastructure as one of many sectors struggling to fend off targeted attacks. Slowness to act has been compounded by increasingly advanced schemes.

"Organizations continued to struggle with attacks that were targeted in nature, which could be directly aimed at the energy, financial, healthcare, and retail industries or critical infrastructure," stated Sherry. "It came down to a simple equation – high-value targets that promised massive payouts were compromised despite the determined efforts of organizations to protect their valuable information."

Cloud security, encryption and data classification all key to protecting critical infrastructure
Shielding critical infrastructure from harm is a leading cybersecurity issue, with implications for both the public and private sector. In a keynote at the Cloud Security Alliance Summit earlier this year, Sherry looked at how broad uptake of cloud computing services was posing new risks to ICS/SCADA security while simultaneously creating prime opportunities for more proactive and effective defense.

A blanket restriction on cloud usage is becoming unfeasible. However, enterprises that are smart about how they manage cloud and on-premises systems can reap the benefits of a secure, scalable infrastructure:

  • Data classification plans can determine what information passes through ICS/SCADA and what priority it deserves. Accordingly, organizations can better understand where to focus their security efforts and what risks they run.
  • Building off that, specific measures like encryption can be implemented to protect sensitive assets. Since it may not be economical to encrypt everything, having priorities can save the firm money while improving its security posture.
  • Not all cloud ecosystems are created equal. Enterprises may invest in someone else's hosted infrastructure (public cloud), build a scalable internal system (private cloud) or mix and match them (hybrid cloud). During procurement, it is imperative to ensure that the cloud service provider is diligent about security and spells out associated responsibilities in the contract.

On top of that, a combination of well-honed tactics such as application whitelisting and strategies like following the guidance of the National Institute of Standards and Technology can help organizations mitigate risks to critical infrastructure. The "digital Pearl Harbor" lingo may not go away anytime soon, but enterprises can ensure that they're well prepared in any event.
