
Safeguarding the Nation’s Critical Infrastructure

  • Posted on: October 22, 2018
  • Posted in: Critical Infrastructure, Internet Safety, Security
  • Posted by: William "Bill" Malik (CISA VP Infrastructure Strategies)

In May of 1998, President Clinton issued Presidential Decision Directive 63: Protecting America’s Critical Infrastructures. This Directive proposed steps to enact the recommendations of the President’s Commission on Critical Infrastructure Protection, published in October 1997.

Twenty years on, how are things going? The US Federal government has identified critical infrastructure sectors and associated each with a lead agency. The US-CERT (United States Computer Emergency Readiness Team) coordinates the Federal CIO Council, the Government Forum of Incident Response and Security Teams (GFIRST), and the National Council of Information Sharing Analysis Centers (ISAC Council).

What’s next? Regulations are still far behind the realities of information security, and the challenges are becoming more serious. IT/OT convergence exposes weaknesses in systems that originally ran in isolated networks. Waiting for IoT or Industrial IoT vendors to voluntarily improve product security hasn’t worked since “C2 in ’92!” As Bruce Schneier puts it, the question now is not regulation vs. no regulation, but good regulation vs. bad regulation.

The most reported critical infrastructure vulnerabilities concern the power grid. The BlackEnergy vulnerability allows hackers to destroy generators by briefly interrupting their connection with the grid. After the generator falls out of phase, Aurora malware re-establishes the connection, and the generator rips itself apart. Fixing this requires updating control circuits on every generator – a massive undertaking. The US has more than 8,000 power plants. Those using conventional fuels may be vulnerable.

Another widely reported vulnerability concerns insecure electronic voting technology. Recent events have shown that such tools are too easy to disrupt maliciously. Deploying a secure, encrypted voting network would involve updating technology at more than 120,000 polling places, another massive expenditure.

Hospitals remain a significant target. Connected healthcare systems expose Operational Technology to IT vulnerabilities. Remediation is difficult as (US-based) hospital technology is FDA certified, and the certification process can take years. Changing the software in a certified device invalidates it. So health care technology software is five or more years out of date at best. There are more than 5,000 hospitals supporting nearly 900,000 patient beds in the US.

Cheaper IoT means non-IT-certified solutions are popping up. One hospital improved patient care and nurse productivity by buying inexpensive sensor pads for hospital beds in one ward. For about $60 each, they put a pad under the mattress cover. The pad notified the nurses’ station if the patient moved or if the dampness changed. That alert would bring the nurse to the patient’s bedside quickly. Rather than walking rounds, the nurses could work on charts, prep medicines, and handle paperwork. The informal experiment was so successful that the rest of the hospital followed suit, spending about $120,000 to instrument all 2,000 beds. Then the head of nursing went to the head of IT and asked them to take over management of this configuration. The pads used unencrypted Bluetooth and were invisible to IT’s network monitoring. If the nurses had asked for fully certified intelligent patient beds, the cost would have been upwards of $12,000,000 and never would have been approved. This will happen to every industry as IoT applications become affordable.

Supply chain vulnerabilities are growing. The attacks that can harm commerce through ports include “meaconing” (sending fake GPS signals to route a ship incorrectly); ransomware, which can cripple the software managing the loading and unloading of ships and trucks; and corruption of container loading stowage software to make ships unbalanced. Since each port in the world is different, mitigating these attacks will require detailed analysis of each port and will yield different recommendations.

Critical infrastructure is less vulnerable today than it was 20 years ago, but its protection is still far from adequate. We have identified the potential target areas, and we have some sense of what has to happen to reduce the consequences of an attack. But we do not have the regulatory mandate to drive compliance, and voluntary measures have not worked and will not work. There is much that needs to be done.

References:

  • Presidential Decision Directive 63, https://fas.org/irp/offdocs/pdd/pdd-63.htm
  • US-CERT, https://www.us-cert.gov/Government-Collaboration-Groups-and-Efforts
  • Cryptogram, Bruce Schneier, Sept 15 2018, https://www.schneier.com/crypto-gram/

What do you think? Let me know by commenting below, or reach me @WilliamMalikTM.
