Back to square one – ground-up CNI protection

by Joseph K. Clark

Similar response patterns can be seen repeatedly in the wake of successful or thwarted security incidents that have made the news. More so regarding state infrastructures, critical systems, or companies with global visibility, politicians demand stricter regulations and more robust audits, operators of these systems demand more money, and software suppliers present new and extended components from their range of security systems, often combined with new concepts and many three to five-letter abbreviations. But cyber security didn’t just start a few years ago; instead, technologies, ideas, and common-sense approaches to implementing those have existed in many cases for decades and have been successfully deployed in many organizations for just as long.

CNI protection

Indeed, better auditing and more money for cyber security (if used wisely) can help. But the root causes of the security incidents that have occurred in recent months reveal blatant conceptual weaknesses. It is by no means a matter of technically complex avoidance of highly sophisticated attack vectors; instead, it is often a matter of implementing the most basic security measures. Reportedly, access to the water treatment plant hacked in the US state of Florida was gained via an unmaintained operating system version (Windows 7) from Microsoft, which was not protected by a firewall. Remote maintenance software was left installed on this system, accessible on the basis of a username and password. The password in question was known to all employees.

This description of the overall circumstances almost sounds like an invitation to intrusion. Whether access was gained by guessing or trying out passwords, or by a malicious employee or ex-employee, is already irrelevant in such a case. This highlights that the most critical steps that need to be taken now to protect critical systems are the exact steps that should have been implemented comprehensively and continuously for years. While these steps are commonly applied in enterprises already, there is often still a need for action in critical national infrastructure (CNI) and its underlying operational technology (OT).

Safeguard from the ground up

Figuratively speaking, it is not primarily a matter of repainting the house and erecting yet another fence. Instead, it’s cleaning out the basement, securing the doors well, changing all the locks, and finally making appropriate use of the existing alarm systems that were purchased (and ignored) years ago. Employ a security guard service if necessary. Let’s start with the essential requirement that all software components, including the underlying operating system, are deployed in the latest version with all the required patches and are configured and operated securely. Protect all systems. Wherever reasonable, firewalls and appropriately granular network segmentation are mandatory for securing critical systems. This also includes identifying remote maintenance systems or instances of SSH access that are no longer in use or are only weakly protected.
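The basics listed above (supported and patched operating systems, host firewalls, no exposure to untrusted zones, no password-only or shared-credential remote maintenance, and stale SSH or remote-access accounts found and decommissioned) are exactly the kind of checks that can be run mechanically over an asset register rather than remembered by hand. The following is an added example, not code from the article or from any plant operator: a small rule-based audit over a constructed OT inventory. The record layout, field names, end-of-life list and the 90-day staleness threshold are all assumptions made for this example and would be replaced by an organisation's own register and policy.

```python
"""Rule-based hygiene audit over an OT asset register (added example).

Each inventory record is checked for the basic gaps the article describes:
unsupported OS, missing patches, no host firewall, reachability from an
untrusted zone, password-only or shared-credential remote access, and
remote access that has not been used for a long time.
"""
from datetime import date, timedelta

# Constructed asset register entries; field names are assumptions for this example.
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "pending_patches": 14, "firewall": False,
     "inbound_from": ["corporate", "internet"],
     "remote_access": [{"service": "remote-maintenance", "auth": "password",
                        "shared_credential": True, "last_used": "2021-01-20"}]},
    {"host": "eng-ws-02", "os": "Windows 10", "pending_patches": 0, "firewall": True,
     "inbound_from": ["corporate"],
     "remote_access": [{"service": "ssh", "auth": "key",
                        "shared_credential": False, "last_used": "2020-09-01"}]},
    {"host": "plc-gw-03", "os": "Linux", "pending_patches": 2, "firewall": True,
     "inbound_from": ["control"], "remote_access": []},
]

# Constructed end-of-life list; a real audit would take this from vendor lifecycle data.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
UNTRUSTED_ZONES = {"internet"}  # zones that must never reach a control-system host directly
STALE_DAYS = 90                 # remote access unused this long is a decommissioning candidate


def audit_host(rec, today):
    """Return a list of (code, detail) findings for one inventory record."""
    findings = []
    if rec["os"] in EOL_OS:
        findings.append(("EOL_OS", rec["os"]))
    if rec.get("pending_patches", 0) > 0:
        findings.append(("MISSING_PATCHES", f"{rec['pending_patches']} pending"))
    if not rec.get("firewall", False):
        findings.append(("NO_FIREWALL", ""))
    exposed = UNTRUSTED_ZONES.intersection(rec.get("inbound_from", []))
    if exposed:
        findings.append(("INTERNET_EXPOSED", ", ".join(sorted(exposed))))
    for ra in rec.get("remote_access", []):
        if ra["auth"] == "password":
            findings.append(("PASSWORD_ONLY_REMOTE_ACCESS", ra["service"]))
        if ra.get("shared_credential"):
            findings.append(("SHARED_CREDENTIAL", ra["service"]))
        last_used = date.fromisoformat(ra["last_used"])
        if today - last_used > timedelta(days=STALE_DAYS):
            findings.append(("STALE_REMOTE_ACCESS",
                             f"{ra['service']} unused since {ra['last_used']}"))
    return findings


def audit_inventory(inventory, today=None):
    """Map each host name to its list of findings (empty list means clean)."""
    today = today or date.today()
    return {rec["host"]: audit_host(rec, today) for rec in inventory}


def finding_codes(report, host):
    """Sorted finding codes for one host, convenient for tracking and tests."""
    return sorted(code for code, _ in report[host])


if __name__ == "__main__":
    # Fixed reference date so the staleness check is reproducible.
    report = audit_inventory(INVENTORY, today=date(2021, 3, 1))
    for host, findings in report.items():
        status = "OK" if not findings else "; ".join(f"{c} {d}".strip() for c, d in findings)
        print(f"{host:10} {status}")
```

The point of running this regularly rather than once is the last rule: an SSH key or remote-maintenance account that was legitimate when it was created becomes the unattended back door the article describes as soon as nobody uses or reviews it any more. The report is meant to feed a decommissioning or remediation list, not to replace segmentation design or patch management.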
