CNI operators must focus on core issues

by Joseph K. Clark

This month I am writing about the threats and associated risks faced by computerized industrial systems and other control technology, particularly given the recently publicized attacks on critical national infrastructure (CNI), for example at the Oldsmar, Florida water treatment plant. Those threats could emanate from internet-based hacking activity, social engineering (for example, a spear-phishing email that releases malware), a call from someone masquerading as “IT support”, a USB stick left in the car park or reception area, or insider activity, such as an employee with a gambling or drug problem. These threats are, of course, uninvited intrusions into an organization’s IT systems and infrastructure, which, in turn, could give access to industrial control systems (ICS) – robots on a production line, for example.

The obvious risks are to an organization’s reputation and regulatory fines for customer data loss. But such attacks can also significantly disrupt a company’s production facility; for example, subtle changes to the operation of production-line robots may, in turn, affect product quality. And there are parallels between the disruption of parts of the CNI, say electricity or the banking system, and the disruption of a production facility.

CNI operators

What can an organization do to protect itself? First up are the bread-and-butter issues of maintaining software to the latest supported releases and ensuring that security patches are applied promptly. This statement applies to the control technology and the whole IT infrastructure, from the interfaces to any external networks (firewalls, routers, and so forth) to the network Ethernet switches, load balancers, application servers, printers, and so on.

It should not be forgotten that many systems and infrastructure components now utilize virtualization techniques. Hence, any virtualization software needs to be maintained as much as any server or application software. Don’t neglect the BIOS (basic input/output system) in your various systems or the firmware that drives many infrastructure-attached devices, such as video cameras, building access control, printers, and air-handling equipment. These areas need maintenance just as much as the rest of your IT infrastructure.

Add to that staff skills maintenance (training, education, and awareness). What else can a CNI owner do besides this work? Not in any priority order, I suggest:

  • Regular health checks of the IT infrastructure and all the attached components (similar to penetration testing and often carried out simultaneously).
  • Regular penetration testing of all external network interfaces, not just the internet connection.
  • Depending on a company’s size and IT complexity, run a security information and event management (SIEM) or security orchestration, automation and response (SOAR) system to identify anomalous events that could be a precursor to a security incident. Read, study, and understand the output of these systems – it could be a lifesaver.
  • Ensure that all staff and contractors in an organization and all directors (both executive and non-executive) are given regular security awareness briefings.
  • Ensure that a company’s top management understands the importance of good security, supports it, and promulgates it throughout the organization.
  • Get the business’s help in putting together IT and IT security budgets. It’s no good saying you need “x” pounds to do the significant “y” project – you need to be able to articulate what the project does in business terms and, equally, if not more importantly, the potential costs of not doing the task.

To quote Mark Twain: “It is easier to fool people than to convince them that they have been fooled.” Apply this to an organization and its security. The board and senior management must 100% support good, well-funded security. Without it, the organization’s future can be at stake.
