Hello Internet

Hello Internet

Acknowledging the role of the end user in critical infrastructure security

  • By Trevor Hawthorn
  • Aug 01, 2016

In 1999, I moved out of my parents’ house in California to take a job with an Internet company in Virginia. The move was a big deal—as was the job. The company I was crossing the country to work for was special because (at the time) it moved 80 percent of the world’s Internet traffic.

It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.

It Started Here

The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like World- Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I remember them.”

During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre- 9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.

In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.

One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.

From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.

Social Engineering and Critical Infrastructure: An Elevated Threat

Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer- term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.

The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.

As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.

In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple methods combined together to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.

In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.

In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.

So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.

Elevate Your Security Awareness Training to Match the Threat

With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.

A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).

The fact is much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.

Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors and reduce risk.

This article originally appeared in the August 2016 issue of Security Today.

Featured

  • AI to Help Resolve Non-Emergency Calls Across Utah and Decrease 911 Caller Wait Times

    The Utah Communications Authority (UCA), which oversees the state’s next generation 911 technology services, recently announced that public safety answering points (PSAPs) throughout the state plan to implement Motorola Solutions’ Virtual Response technology to automate the receipt and resolution of 10-digit non-emergency line calls in Utah with the help of AI. Read Now

  • Report Reveals Local Governments Face Surge in Ransomware Attacks with Minimal Resources

    KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, recently released new research highlighting the critical cybersecurity challenges facing state, local, tribal, and territorial (SLTT) governments. The report details how government organizations have become prime targets for cybercriminals while simultaneously facing severe resource constraints. Read Now

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

Most   Popular

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.