Hello Internet

Hello Internet

Acknowledging the role of the end user in critical infrastructure security

In 1999, I moved out of my parents’ house in California to take a job with an Internet company in Virginia. The move was a big deal—as was the job. The company I was crossing the country to work for was special because (at the time) it moved 80 percent of the world’s Internet traffic.

It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.

It Started Here

The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like World- Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I remember them.”

During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre- 9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.

In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.

One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.

From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.

Social Engineering and Critical Infrastructure: An Elevated Threat

Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer- term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.

The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.

As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.

In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple methods combined together to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.

In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.

In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.

So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.

Elevate Your Security Awareness Training to Match the Threat

With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.

A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).

The fact is much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.

Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors and reduce risk.

This article originally appeared in the August 2016 issue of Security Today.


  • ASIS International and SIA Release “Complexities in the Global Security Market: 2024 Through 2026”

    ASIS International and the Security Industry Association (SIA) – the leading security associations for the security industry – have released ”Complexities in the Global Security Market: 2024 Through 2026”, a new research report that provides insights into the equipment, technologies, and employment of the global security industry, including regional market breakouts. SIA and ASIS partnered with global analytics and advisory firm Omdia to complete the research. Read Now

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

  • ASIS Announces ANSI-Approved Cannabis Security Standard

    ASIS International, a leading authority in security standards and guidelines, proudly announces the release of a pioneering American National Standards Institute (ANSI)-approved standard dedicated to cannabis security. This best-in-class standard, meticulously developed by industry experts, sets a new benchmark by providing comprehensive requirements and guidance for the design, implementation, monitoring, evaluation, and maintenance of a cannabis security program. Read Now

Featured Cybersecurity


New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3