Hello Internet

Hello Internet

Acknowledging the role of the end user in critical infrastructure security

In 1999, I moved out of my parents’ house in California to take a job with an Internet company in Virginia. The move was a big deal—as was the job. The company I was crossing the country to work for was special because (at the time) it moved 80 percent of the world’s Internet traffic.

It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.

It Started Here

The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like World- Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I remember them.”

During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre- 9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.

In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.

One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.

From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.

Social Engineering and Critical Infrastructure: An Elevated Threat

Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer- term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.

The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.

As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.

In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple methods combined together to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.

In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.

In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.

So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.

Elevate Your Security Awareness Training to Match the Threat

With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.

A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).

The fact is much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.

Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors and reduce risk.

This article originally appeared in the August 2016 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.