Hello Internet
Acknowledging the role of the end user in critical infrastructure security
- By Trevor Hawthorn
- Aug 01, 2016
In 1999, I moved out of my parents’ house in California to take a job with an Internet company in Virginia. The move was a big deal—as was the job. The company I was crossing the country to work for was special because (at the time) it moved 80 percent of the world’s Internet traffic.

It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.
It Started Here
The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like WorldCom, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes, UUNET, AS701. I remember them.”
During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre-9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.
In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.
One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.
From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: social engineering, and more specifically, phishing.
Social Engineering and Critical Infrastructure: An Elevated Threat
Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer-term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.
The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, there is a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.
As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.
In targeted attack scenarios, we’ve seen a wide variety of social engineering techniques used, as well as multiple methods combined to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people, or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.
In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.
In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.
So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: the impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.
Elevate Your Security Awareness Training to Match the Threat
With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.
A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).
The fact is, much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks in her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.
Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors, and reduce risk.
This article originally appeared in the August 2016 issue of Security Today.