Hello Internet

Hello Internet

Acknowledging the role of the end user in critical infrastructure security

In 1999, I moved out of my parents’ house in California to take a job with an Internet company in Virginia. The move was a big deal—as was the job. The company I was crossing the country to work for was special because (at the time) it moved 80 percent of the world’s Internet traffic.

It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.

It Started Here

The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like World- Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I remember them.”

During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre- 9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.

In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.

One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.

From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.

Social Engineering and Critical Infrastructure: An Elevated Threat

Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer- term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.

The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.

As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.

In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple methods combined together to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.

In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.

In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.

So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.

Elevate Your Security Awareness Training to Match the Threat

With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.

A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).

The fact is much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.

Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors and reduce risk.

This article originally appeared in the August 2016 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3