Securing Critical Infrastructure
Securing our Critical Infrastructure is an ongoing process that is a priority for both the public and private sector. The threats continue to evolve and gain in sophistication and impact on society in general.
Threat vectors will continue to evolve within cybersecurity, as will the targets. But there are basic pillars which remain constant in the protection of critical assets. Vulnerabilities consistently are exposed and remain the main avenue in which bad actors take advantage. However, if we can quickly identify the critical assets, vulnerabilities in the critical assets, and then the integrity of the critical assets, we can maintain steadfastness within an IT/OT environment, regardless of the evolution of the attacks.
There are four areas in which those who are responsible for critical infrastructure should be concerned, in order to reduce their attack surface: Identifying Critical Assets, Vulnerabilities within the Critical Assets, Anomalies, Activity Monitoring with Data, both Structured and Unstructured.
Identifying assets which are mission critical is a key component to a security strategy. How do you protect what you do not know? Critical assets are not only endpoints, but also applications which communicate to intelligent electronic devices, as well as databases, and device networks.
Vulnerabilities have the potential to reside in each of these digital interfaces. Additionally, detecting and remediating the vulnerabilities, is consider a challenge since critical infrastructure is built around a reliability and precision engineering real time model. Thus it is not uncommon to find unsupported operating systems communicating with Programmable Logic Controllers PLC, and Remote Terminal Units RTU.
Since patching vulnerability may destabilize a system, it is important as part of the security architecture to look at anomalies within the network infrastructure. Network anomaly detection should include flow data from network and application, as well as, infrastructure logs, user activity events, and physical access control logs. This gives the ability to alert in near real time any suspicious events, such as activity by a user that only works Monday thru Friday, from eight in the morning to five in the afternoon, who suddenly logs in on a Saturday. Flow data is important to capture because it cannot be erased. A malicious user can easily delete their electronic footprint by deleting logs, but not with flow data. Flow data is used for detection and forensic purposes, it can include layer 7 application content and combined with stateful inspection can be a powerful mitigating control which can be used to detect sophisticated attacks.
One often overlooked area from a security perspective is data, structured, and unstructured. A historian within SCADA simply collects data, as well as other databases, such as SAP which can all be part of critical infrastructure. Data activity monitoring of these databases is key in establishing another mitigating security control within a critical infrastructure.
Those charged with the responsibility to secure our critical infrastructure must remain vigil; continuously reevaluating the threats and the mitigating security controls, to ensure that we can continue to be safely Connected.