
Securing the Devices That Underpin Our Critical Infrastructure

Securing the nation’s Critical National Infrastructure (CNI) is no easy task. Encompassing everything from our electricity and water supply, power plants and emergency services through to our transportation facilities, these are the systems that keep the proverbial wheels of the nation turning. Because of their criticality, it is imperative that they are protected not only against physical threats but also against the risks that come from the cyber world.

For the security practitioners responsible for CNI, the focus is on ensuring the business is protected from both external and internal cyber attacks, and that no incident leaves business-critical data vulnerable to theft, compromise or exfiltration. Moreover, when it comes to supervisory control and data acquisition (SCADA) and other CNI systems, the security, or lack of it, could result in a life-or-death situation.

Take, for example, the recent incident in Oldsmar, Florida, where a hacker attempted to poison the water supply by raising the sodium hydroxide level to a lethal concentration, using a remote access solution that gave the hacker control of an operator’s machine. The attempt, which was fortunately spotted before any harm could be done, highlights the threat these facilities face.

Bridging the digital divide

The challenge in securing CNI can be boiled down to the fact that many of these systems were never designed to be connected to the Internet or integrated with a slew of other solutions and devices. Built on legacy technology, they ran standalone, separate from the rest of the network, and relied on air gapping as the primary defence. With no connection to the wider Internet, there was no way for a hacker to interfere without physically accessing the machinery.

Yet this changed as organisations undertook digital transformation projects and, with the pandemic, faced an increased need for remote working solutions that encourage workers to connect to systems from anywhere, at any time.

Due to this rapid digitalisation, many CNI systems have become vulnerable to cyber attack. At the end of 2020 we conducted research to see how big a threat these connected, yet unprotected, SCADA and IoT-related devices really are.

Assessing the scale of the threat

What was evident was the sheer scale of critical devices that were open to potential attack due to a lack of security controls. We conducted a search on Shodan, a search engine that indexes Internet-connected devices, to find visible connected devices, and specifically focused on six groups of devices using SCADA protocols.

Despite a number of high-profile attacks on SCADA systems, we discovered 43,546 unprotected devices online. The majority of these were using protocols produced by Tridium (15,706) and BACnet (12,648). The rest consisted of protocols from EtherNet/IP (7,237); Modbus (5,958); S7 (1,480) and DNP (517).

There was some evidence that Modbus and S7 are being taken more seriously from a security perspective. The reason for this? Modbus and S7 are both mature technologies that have demonstrated continuous improvement to their security posture – perhaps as the result of many years in the public eye. However, other SCADA protocols do not appear to have made any concessions to cyber security.

Delving further into the findings revealed that the United States topped the table in terms of the biggest attack surface with a total of 25,523 unprotected devices. Others high up the list of the top ten countries with unprotected devices included Canada as well as European countries such as Spain, Germany, France, and the UK. The majority of the devices found in the UK were Tridium devices of which there were 583.

How can we plug the security gap?

Taking a proactive approach to CNI security is imperative, but the first mistake security teams make is assuming they can clone their existing IT security strategy and implement it in exactly the same way. This will not work. Instead, the security team needs to develop a specific security strategy that encompasses all of the Operational Technology (OT) elements and works alongside the IT security strategy, while also accounting for the specialist nature of, and the differences between, the associated systems and technology.

The best place to start is ensuring the organisation has full visibility of the entire network, infrastructure and assets that are within and connected to the business. Without this, vulnerabilities are missed and provide a hacker with a clear route into the network. The importance of mapping the network and keeping a live, continuously updated list of active and dormant assets should not be underestimated. This asset inventory must be maintained as the infrastructure develops and grows, so that new vulnerabilities are tracked as they appear.

Secondly, the importance of having a proper, secure infrastructure cannot be overstated. These critical SCADA, IoT and CNI-related devices should be isolated from the company’s general IT network, usually behind a second firewall. The idea is that the networks are “separate but together”, not just one big network. Continuous security monitoring of the network and environment is critical.

Finally, the networks need continuous improvement. Firmware patches should be applied to firewalls and switches as soon as possible after testing, with perimeter devices (such as firewalls or machines exposed to the Internet) as the priority. Strong internal controls should be applied to restrict traffic that might not be trusted, and networks should always follow the principle of least privilege, not only for devices but for users as well.
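To make the three steps above concrete, and to show how the per-protocol tally from the survey findings can be reproduced against an organisation's own assets, here is an added Python example (not code from the original article or its authors). It reconciles a constructed asset inventory with observed services, counts them by the six protocol families named in the findings, and flags Internet-exposed devices, devices sitting outside the OT segment, and devices missing from the inventory. The default port numbers, address ranges, vantage labels and all sample data are assumptions for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
# Well-known default ports of the six protocol families counted in the article.
# Assumption: a service on one of these ports speaks that protocol; a real audit
# would confirm this with a protocol-level check rather than the port alone.
PROTOCOL_PORTS = {1911: "Tridium", 4911: "Tridium",   # Niagara Fox / Fox-TLS
                  47808: "BACnet", 44818: "EtherNet/IP", 2222: "EtherNet/IP",
                  502: "Modbus", 102: "S7",            # S7comm rides on ISO-TSAP
                  20000: "DNP3"}
# Constructed OT segments meant to sit behind the second firewall, and the
# constructed asset inventory the OT team maintains. All addresses are hypothetical.
OT_NETWORKS = [ip_network("10.50.0.0/16"), ip_network("192.168.200.0/24")]
INVENTORY = {"10.50.1.10", "10.50.1.11", "192.168.200.5"}
# Constructed observations (vantage, ip, port): "external" rows from an authorised
# scan of the organisation's own public ranges, "internal" rows from an OT sensor.
OBSERVED = [("internal", "10.50.1.10", 502),
            ("internal", "10.50.1.11", 102),
            ("internal", "192.168.200.5", 47808),
            ("external", "203.0.113.7", 1911),   # Tridium reachable from the Internet
            ("internal", "10.50.9.40", 20000),   # on the OT range, not in the inventory
            ("internal", "10.10.3.3", 502),      # Modbus sitting on the corporate IT range
            ("internal", "10.50.1.10", 22)]      # not a SCADA port: ignored

def classify(vantage, ip, port):
    """Return (protocol, finding), or None when the port is not a SCADA default."""
    proto = PROTOCOL_PORTS.get(port)
    if proto is None:
        return None
    if vantage == "external":
        finding = "internet_exposed"      # isolate behind the OT firewall
    elif not any(ip_address(ip) in net for net in OT_NETWORKS):
        finding = "outside_ot_segment"    # segmentation gap: IT and OT mixed
    elif ip not in INVENTORY:
        finding = "not_in_inventory"      # visibility gap: inventory is stale
    else:
        finding = "ok"
    return proto, finding

def audit(observed):
    """Tally SCADA services per protocol and collect every non-ok finding."""
    per_protocol, issues = Counter(), []
    for vantage, ip, port in observed:
        result = classify(vantage, ip, port)
        if result is None:
            continue
        proto, finding = result
        per_protocol[proto] += 1
        if finding != "ok":
            issues.append((ip, port, proto, finding))
    return per_protocol, issues
```

Running `audit(OBSERVED)` on the constructed data yields six SCADA services across five protocol families and three findings, one of each kind the text warns about.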

Establishing full visibility and control of all Internet-connected devices and networks is key as technology continues to become more digitally intertwined to accommodate the change in working practices. This is a global problem, and one which threat actors will continue to pressure test and launch targeted attacks against. Knowing what they have, and where, means security teams will be much better informed and equipped to identify and mitigate cyber threats that seek to cause havoc to the foundations of a nation.