Keep both critical infrastructure and security top of mind
Hackers involved in terrorism and cyber-warfare are increasingly attacking industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
"At stake is not only financial loss and brand reputation, but also national security and even people's lives," says Anton Jacobsz, MD at Networks Unlimited, a value-added distributor of solutions within the converged technology, data centre, networking, and security landscapes throughout Africa.
"In this fast changing threat landscape we need to rethink security strategies to ensure the long-term sustainability of our businesses, systems and, most importantly, our society," he continues.
ICS are systems that control and monitor physical processes like the "transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society".
SCADA is the term used for the systems that are used to control physical equipment – such as in industries like power plants, oil and gas pipelines; at public facilities like metal detectors at airports; and even in private facilities – to control/monitor processes like heating, ventilation, energy consumption and more. It is estimated that 33 billion endpoints will be connected by 2020.
Ruchna Nigam, security researcher at Fortinet, the global leader in high performance cyber security solutions and a distribution partner of Networks Unlimited, says: "In recent years, the ICS upon which much of our critical infrastructure and manufacturing industry depends have come under increasingly frequent and sophisticated cyber attacks. In part, this is a consequence of the inevitable convergence of operational technology (OT) with information technology (IT). As in all spheres of computing, the advantages of increased network connectivity through open standards such as Ethernet and TCP/IP, as well as the cost savings derived from replacing dedicated proprietary equipment with off-the-shelf hardware and software, come at the cost of increased vulnerability."
One of the top challenges for organisations to secure ICS is the sophistication of today's cyber criminals, but industry-specific systems, regulations and practices are additional areas of concern.
"Most industrial control systems come from very different vendors and run proprietary operating systems, applications, and protocols, such as GE, Rockwell, DNP3 and Modbus," continues Nigam. "As a result, host-based security developed for IT is generally not available for ICS, and many network security controls developed for common enterprise applications and protocols do not offer much in the way of support for those used by ICS."
Nigam explains the following few security recommendations organisations can use to avoid making "cyber attacked" headlines:
* Beware of phishing e-mails: As convincing as a phishing e-mail might seem, good antivirus software could add another layer of security by warning about malicious attachments. Spear-phishing e-mails have been found, in practice, to be used in all attacks, making them as popular in the ICS world as they are in the enterprise world. To quote a related incident, a spear-phishing attack reported to the ICS-CERT involved attackers making use of a social media account to post as a prospective candidate for employment. Using this account, attackers managed to gather information such as the name of the company's IT manager and current versions of active software from employees of the critical infrastructure asset owner. Following this, employees were sent an e-mail with the supposed candidate's resume attached as 'resume.rar'. The attachment contained a piece of malware that successfully infected the employees' systems, but was fortunately prevented from spreading to or impacting control systems.
* Logging and regular network scanning: Logs are a great way of monitoring activity on systems, and help investigators put together the various pieces of the puzzle in the event of an incident. They can also serve as early detectors of infection. Log maintenance is highly recommended to ICS sysadmins for the same reason. Finally, regular network scanning is another security best practice that can serve as an early indicator of an infection.
"The good news is that, in recent years, the inherent problems and vulnerabilities of ICS have become more widely recognised, and first steps have now been taken to rectify them," points out Nigam.
One way this is occurring is through the help of government bodies such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US, and the Centre for Protection of National Infrastructure (CPNI) in the UK, both of which publish advice and guidance on security best practice for ICS.
"In South Africa there is a need for a regulatory board that
would consolidate our efforts to engage with global agencies and share best practices," says Jacobsz.
Another way is through the definition of common standards such as ISA/IEC-62443 (formerly ISA-99). Created by the International Society for Automation (ISA) as ISA-99, and later renumbered 62443 to align with the corresponding International Electro-Technical Commission (IEC) standards, these documents outline a comprehensive framework for the design, planning, integration, and management of secure ICS.
"Apart from standardisation, security vendors have begun to step up to the challenge of securing critical infrastructures. Fortinet's own solution, for example, Rugged, has been designed to address the challenges unique to these ICS systems, brought upon by industry-specific systems, regulations and practices, environmental conditions and distributed, remote locations."
In our interconnected world it is not possible today to simply stay off the public Internet in order to stay safe, making key security strategies a must.
As Fortinet's director of Products and Solutions – Enterprise Security, Daniel Cole, concludes: "The reality is that as we transition to a digital economy, critical infrastructures will become increasingly vulnerable. Expanded attack surfaces, new applications and devices, and the need to dynamically share critical information simply expands exposure to risk. Those industries that are essential to the health and wellbeing of both people and national economies have got to step up and address this challenge. Lives actually depend on it."