The start of 2016 has seen a dramatic rise in cyber-attacks targeted at the infrastructure that runs our daily lives. These included the first known power outage caused by a cyber-attack, which occurred in Ukraine, and a Californian hospital that was effectively shut down when hackers locked staff out of its computer systems.
This shift has proven that critical national infrastructure (CNI) is not immune to cyber-attacks. What has changed? Why have the stakes increased? The reasons can be summed up in three industry trends:
- The rise of the Internet of Things (IoT)
- The abundance of data
- Criminals becoming more cyber-aware
The Rise of the IoT
CNI often relies on Industrial Control Systems (ICS) and Building Management Systems (BMS) to run effectively. These systems integrate and simplify heating, air conditioning, lighting, CCTV, lifts, access and perimeter security. To further develop their capability, centralized control and monitoring functions were built in, requiring connections to corporate IT networks, wireless networks or directly to the internet.
The result? Hackers who gain access to an organization's networks can also often reach the ICS and BMS connected to them, allowing them to do huge amounts of damage.
Doing this is increasingly easy. Vendors are riding the crest of the IoT wave and developing newer devices with increased connectivity. Vulnerable BMS are now prevalent in organizations including hospitals, airports, sports stadiums and government departments. Would a hospital with no lighting be able to treat patients? How would a business operate if its staff could not access its building?
An Abundance of Data
More data at governmental, corporate and individual levels is made public as we move towards a culture of transparency. Coupled with sensitive data, such as personnel records stored on connected networks, it gives rise to increased opportunities for unskilled criminals to undertake sophisticated attacks. By aggregating data from different sources, criminals can develop a picture of an individual or organization not possible several years ago.
This data pool is only getting larger, especially in the CNI space, as requirements in the UK for government buildings to make Building Information Modelling data publicly available are introduced.
Attack routes and how to close them
When complex BMS are plugged straight into networks, numerous security layers are bypassed. The systems may then be reachable through public Wi-Fi or even accessed physically, often with default passwords still left in place.
Yet there are solutions. Erosion of isolation can be minimized with a number of methods, ranging from improving the network security that connects the BMS to more management-focused solutions, like ensuring staff working with BMS understand the cybersecurity required.
Such training will help mitigate cyber-attacks due to human error. Ensuring staff have knowledge of the risks of using unknown IT equipment is a critical first step, while improved audit logging can highlight weaknesses in behavior and show where improvements can be made, beefing up BMS security in the long term.
Convenience is often a driver behind such staff behavior. Pressures create environments where work must be achieved quickly, relegating other concerns and resulting in lax security. To counter this, work protocols are key. Audit logging is one example, but protocols can cover a broad range of areas, from physical access to a BMS to the creation of new network access profiles. Again, control is paramount; understanding each process allows any untoward user to be spotted and the threat contained or eliminated.
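As an added illustration of the audit-log review described above (example code written for this page, not from the original article or any BMS vendor), the script below parses constructed BMS audit records and flags the three behaviours the article names as weaknesses: use of vendor default accounts, access from the guest Wi-Fi range instead of the management network, and setpoint changes outside an agreed change window. The log format, account names, subnets and change window are assumptions.

```python
import ipaddress
import re
from datetime import datetime
# Constructed BMS audit log lines (syslog-style) for this example; not from any real system.
SAMPLE_LOG = """\
2016-03-01T02:14:07 bms-core login user=admin src=10.20.5.17 result=success
2016-03-01T09:02:41 bms-core login user=fm_jsmith src=10.20.5.22 result=success
2016-03-01T09:05:12 bms-core setpoint user=fm_jsmith src=10.20.5.22 target=AHU-3 value=21.0
2016-03-01T12:31:55 bms-core login user=fm_jsmith src=192.168.100.44 result=success
2016-03-01T23:48:03 bms-core setpoint user=service src=10.20.5.90 target=CHILLER-1 value=4.0
"""
# Assumed site policy (placeholder values chosen for the example).
DEFAULT_ACCOUNTS = {"admin", "service", "root"}            # vendor default names that should be gone
MANAGEMENT_NET = ipaddress.ip_network("10.20.5.0/24")      # where BMS operators are expected from
GUEST_WIFI_NET = ipaddress.ip_network("192.168.100.0/24")  # public / guest Wi-Fi range
CHANGE_WINDOW = (8, 18)                                    # hours in which setpoint changes are expected

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse_line(line):
    """Parse one audit line into a dict of fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())  # user=..., src=..., target=...
    return rec

def review_record(rec):
    """Return the policy findings for one parsed record (empty list if clean)."""
    findings = []
    src = ipaddress.ip_address(rec["src"])
    if rec["user"] in DEFAULT_ACCOUNTS:
        findings.append(f"default account '{rec['user']}' used")
    if src in GUEST_WIFI_NET:
        findings.append(f"access from guest Wi-Fi ({src})")
    elif src not in MANAGEMENT_NET:
        findings.append(f"access from outside the management network ({src})")
    if rec["event"] == "setpoint" and not CHANGE_WINDOW[0] <= rec["ts"].hour < CHANGE_WINDOW[1]:
        findings.append(f"setpoint change on {rec['target']} outside the change window")
    return findings

def review_log(text):
    """Map 1-based line numbers to their findings; only flagged lines are included."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec and review_record(rec):
            report[n] = review_record(rec)
    return report
```

Run against the sample, lines 1, 4 and 5 are flagged while the daytime operator activity on lines 2 and 3 passes, which is the kind of behavioural weakness the article says audit logging should surface.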
Control over access leads us on to what is often the most troublesome attack route: vendor backdoors. These are gaps in software that allow control of a system via something other than the official access points. A main solution to this is collaborating with external partners and helping them to increase their level of security governance through appropriate certification (e.g. Cyber Essentials, ISO 27001 etc.); as mentioned, those who design BMS software are not security experts. Work with them to understand the security requirements, and if they cannot build the appropriate levels of security required, someone else should.
It is very unlikely we have seen the last CNI or BMS attack. The continued interconnectedness of our world means these attacks will become ever more common. Consequences can be severe, but with the appropriate intelligence and levels of security, they can be mitigated just like any other security threat.
All that is required is an understanding of the attack vectors and how these can be closed or minimized. So while we are entering a new realm of cyber-threat, the reaction to it should be the same: use threat intelligence, control the risks and mitigate them.