
When even a nation state’s power grid falls victim to a cyberattack, it is time for the critical infrastructure sector to prioritize cybersecurity.
The attack on the Ukrainian power grid that left more than 200,000 people without power for hours in December 2015 achieved just that, and attacks continue to occur.
Today, the protection of critical infrastructures has become a major focus for the cybersecurity industry. This sector is unique because of the potential life-threatening consequences of an attack, and the difficulty involved in securing legacy systems against increasingly sophisticated attackers.
“It is the perfect storm of high connectivity and high-risk new technologies mixed in with these very old systems that puts the industrial environment in a uniquely challenging position,” says Andrew Tsonchev, Director of Technology at Darktrace Industrial, an arm of Darktrace, a billion-dollar cybersecurity startup.
Hackers have adapted their methods to specifically target infrastructure, while certain nations have realized that sponsoring cyberattacks on industrial organizations is just another nefarious tool in the geopolitics game.
“Things have changed over the last few years,” says Uwe Blöcher, Senior Principal, IT Security at Siemens. “The attackers know very well how critical infrastructures work and what protocols are used. We see more and more attacks that very specifically address industrial-specific communication protocols.”
In addition, the proliferation of connected devices and the Internet of Things (IoT) within critical infrastructure means there is a bleed-over of the day-to-day attacks that target IT systems. Although it has disappeared from the news agenda, the WannaCry ransomware attack is still hitting large organizations on a weekly basis.
In this extremely challenging environment, it is vital that organizations implement a robust defense strategy. One of the keys to achieving this is a concept known as “defense in depth”—not a new concept in the security industry.
“As a defense strategy, it goes back to Medieval times, where you had to defend your castle,” explains Henning Rudolf, Head of Plant Security Services at Siemens. The strategy involves multiple layers of defense to ensure an attack has many obstacles to overcome in order to achieve its ultimate objective.
Siemens’ defense-in-depth strategy for critical infrastructure involves three key layers. The inner circle concentrates on system integrity, which includes the built-in security functionalities of a product. This is reinforced by a middle layer focused on network security, while the outer layer is plant security, which comprises organizational and physical access measures.
“Aim to keep the crown jewels at the deepest level, so you have the most protection of those systems,” says Justin Lowe, digital trust and cybersecurity expert at PA Consulting. The defense-in-depth strategy is advised by security experts at the management consultancy, which has made it part of its core guidance for the U.K.-based Centre for the Protection of National Infrastructure.
The defense-in-depth approach is complemented by a concept known as “security by design”. Business is now well-versed in the “by design” concept following the implementation of the EU-wide GDPR’s “privacy by design” requirement in May 2016, which requires that privacy considerations for a new product or service be taken into account from the design phase, rather than being an afterthought at the end of the build.
Now, there is a push to take the concept to the next level through the implementation of “secure by default.”
“The point is that as soon as a device comes out of its box, and before you plug it in, it should be secure,” says Lowe. “It is also about making sure it remains secure and asking how long the device will be supported. There is a call for manufacturers and suppliers to follow the secure-by-design and -default method, and the biggest thing for anyone buying these products is to ask security questions about how it is secure.”
Lowe argues that if key questions are asked from the outset, then “security will end up being baked in very quickly.” However, it is not enough to only view cybersecurity through a technical lens. The human element cannot be stressed enough.
“Quite often there is no responsible person, no clear budget and no clear process [for organizational cybersecurity],” says Rudolf. “You first need to do the homework and define a clear responsibility structure.”
Siemens has gained insight into how to keep other organizations safe from attack through its experience securing its own 300 factories. It is currently restructuring its 1,100-strong cybersecurity workforce to bolster its internal defenses.
“Clear lines of responsibility will make it easier to implement improvements quicker in protecting our own IT infrastructure,” says Roland Busch, Chief Technology Officer and soon-to-be Chief Operating Officer at Siemens. “That will enable us to defend ourselves even more effectively against future attacks.
“We can provide our operating businesses with support from a single source, to help make their own cybersecurity products and services a success. And we can target young talents more effectively, because a strong, focused unit will be more attractive to them.”
Siemens’ aim when building its suite of cybersecurity products and services has been to ensure that they are easy for plant engineers to use, because it does not believe everyone should have to be an expert in security to use such products.
“In many critical infrastructure industries, safety is now second nature and is built in, and you don’t need to think about it because it is there by default. That is the sort of thing we need to try and get to with security culture,” says Lowe.
The development of an effective organizational security structure helps deliver this goal. “There is the principle of least privilege, where certain functions are only accessible by the people who need to access them, and not by everyone,” explains Blöcher.
But even with all the right measures in place, it is a commonly held belief in the cybersecurity industry that it is impossible to ever be perfectly secure.
“Whenever someone is claiming to sell 100 percent security, they are probably selling you snake oil,” says Rudolf.
For instance, an isolated system can be breached by “breaking the air gap.” “The traditional way of protecting high-value critical systems is by putting in place an ‘air gap’ so there is no network connection between them,” explains Lowe. “But you can overcome it through things like USB drives that need to be used to transfer data and updates to and from those systems.”
Legacy systems in the industrial sector can be up to 40 years old, and as a result they cannot be kept secure simply by patching or updating them in a similar manner to modern IT systems. Attempts to patch such systems also run a greater risk of disrupting critical systems, with potentially devastating consequences.
Nevertheless, it is still possible to innovate when developing products and measures to protect legacy systems. One such example is a data-capture unit created by Siemens that effectively separates the network of the legacy equipment from other parts of the network, but still allows it to communicate securely with the outside network; this one-way gateway allows data to go from the legacy system to the other network, but makes it impossible for the second network to communicate with the first.
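As an added illustration (not Siemens’ data-capture unit, whose internals the article does not describe), the Python model below shows the policy a one-way gateway enforces and a consequence the paragraph leaves implicit: with no return channel, the receiving side can neither acknowledge nor request retransmission, so it can only detect lost frames through sequence numbers and raise an alert. The `Frame`, `OneWayGateway` and `simulate` names and the sample traffic are constructed for this example.

```python
"""Model of a one-way (data-diode style) gateway between a legacy OT network
and an outside network. Constructed example, not any vendor's product."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Frame:
    src_side: str   # "legacy" or "outside"
    seq: int        # sender-side sequence number
    payload: bytes


@dataclass
class OneWayGateway:
    allowed_src: str = "legacy"  # only this side may send through the gateway
    delivered: List[Frame] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)
    _expected_seq: int = 0

    def ingress(self, frame: Frame) -> bool:
        # A hardware diode enforces direction physically; here it is a policy check.
        # Anything arriving from the outside side is dropped and logged for detection.
        if frame.src_side != self.allowed_src:
            self.audit_log.append(
                f"DROP reverse-direction frame from {frame.src_side} seq={frame.seq}")
            return False
        # No return path exists, so the receiver cannot ask for a retransmission.
        # The only loss signal available is a gap in the sequence numbers.
        if frame.seq != self._expected_seq:
            self.audit_log.append(f"GAP expected={self._expected_seq} got={frame.seq}")
        self._expected_seq = frame.seq + 1
        self.delivered.append(frame)
        return True

    def request_ack(self) -> None:
        # Deliberately impossible: nothing can flow back toward the legacy side.
        raise RuntimeError("no return channel through a one-way gateway")


def simulate() -> Tuple[int, int, int]:
    """Run constructed traffic through the gateway; returns (delivered, dropped, gaps)."""
    gw = OneWayGateway()
    traffic = [
        Frame("legacy", 0, b"temp=61.2"),
        Frame("legacy", 1, b"temp=61.4"),
        Frame("outside", 0, b"SET valve=open"),  # command pushed from the IT side
        Frame("legacy", 3, b"temp=61.9"),        # seq 2 was lost in transit
    ]
    for f in traffic:
        gw.ingress(f)
    dropped = sum(1 for e in gw.audit_log if e.startswith("DROP"))
    gaps = sum(1 for e in gw.audit_log if e.startswith("GAP"))
    return len(gw.delivered), dropped, gaps
```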
Many organizations are understandably guilty of focusing too much on the protection side of the equation and not enough on the detection and response aspects of cybersecurity. Since a security system can never be 100 percent secure, it is dangerous to not invest sufficient time and effort in detection and response.
“Often people say, ‘I already have a business continuity plan,’ or, ‘We already have a crisis management plan,’” says Lowe. “But actually, those don’t necessarily deal with cyber events. They may help deal with the output of the events, but there is actually quite a lot more that organizations need to do from a cyber perspective.”
When developing a defense-in-depth strategy, it is key to take a step back to consider the full end-to-end system, and to make sure it is flexible enough to adapt to multiple environments.
“We believe that there is no silver bullet. There is no one single security measure that on its own will protect you in a sufficient way, but it is about the right combination of these measures—that is why it is so important to understand the security needs of a customer,” concludes Rudolf.
Even though there is no silver bullet, it is crucial that critical infrastructure organizations invest substantial and sufficient resources into timely cybersecurity products and services. The very nature of the services these organizations provide means failure could be a matter of life and death. There are no higher stakes on the cybersecurity battlefield.
Written by Matthew Chapman, for Bloomberg Media Studios.