Ori Eisen is the CEO of Trusona.
Critical infrastructure has become a prime target of global cyberattacks because the indispensable services it provides citizens make any disturbance highly disruptive.
Look at what happened just last week, when hospitals and railway stations were targets of a massive malware attack called WannaCry. And this isn’t the first time. Recently, major U.S. cities experienced power outages that immediately drove a false scare of the kind of cyber-tampering with power grids predicted by Ted Koppel. Last month, Dallas’ emergency sirens were hacked, setting off 156 sirens for 40 minutes.
And this isn’t a new trend: A dam north of New York was targeted by the Iranian government in 2013. While, to date, these attacks were more of a nuisance than a catastrophe, they speak to larger shortcomings of critical infrastructure security.
Here are precautions that need to be taken to secure the unique needs of critical infrastructure services:
1. Secure social media access points.
Many critical infrastructure organizations leverage social media. Although it is a helpful tool that allows the organization to easily and quickly reach out to a larger audience to update it with vital information, it is also a huge vulnerability. Social media accounts can very easily be hacked. Just look at how frequently brands, celebrities and media have to apologize for inappropriate tweets they did not send.
While this is a headache for some companies, it can be disastrous for critical infrastructure. These organizations need to invest in extra precautions to ensure only the appropriate and approved person is sending that tweet, so as not to cause any mass hysteria. In fact, in 2013 a fake tweet on the AP Twitter account about a bomb in the White House sent the market tumbling until it was proved a hoax.
2. Curb low-tech social engineering.
Other easy access points critical infrastructure organizations need to look out for include internal positions that can be easily socially engineered. For example, hackers may pose as a repairman or get a receptionist to answer questions that appear harmless but might be the answer to an executive’s security question.
While this might remind you of a spy thriller, it happens and should be a major concern. Security consultant Kevin Mitnick and his team have made a career out of identifying this weakness, and he has found every single company has it. Significant care needs to be taken in verifying the identity of everyone who interacts with critical infrastructure, both online and in person.
3. Do away with passwords.
Critical infrastructure must stop relying on static passwords. Every day, I read about another organization that has been hacked, making personal information, usernames and passwords public. While many of these hacks target consumers, they pose a bigger threat to critical infrastructures.
Passwords are static and can easily be stolen, compromised and replayed by malware, or used by someone else. They are far too risky and are not secure enough to safeguard any organization our citizens depend on. Instead, these organizations should be utilizing stronger solutions based on dynamic passwords and anti-replay technology, in order to prove with 100 percent certainty who is on the other end of an online transaction.
4. Increase security standards.
Security sufficient for most businesses is not necessarily sufficient for nuclear power plants, water supply, dams or the electrical grid. Critical Infrastructure and Key Resource, or CIKR, must exceed National Institute of Standards and Technology Level 4.
While Level 4 is the highest assurance level, it does not go far enough. We need to go beyond a cryptographic token and must also be able to prevent malware and session replay attacks. That is the only way we can make sure all critical infrastructure is protected.
Securing critical infrastructure is a chief concern for cybersecurity professionals, many of whom have already called on the current administration to develop a stricter plan to address these insecurities. The above steps are only a few precautions, but as security professionals, we will need to remain on our toes in order to continually address the changing landscape that cyber crime poses to our well-being.