John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
As October began, I was pretty excited that the Homeland Security Department decided to expand its activities for National Cybersecurity Awareness Month. DHS has been supporting cybersecurity education and awareness activities as part of October’s activities since 2013 but only really started to promote and push the event over the past two years.
Most of the month has been focused on educating less tech-savvy members of the public on basic cybersecurity practices like making sure to have anti-virus tools installed on computers and to avoid clicking on suspicious links. That’s a worthy activity, but in terms of overall cybersecurity on a national scale, they saved the best for last. The last two days of October were devoted to the topic of protecting critical infrastructure, which includes things like electric utilities, water, sewer, highways, and also organizations like internet service providers, financial services, food distribution businesses and a few others.
I was slightly disappointed that only two days of the month were being devoted to what are arguably the most important topics in cybersecurity, until I learned that DHS is now going to segue that into a full month devoted to the subject. As we close out October's Cybersecurity Awareness Month, we move right into November, which has been named Critical Infrastructure Security and Resilience Month.
Perhaps because it is being held for November, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) assessment report for 2017 did not come out as part of this year's cybersecurity awareness month. Last year's report pointed out some fairly important areas where critical infrastructure cybersecurity needed to improve. The ICS-CERT report is a good snapshot of critical infrastructure health because it covers both government and private-sector operators, and because its findings come from a series of real, on-site assessments rather than surveys.
Last year, DHS really started to ramp up those assessments too, conducting over 130 using a few primary tools: the Network Architecture Verification and Validation (NAVV) evaluation, the Design Architecture Review (DAR) and the Cyber Security Evaluation Tool (CSET). CSET is a downloadable program that lets organizations working within critical infrastructure conduct a self-assessment against a range of cybersecurity standards. Because of these tools and the additional DHS resources allocated, the 2017 report is expected to cover a larger number of assessments, and thus a more representative sample.
Incidentally, any organization operating within a designated critical infrastructure sector can request that DHS assess them by sending an e-mail to ICS-CERT at email@example.com with “Assessment Request” in the subject line. Presumably, those results could be added to the pending 2017 report. Also, anyone can download the self-evaluation tool from ICS-CERT.
Last year, the report specifically detailed two disturbing trends in critical infrastructure security. The first was weak boundary protection and control between the operational technology (OT) networks of critical infrastructure providers and their normal, business-related IT networks. The second, which makes the first one worse, is that many critical infrastructure operators did not apply the concepts of least privilege or least functionality to their administrators and users.
Combining those two vulnerabilities couldn’t be more dangerous for critical infrastructure. You see, the OT network is what controls things like the flow of liquid through pipes, how much electricity is being generated or distributed through transmission lines, and things like that which only have a few functions, or even only one function. Traditionally, they were controlled using manual or electrical equipment, having a human throw the right switches to activate them as needed. This has been changing however, as more and more industrial sites and utilities upgrade their OT devices and provide them with IP addresses to enable remote control.
Why? The biggest reason is that utilities and those industrial type of jobs are falling out of favor with young people. Nobody wants to get their hands dirty and work in industrial type environments anymore. At least not enough people to make up for the massive retirements that are occurring in those industries. Once the so-called gray-beards retire, they’ll take the institutional knowledge of how to maintain those manual machines with them, leaving companies with almost no choice but to upgrade OT to computer control. Plus, with a smaller workforce, sending someone out to a substation in the middle of nowhere to flip a switch is a big investment of time. Remotely managing OT is seen as a much better option.
However, as the report pointed out, this connection between OT and IT is often being made without proper barriers between the networks, meaning that someone could gain access to the IT network, as attackers do at organizations every day, and then pivot to controlling OT. When you add in the fact that the absence of least privilege was the fifth most common weakness found in 2015 and the second most common in 2016, the scope of the threat becomes clearer.
Least privilege, or least functionality, means that users and even administrators are given permission to do only what they need to accomplish their jobs, and only on the machines they are responsible for overseeing. That way, if their credentials are stolen or otherwise compromised, the damage an attacker can do with them is minimized. It appears from the 2016 ICS-CERT report that many critical infrastructure organizations don't do this, likely giving their admins superuser access to everything on the IT network, which is now increasingly linked with OT.
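To make the interaction between the two findings concrete, the following is an added example (not from the article and not an ICS-CERT tool) that models a small, constructed plant network: IT, DMZ and OT zones, a boundary firewall rule set, and the set of hosts on which a phished administrator's credential is valid. It then computes the "blast radius" an attacker reaches by pivoting from one IT workstation under four combinations of flat-versus-segmented network and superuser-versus-scoped credential. The host names, ports, rules and the assumption that Modbus/TCP accepts commands without authentication are all part of the example; nothing in it comes from the report.

```python
"""Blast-radius model for the two ICS-CERT findings: weak IT/OT boundary
and no least privilege. Added example; hosts, zones, rules and credential
scopes are constructed for illustration, not taken from any assessment."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Protocols modelled as accepting commands with no authentication at all.
# Modbus/TCP genuinely has none; the set is an assumption of this model.
UNAUTHENTICATED = {"modbus"}


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                      # "IT", "DMZ" or "OT"
    services: FrozenSet[Service]   # what the host listens on


@dataclass(frozen=True)
class Rule:
    """Boundary firewall rule; "any" (zone/protocol) and 0 (port) are wildcards."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int

    def allows(self, src_zone: str, dst_zone: str, svc: Service) -> bool:
        proto, port = svc
        return (self.src_zone in (src_zone, "any") and self.dst_zone in (dst_zone, "any")
                and self.protocol in (proto, "any") and self.port in (port, 0))


def reachable_services(src: Host, dst: Host, rules: List[Rule]) -> Set[Service]:
    """Services on dst that src can talk to. Assumes no filtering inside a zone."""
    if src.zone == dst.zone:
        return set(dst.services)
    return {s for s in dst.services if any(r.allows(src.zone, dst.zone, s) for r in rules)}


def can_take_over(src: Host, dst: Host, cred_scope: Set[str], rules: List[Rule]) -> bool:
    """An attacker on src controls dst if dst is reachable and either the stolen
    credential is valid there or a reachable service needs no credential."""
    svcs = reachable_services(src, dst, rules)
    if not svcs:
        return False
    if dst.name in cred_scope:
        return True
    return any(proto in UNAUTHENTICATED for proto, _ in svcs)


def blast_radius(start: str, cred_scope: Set[str], hosts: Dict[str, Host],
                 rules: List[Rule]) -> Set[str]:
    """Hosts the attacker ends up controlling after compromising `start` with a
    credential valid on `cred_scope`, pivoting through every host taken over."""
    owned, frontier = {start}, [start]
    while frontier:
        cur = hosts[frontier.pop()]
        for name, h in hosts.items():
            if name not in owned and can_take_over(cur, h, cred_scope, rules):
                owned.add(name)
                frontier.append(name)
    return owned


# Constructed plant: two IT boxes, a historian in the DMZ, a PLC gateway and a PLC.
HOSTS = {h.name: h for h in [
    Host("it-workstation", "IT", frozenset({("smb", 445), ("rdp", 3389)})),
    Host("it-fileserver", "IT", frozenset({("smb", 445)})),
    Host("historian", "DMZ", frozenset({("rdp", 3389), ("sql", 1433)})),
    Host("plc-gateway", "OT", frozenset({("ssh", 22), ("modbus", 502)})),
    Host("plc-1", "OT", frozenset({("modbus", 502)})),
]}
FLAT_NETWORK = [Rule("any", "any", "any", 0)]                       # no boundary at all
SEGMENTED = [Rule("IT", "DMZ", "rdp", 3389), Rule("DMZ", "OT", "ssh", 22)]  # IT never talks to OT directly
ALL_HOSTS = set(HOSTS)                                              # admin is superuser everywhere
IT_ONLY = {"it-workstation", "it-fileserver"}                       # admin scoped to the IT zone


def scenarios() -> Dict[str, Set[str]]:
    start = "it-workstation"  # the phished IT admin's machine
    return {
        "flat network, superuser everywhere": blast_radius(start, ALL_HOSTS, HOSTS, FLAT_NETWORK),
        "segmented, superuser everywhere": blast_radius(start, ALL_HOSTS, HOSTS, SEGMENTED),
        "flat network, IT-scoped admin": blast_radius(start, IT_ONLY, HOSTS, FLAT_NETWORK),
        "segmented, IT-scoped admin": blast_radius(start, IT_ONLY, HOSTS, SEGMENTED),
    }


if __name__ == "__main__":
    for label, owned in scenarios().items():
        ot = sorted(n for n in owned if HOSTS[n].zone == "OT")
        print(f"{label:36s} -> {len(owned)} hosts owned, OT hosts: {ot}")
```

Run on its own, the model shows why the two findings compound each other: segmentation alone still loses the PLCs, because the superuser credential works on the historian and from there on the gateway; scoped credentials alone still lose the PLCs, because on a flat network Modbus needs no credential; only the combination keeps the attacker in the IT zone.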
The suggestions made by DHS regarding critical infrastructure in the last two days of cybersecurity month were not terrible. A few things like arguing for stronger encryption are worthwhile suggestions. But they are minor tweaks for a critical sector that needs a complete cybersecurity overhaul, and needs it before an attacker exploits common vulnerabilities to trigger a catastrophic event in some part of the critical infrastructure that we all depend upon.