Your Critical Infrastructure - ThetaRay · 2020-03-17

Whitepaper

Your Critical Infrastructure is No Longer Immune to Cyber Attacks

Learn How to Protect it Before it is Too Late



TABLE OF CONTENTS

Executive Summary .... 3
More Threats Than Ever, No Slowing Down .... 4
Concurrently Increasing Threat Sophistication .... 4
Everyone is Affected – But CIs See Highest Impact .... 5
Where are CIs Vis à Vis These Threats? .... 5
Six Factors Making CIs More Vulnerable to Cyber Threats Than Any Other Organization .... 6
    Security for ICS/SCADA Was Not Built-In From the Get Go .... 6
    Reluctance to Replace/Update Equipment and Software .... 7
    Cyber Security Directives are Mostly Voluntary .... 7
    Assumed Physical Isolation, Obscurity, Are Myths .... 8
    Using Security Solutions That Don’t Fit the Job .... 8
    CIs are Prime Target for Hostile Hackers, Hacktivists and Nation States .... 9
What Can CIs Do to Dramatically Lower Risk Exposure? .... 9
    Periodic Training and Awareness Campaigns .... 9
    Strategic Segmentation .... 10
    Defense in Depth .... 10
    Real-Time Malware Protection .... 10
    Detect Unknown Cyber and Operational Threats .... 11
    Keep Evolving! Threats Are a Moving Target .... 11


EXECUTIVE SUMMARY

Researchers and organizations tasked with evaluating the evolution of cyber threats as they apply to consumers, businesses and critical infrastructure (CI), have been increasingly sounding the alarm that threats are growing in severity. Cyber-borne malice is on the rise in scale and sophistication, frequently bringing highly targeted, complex, and dangerous attack scenarios to light.

The information revolution launched by the Internet has reached into every corner of our lives, and cyber threats nowadays adversely affect every type of organization. However, there is one sector where impact by an attack can be devastating. That sector is the industries defined as critical infrastructure; the backbone of the economy and the facilitator of life as we know it.

Critical infrastructure is not only where impact from cyber-attacks can reach catastrophic dimensions, it is also a very vulnerable sector due to the historical way security was neglected for most systems still being used today.

This paper will explore the particularities that result in significantly higher risk levels for CIs as compared with those encountered by other organizations. The conclusion section offers some best practices and suggests ways to use technological innovations to make CIs more resilient and better protected in the face of a brave new world of connectivity and threats from cyber space.


MORE THREATS THAN EVER, NO SLOWING DOWN

The way things stand in the world of online threat nowadays, the information revolution and Internet connectivity have brought with them the threat of constant cyber-attacks that increase in number every year.

Looking at some statistics, 2013 was the seventeenth record year for phishing attacks, with over 450,000 incidents. The number of phishing attacks has increased every single year since 1996, when this type of cyber threat started gaining momentum. On the malware front, new malicious code of all types exceeded the 20 million variant mark in the third quarter of 2013[1], and the tally grows every year. In fact, one AV vendor[2] claimed that 20% of all malware ever invented saw light in 2013.

Another stark example is mobile malware. 2014 marks the tenth anniversary of this threat, which saw a major boom throughout the past four years, evolving to include Trojans, spyware, adware, and, most troubling, being leveraged to facilitate targeted cyber espionage attacks. Researchers[3] note having found an average of 272 new malware variants and five new families per month in 2013. In a report released late March 2014, it was further indicated that mobile malware and high risk apps reached the 2 million milestone, double the number reported a mere six months earlier.

The picture is clear: the number of threats and attacks they are used in is growing exponentially and their rapid evolution is unstoppable.

Phishing: Over 450,000 unique attacks in 2013

Malware: Tens of millions of variants per quarter in 2013. 20% of all malware ever was released in 2013.

Mobile Malware: On average 272 new malware variants and five new families per month in 2013. Variant count doubles within six months from 1 million to 2 million.

[1] Source: McAfee Labs
[2] Source: Panda Security
[3] Source: Symantec
[4] Source: RAND Corp.
[5] Source: Kaspersky Labs

CONCURRENTLY INCREASING THREAT SOPHISTICATION

Beyond their sheer number, cyber threats and the attacks they are linked with have also been evolving in terms of sophistication. This trend holds true for commercially available threats, sold in underground markets, where a new, notable maturity has been emerging, pointing to greater sophistication, stealthier malware, and better encryption keeping attackers anonymous and out of sight[4].

It is quite alarming that the same progression applies to targeted attacks (and advanced persistent threats). Carefully tailored to their victims’ systems, APTs are made to circumvent existing security, infiltrate the infrastructure, and slowly make their way toward the final mark. Those targeted attack schemes are one of the top concerns for security teams in all types of organizations.

The notable, increased intricacy of the targeted breed of cyber-attacks is frequently underscored by industry experts who see the escalation first hand. Take for example the espionage operation dubbed Careto / The Mask; the campaign was named “One of the most advanced global cyber espionage campaigns to date[5]” by Kaspersky Labs researchers.

Another recent example is the Uroburos APT; it was named “one of the most advanced rootkits we have ever analyzed” by G-Data’s research team.

To that effect, in a recent interview at the RSA Conference 2014, Wade Baker, principal analyst at Verizon, noted:

“…The bad guys are winning at a faster rate than the good guys are winning and we’ve got to solve that; we’ve got to do something different.”

Another quote on the subject came from former head of the NSA Gen. Keith Alexander (quoted below). In a speech to the Senate, Alexander described the imminence of a devastating cyber-attack that would affect critical infrastructure and the population as a whole, indicating it was only a matter of time before such a scenario becomes reality.

Gen. Keith Alexander: “…it is only a matter of time before the sort of sophisticated tools developed by well-funded state actors find their way to groups or even individuals who in their zeal to make some political statement do not know or do not care about the collateral damage they inflict on bystanders and critical infrastructure.”

EVERYONE IS AFFECTED – BUT CIs SEE HIGHEST IMPACT

High profile cyber-attacks publicized over the past five years have organizations of all sizes more invested than ever in protecting their sensitive data and that of their customers. Nevertheless, adversaries still seem to be getting through, disrupting, destroying, stealing intellectual property and valuable, sensitive data even from organizations with the largest security budgets.

The list of victims exposed in the aftermath of large scale operations is widely diverse. While some industries suffer more attacks than others, not one sector is exempt from the threats posed by hackers and attackers, which can result in customer data breaches, bank account heists, intelligence collection, and the theft of invaluable intellectual property.

Well known cases of targeted attack campaigns, like Operation Aurora, Night Dragon, Red October or APT1, invariably reveal an eclectic list of aims from different countries and industries, for example: Google, Adobe, HBGary, DuPont, Intel, Juniper Networks, defense contractor Northrop Grumman, and Dow Chemical, to name just a few. Other targets on the list include government, diplomatic missions and embassies, scientific research organizations, trade and commerce, the energy sector (nuclear, oil and gas), aerospace, and all branches of the military.

Indeed, attackers seem to have a big appetite for variety, but while commercial entities and large corporations are prime targets for hostile agents and nations, they stand to absorb impact and repercussions that are almost entirely financial in nature. It is critical infrastructure that nations are much more concerned about for the simple reason that impact to those organizations can be catastrophic.

The nature of critical infrastructure organizations and their role in serving the nation’s daily activities is what makes potential harm to them so daunting. It is all too easy and extremely disheartening to imagine a blackout due to an attack on the power grid, the pollution of drinking water, major train or air travel disasters, and even a nuclear meltdown or explosion attributed to a successful attack by foreign adversaries.

While a major cyber-attack has not affected any particular nation at the time of writing this report, national defense officials have already publicly warned about the possibility of a “cyber-Pearl Harbor” due to increased vulnerability to foreign hackers who could make it their aim to dismantle power grids, transportation systems, financial networks and government resources[6].

[6] Source: NY Times (quoting Defense Secretary Leon E. Panetta)

WHERE ARE CIs VIS À VIS THESE THREATS?

Facing the increasing threats and the new means attackers have nowadays to infiltrate organizations and inflict harm, critical infrastructure IT security teams are under major pressure to find ways to secure their mixed environments of machines, computers and connectivity.

The task is daunting; much more daunting in fact than securing any other enterprise’s systems. The reason critical infrastructure is much more complex is the fact that beyond its more typical enterprise network, it is further made up of old machinery, dated software, and uses protocols devised in the 1970s, 1980s or 1990s alongside high-tech networks, new smart metering, grids, monitoring and connectivity schemes.

The reality for those organizations is that not only do they have to find ways to secure machines, devices and connections that were not created with security in mind, but also, the heterogeneity of the overall environment raises technological challenges that make it harder to harmonize and protect.

Since CIs are already highly regulated and their operations are part of nations’ legislative makeup, they receive ample attention from leaders and from national and regional committees, designed to guide them in protecting themselves from any factor that can inflict extensive collateral damage or disastrous outcomes, including cyber-attacks.

Seeing as cyber threats are an increasing concern to homeland security as a whole, the issue has seen the emergence of very specific directives intended to underscore the urgent need and attention to cyber security, and to empower leaders of organizations with a set of guidelines, professional advice, and policies they could use to build a robust plan.


For example, in February 2013, President Obama signed Executive Order (EO) 13,636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive (PPD)-21, “Critical Infrastructure Security and Resilience.”

As awareness of these threats continues to grow round the world, similar guidelines were also established in Europe by the European Commission, and in various countries throughout Latin America, Asia and the Pacific region, Australia, North Africa, and others.

In most countries, including the US, adopting cyber security guidelines and operating accordingly is still surprisingly voluntary. It is only very recently that the Department of Defense (DoD), in a significant change in security policy, decided to drop its longstanding DIACAP[7] compliance scheme and adopt the NIST’s civilian risk-focused security approach, thereby enforcing it de facto. The DoD is the first organization to enforce an elaborate cyber-security infrastructure for compliance status; it plans to transition all accreditations to the new scheme by September 2017.

[7] Source: DOD Information Assurance Certification and Accreditation Process

While these changes are taking place, it appears that experts are rather apprehensive about the current state of affairs. In a prepared statement from the former NSA Director, Gen. Keith Alexander was quoted as saying: “On a scale of one to 10, with 10 being strongly defended, our critical infrastructure’s preparedness to withstand a destructive cyber-attack is about a three, based on my experience.”

SIX FACTORS MAKING CIs MORE VULNERABLE TO CYBER THREATS THAN ANY OTHER ORGANIZATION

It is evident that CIs are the focus of much concern and protection efforts nowadays in face of converging security threats to their operations and physical integrity, in the shape of cyber-borne attacks. In this section we explore a number of the most problematic factors that contribute to the vulnerability of industrial CIs, which differs from any other type of organization.

1. Security for ICS/SCADA Was Not Built-In From the Get Go
2. Reluctance to Replace/Update Equipment and Software
3. Cyber Security Directives are Mostly Voluntary
4. Assumed Physical Isolation, Obscurity, Are Myths
5. Using Security Solutions That Don’t Fit the Job
6. CIs are Prime Target for Hostile Hackers, Hacktivists, and Nation States

These factors can be divided into two main types:
• Issues the CI has direct control over
• Issues the CI cannot control

For the first type, factors can be an internal decision to postpone, or refrain from, equipment and software upgrades. The second type includes uncontrollable factors that can be attributed to the rise of hacktivists who specifically target CIs and run attack campaigns against, for example, oil and gas companies.

SECURITY FOR ICS/SCADA WAS NOT BUILT-IN FROM THE GET GO

The first issue and the root cause of the current cyber insecurity of CIs is the fact that ICS/SCADA were never built with security notions in mind 20 and 30 years ago. At the time, vendors and internal teams could not foresee the coming information revolution and therefore failed to plan accordingly.

Keith Stouffer, chairman of the Process Control Security Requirements Forum and an engineer at NIST, put it plainly:

“SCADA systems were designed around reliability and safety, not security. Now SCADA systems are becoming increasingly interconnected with IP networks and have become vulnerable to internet threats.”

In more detail, ICS protocols like Modbus and SNMP were defined in the 1980s and 1990s, and they were not defined with security in mind, since the then foreseeable future only expected them to connect to an internal network or a local console, literally air gapped from the internet. Fast forward to today and ICS is no longer isolated; rather it is networked, operating as part of larger IT systems and moving closer to a variety of newer connectivity schemes. This is where the lack of security leads to reports of ICS that connect directly and openly to the Internet, allowing access to machinery with default passwords, which in turn can let even the least crafty attackers in.

Another issue that plays its part in the lower security level for ICS, and which is nonexistent in the other domains, is the lack of patching procedures or bug bounty programs for controls which are basic and very easy to hack. The present day control systems that are used to manage power plants, chemical manufacturing plants, and many more strategic facilities across the world, are wholly inadequate and they are considered to be as simple to tamper with as “hacking in the 80s”.

The result of the relative ease of hacking ICS is exemplified through attacks like the one that affected an Illinois water utility, where an external attacker operating from a Russia based IP address was able to power a SCADA water pump on and off until it burnt out. Although minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber-attack, no action was taken to secure it. With better security and advanced anomaly detection capabilities, this incident could have been discovered upon its earliest signs and stopped before any damage occurred.
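The Illinois pump incident above is exactly the kind of pattern a simple anomaly rule over control-system logs can surface on its earliest signs. The detector below is an added example, not code from the ThetaRay whitepaper; the log line format, the operator subnet 10.10.0.0/16, the unit and coil numbers and the sample addresses are all constructed for illustration.

```python
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log format (one Modbus request per line); the field names are an
# assumption for this example, not a real product's log schema:
#   "<date> <time> src=<ip> unit=<slave id> fc=<modbus function> addr=<coil> val=<0|1>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) unit=(?P<unit>\d+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>\d+) val=(?P<val>[01])$"
)

TRUSTED_NETS = [ip_network("10.10.0.0/16")]   # assumed operator/HMI network
WRITE_SINGLE_COIL = 5      # Modbus function code 5, Write Single Coil
MAX_TOGGLES = 4            # more on/off transitions than this inside WINDOW is abnormal
WINDOW = timedelta(minutes=10)


@dataclass
class CoilWrite:
    ts: datetime
    src: str
    unit: int
    fc: int
    addr: int
    val: int


def parse_line(line):
    """Parse one log line into a CoilWrite, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return CoilWrite(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        src=m["src"], unit=int(m["unit"]), fc=int(m["fc"]),
        addr=int(m["addr"]), val=int(m["val"]),
    )


def detect(lines):
    """Return (timestamp, kind, detail) alerts for two anomalies, in log order."""
    alerts = []
    last_state = {}   # (unit, addr) -> last written coil value
    toggles = {}      # (unit, addr) -> timestamps of recent state changes
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.fc != WRITE_SINGLE_COIL:
            continue   # reads and unparsable lines are ignored by this rule
        # 1. Coil writes must originate from the operator network.
        if not any(ip_address(ev.src) in net for net in TRUSTED_NETS):
            alerts.append((ev.ts, "untrusted_source",
                           f"coil write from {ev.src} to unit {ev.unit} addr {ev.addr}"))
        # 2. A pump flipped on/off far more often than operations ever do.
        key = (ev.unit, ev.addr)
        if key in last_state and last_state[key] != ev.val:
            recent = toggles.setdefault(key, deque())
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > WINDOW:
                recent.popleft()   # forget transitions older than the window
            if len(recent) > MAX_TOGGLES:
                alerts.append((ev.ts, "rapid_toggling",
                               f"unit {ev.unit} addr {ev.addr} changed state "
                               f"{len(recent)} times within {WINDOW}"))
        last_state[key] = ev.val
    return alerts


def summarize(alerts):
    """Count alerts per kind, e.g. {'untrusted_source': 7, 'rapid_toggling': 3}."""
    counts = {}
    for _, kind, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: a day of normal operator writes from the HMI subnet, then
# an outside address (198.51.100.0/24 is a documentation range) cycling the same
# pump coil once a minute. A coil read (fc=1) and a non-Modbus line are included
# to show they are skipped.
SAMPLE_LOG = """
2014-03-10 06:00:00 src=10.10.5.20 unit=3 fc=5 addr=17 val=1
2014-03-10 06:00:05 src=10.10.5.20 unit=3 fc=1 addr=17 val=1
2014-03-10 14:00:00 src=10.10.5.20 unit=3 fc=5 addr=17 val=0
2014-03-10 22:00:00 src=10.10.5.20 unit=3 fc=5 addr=17 val=1
historian heartbeat: not a modbus record
2014-03-11 03:00:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=0
2014-03-11 03:01:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=1
2014-03-11 03:02:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=0
2014-03-11 03:03:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=1
2014-03-11 03:04:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=0
2014-03-11 03:05:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=1
2014-03-11 03:06:00 src=198.51.100.7 unit=3 fc=5 addr=17 val=0
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, kind, detail in run_sample():
        print(ts, kind, detail)
```

The first untrusted-source alert fires on the very first outside write, hours before the toggling rate crosses the threshold, which is the "earliest signs" the paragraph refers to.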

Indeed, the benefits of connectivity are many and marked, but without proper security for this newfound machine awareness, the potential threats can tilt the balance in the wrong direction. Yes, although connectivity is risky for CIs at this time, the fact of the matter is that it cannot be stopped and so it should be enabled securely.

RELUCTANCE TO REPLACE/UPDATE EQUIPMENT AND SOFTWARE

Considering the previous factor, the go-to answer would be to start demanding and using more secure controls and ‘baking-in’ security into everything. However, that is not what happens in reality.

Experts in the field of industrial CI operations and security are sounding the alarm on the fact that many organizations delay upgrades, avoid updating software, and refrain from temporary downtime for the purpose of revamping security.

The reasons for decisions of this type, which are usually taken internally and in the hope that things will be okay for the short term, are the strong reluctance of CIs to have to deal with issues like:
• Downtime
• Multi-million dollar cost of stopping critical assets even for a few hours
• Complex implementation and integration of SCADA
• Complex and time consuming recalibration
• Complex and time consuming load balancing

What ends up happening in the case of most CIs is that their overall operation runs with very minimal security, while the need for very tight security is on a sharp incline. Being aware of that dire need, security teams attempt to “bolt on” and layer security in the middle, in a rather patchy fashion, as much as they can. One example result of this approach is that some turbines, oil rigs, and other various industrial installations are still running on the Windows 98 platform, which exposes them to exploitation and remote access by attackers.

A recent example quotes researchers who, after finding several holes in Yokogawa’s Centum CS 3000 software, say: “We went from zero to total compromise.”

A quote from Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium, illustrates the overall situation rather figuratively:

“We’ve got this cancer that is growing inside our critical infrastructure. When are we going to go under the knife instead of letting this fester? We need to restructure some regulations and incentives.”

The issue persists as companies continue to put upgrades off, sometimes all the way until a crash happens, or until ordered to take action by the regulators, or unless a meaningful incentive is granted.

The same goes for SCADA, where updating the systems is so complex that CIs take the ‘don’t fix it if it’s not broken’ approach. Replacing or implementing SCADA is even more daunting a project, both in magnitude and intricacy, which causes utilities, for example, to steer away from revamps unless there is no other choice. The result here can easily be an update that is ten years overdue before it is addressed, and then only due to some sort of a crisis.

Another issue that comes into play here is that the older devices used by CIs are readily available, and so hackers and nation-sponsored adversaries can easily obtain and analyze them thoroughly, finding exploits they can then use on numerous targets.

The bottom line of this ongoing mix of reluctance to act due to costs, complexity of upgrades, and lack of incentives from regulators, together with outdated equipment, controls, and software, leaves CIs highly vulnerable to hackers who can easily attack systems for which zero day patches are no longer being issued, not to mention simpler reach into high impact assets.

This is the place to note that even without connectivity, recent attack incidents showed that there are ways to access air gapped systems even if they are not connected to the Internet.

Furthermore, malware such as the Uroburos APT proves that attackers have devised workarounds to enable access to machines that are not connected to the Internet, through the use of a P2P proxy from a machine that is.

Another issue that plays into the same factor is the attempt to save money by upgrading parts of the system, like moving to an electronic network, and while at it, not spending any extra on security. This creates patches of vulnerabilities that riddle the entire attack surface, exacerbating the problem.

While the notions of connectivity seem to open a wide door to attackers, the way to protect CIs is not by stopping connectivity, but rather through adapted security and training that can help organizations enjoy and profit from all aspects of connectivity, while deploying technology that can minimize the risks.

CYBER SECURITY DIRECTIVES ARE MOSTLY VOLUNTARY

Understanding that organizations are reluctant to upgrade for different reasons, and bringing up the concept of regulation and incentives – is it not possible to oblige CIs to apply certain updates periodically?

So far, regulators have not been enforcing advanced cyber security directives. Regulation requirements like the NERC CIP were only approved in 2008 – a mere two years before Stuxnet was discovered in Iran. Initiatives like the NIST Cyber Security Framework in the US are recommended CIP guidelines, and as such, companies that choose to implement them only do so to a certain extent, if at all.

Beyond the official entities, stakeholders from the process control world in different countries are working to bring together users, academics, government officials, integrators and suppliers to create a common language, define security needs, and, more importantly, work out exactly how to solve them.

While these advancements are positive, regulators will have to begin enforcing them, and governments will have to incentivize the process.

ASSUMED PHYSICAL ISOLATION, OBSCURITY, ARE MYTHS

In the past, before network connectivity came into the world of ICS/SCADA, these systems were considered possible to air gap. The idea was that by creating a physical gap between the control network and the business network, threats like hackers and malware would never be able to reach into critical control systems.

This notion of physical isolation, while it did address the need for security in the 60s when monolithic or distributed connections were most in use, is impossible to truly implement nowadays at a time when ICS/SCADA is networked and connected by IP and to Internet resources.

[Figure: evolution of control system connectivity – Gen 1: Monolithic; Gen 2: Distributed; Gen 3: Networked; Today – Gen 4: Internet of Things]

Things changed over time; systems’ purposes have been redefined, reconfigured, and connected on different levels. For example, a system that used to only be accessible to a single computer operating in proximity to a robotic palletizer or a pump system became accessible via the Internet, with very little hindrance.

Vendors are not disinclined to make CIs understand that air gaps are a thing of the past. Stefan Woronka, Siemens Director of Industrial Security Services, was publicly quoted on the subject, saying:

“Forget the myth of the air gap – the control system that is completely isolated is history.”

Another, similar notion that contributed to the blatant insecurity of industrial controls was “Security by Obscurity”: a risky idea hoping that if controls remained an unknown domain to hackers and adversaries, they would not know how to reverse-engineer them or exploit their vulnerabilities. This concept was declared no security at all, since it is clear that current day attackers are able to study their aims carefully and devise ways to compromise any system.

Security is not an option, it is a must. The purpose of connecting SCADA systems to the network and the Internet is so that designated personnel can have remote access to the network from remote locations, via mobile devices, and from home. It is often required that vendors and third parties apply patches and updates that can take place remotely. Connectivity affords timely notifications that can help address potential disruptions to operations and services regardless of where the technician is, or the time of day. Connectivity cannot be avoided, and it shouldn’t be, because it benefits the organization.

The reality of ICS/SCADA shows that all control systems are connected to the outside world in some fashion: a network connection, a serial line, laptops, and removable drives that can be exploited by modern malware like Stuxnet.

There is no air gap to rely on, and even if there was, it could be exploited via a radio pathway, as demonstrated by the NSA in late 2013[8].

[8] Source: NY Times

The bottom line is to accept the fact that CIs are increasingly and progressively connected, and that this connectivity is only going to become more widespread and touch on more smart metering, control and monitoring systems. There is no way to avoid finding out what security is needed to make this process safe and secure, and keep the CI well protected.

USING SECURITY SOLUTIONS THAT DON’T FIT THE JOB

When it comes to IT security for CI organizations, especially those operating in the industrial markets, the use of security solutions is a challenging matter.

Industrial plants, facilities and key resources were never connected to external resources on the same level as their enterprise environment. As described in the previous section, security notions for the plant and mechanical zones counted on isolation, a concept that has long since dissipated.

Since CIs do need to maintain some level of security, they typically use enterprise grade solutions for perimeter defense (such as IPS and NGFW), and in some cases some detection tools based on rules. The ICS/SCADA zone is much less updated or secured, and the enterprise security schemes are not a good match for it. Moreover, these solutions do not understand industrial protocols, nor are they able to harmonize data from machines and controls into a complete, detailed picture of the attack surface.

Most of the solutions used by CIs nowadays are focused on preventing intrusion by detecting previously known signatures, rules, patterns or fathomable behaviors, and less on detecting attackers once they are already in. Unfortunately, the prevention of threats (IPS, IDS, NGFW) can only work to an extent, if at all, in the case of unprecedented issues. They thus mostly address run of the mill threats, while attackers make sure to modify their strategy and tactics every time they plan and launch new campaigns.

All too often, anything outside the scope of existing or foreseeable issues succeeds in infiltrating and ultimately hurting organizations and the result is security teams that fail to detect advanced attackers, and can’t find or stop them once they are already in.

CIs are also generating a lot more data and information than ever before, and enterprise solutions are not designed to deal with the masses of unique protocols and environments that come in different shapes and forms within the industrial world. Solutions that attempt to deal with the issue see the data in silos, which is insufficient for making sense of it or revealing crucial connections in the rich data, which can be the very evidence of a multi-vector attack.

The use of the wrong tool for the job means inadequate security that cannot protect the organization.

This deepens concerns about the imminence of a large scale attack, especially in view of an ever growing number of successful APT attacks, proving that current day enterprise-grade solutions are simply not enough; not in the case of commercial companies, and surely not for critical infrastructure where impact can be calamitous.

Security for CIs has to be adapted to their mixed and unique environment. The solutions they implement have to be more sophisticated than the professional attackers that will typically plan attacks, with a clear emphasis on detecting ongoing threats and unknown schemes.

CIs ARE PRIME TARGET FOR HOSTILE HACKERS, HACKTIVISTS AND NATION STATES

Another factor is the unprecedented negative attention CIs are getting from attackers. From nation states to hacktivists to opportunistic malicious hackers, adversaries have found the soft spot of their targets. CIs are the key to paralyzing an economy or causing it considerable damage.

Recent history already lists cases of sabotage campaigns where attackers likely based in the Middle East targeted U.S. energy companies, using probes to identify ways to seize control of processing plants. The ultimate goal was infiltrating industrial machinery to shut down the networks that deliver energy or run industrial processes[9]. Attribution is always a challenge, and the group behind these attacks could have been state-sponsored as much as they could have been hackers or cybercriminals.

Hacktivist operations have also become a common cyber threat to CIs, especially the energy sector, since energy is both critical to everyday life, and a major driver of the economy.

The Anonymous collective, for example, menaces companies in the energy sector with DDoS attacks, hacking into systems to steal and expose sensitive and confidential information, or defacing their websites and social media accounts.

[9] Source: DHS via NY Times
[10] Source: GlobalScape via CSO Online

While these disruptions and nuisances are never welcome, the principal risks are related to the possibility of further sabotage that could damage physical assets.

The most prominent threat to CIs nowadays comes from nation states and the highly skilled teams they deploy. Cyber-attacks launched against nations, like Estonia in 2007, Georgia in 2009, and Iran in 2010, all either paralyzed government operations or targeted the critical infrastructure in a quest to disrupt activity, obtain intelligence by means of espionage, or cause destruction to varying extents.

These types of cases are the most sophisticated, targeted and well-planned attacks. Discovering and countering them is not impossible, but it is a serious challenge CIs have to tackle in order to raise security awareness, change practices, adapt training and technological solutions, and begin detecting unknown threats to ultimately become a lot more resilient and better protected.

WHAT CAN CIs DO TO DRAMATICALLY LOWER RISK EXPOSURE?

While implementing proper security is a complex task for IT and IT security teams, there are some main concepts and a number of key tactics that can dramatically lower risk exposure and the potential impact of cyber threats.

PERIODIC TRAINING AND AWARENESS CAMPAIGNS

The very first tactic on the list is training and awareness of employees and all levels of management, making sure they understand and know how to partake in the mitigation of threats that can compromise their infrastructure and end in disaster.

While training and awareness are supposedly integrated into regulation requirements and are part of every security implementation, a recent survey by Globalscape[10] found some alarming facts:
• Only 48% of employees said that their companies have policies for sending sensitive files
• 30% said that their companies don’t have policies in place
• 22% weren’t sure whether a policy existed

Of those employees at companies that have policies for sending sensitive information:
• 62% still use remote devices
• 54% still use personal email, thereby circumventing security controls and ultimately putting the data at risk.


[11] Source: Multiprotocol Label Switching
[12] Source: A Solutionary report found that 34% of all attacks are botnet based; the largest type of attack

Making sure security awareness is part of the company’s policies is crucial to every part of the organizational hierarchy, especially since the higher team members are placed, the more privileged they are in the infrastructure, and thereby more adversely impactful if they have poor security habits.

To step up awareness, the IT security team can initiate awareness campaigns about proper password security, locking machines when stepping away, spear phishing and social engineering. A healthy level of leeriness comes in handy when it comes to opening email attachments, sending or giving information over the phone to potential imposters, using company resources for personal purposes and risking malware infection, as well as putting the entire network at risk by plugging in personal devices (with or without BYOD policies in place).

STRATEGIC SEGMENTATION

The way an underlying network is designed, including strategic segmentation and perimeter defenses, plays a critical role in determining its overall vulnerability level.

Sectioning security zones and controlling different parts of the network (VES systems, ICS, SCADA devices) can be the element that would help stop an attack from spreading throughout the organization, or from one environment (like the business IT) to another (plant, machines, ICS/SCADA zone).

The communication schemes between segments can also play a role in their security, or lack thereof. For example, the use of MPLS[11], which is often implemented by CIs for speeding up network traffic flow, can spell the sort of vulnerability that will ultimately result in critical downtime if an attacker breaches the physical security of the infrastructure.

Telnet is another example; this insecure remote protocol is all too often the culprit in the compromise of connected resources. Planning for secure communication and disabling telnet can mitigate unnecessary risk.

Conversely, the use of high-bandwidth Ethernet technology for Internet access is inherently more secure and can help reduce network vulnerability overall. When it comes to communications for web-based ICS/SCADA systems, the use of SSL/TLS is the more secure choice.
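Checks of the kind this section describes can be run over a flow export from the segmentation boundary. The following is an added example, not code from the whitepaper or from ThetaRay: the zone addressing, the allowlist entry and the flow lines are all constructed for illustration, and a real deployment would read its zone plan and allowlist from the firewall or network documentation.

```python
"""Segmentation audit over constructed flow records.

Added example (not from the whitepaper or ThetaRay): the zone addressing,
allowlist and flow lines below are all constructed for illustration.
"""
import ipaddress
from collections import Counter, namedtuple

# Constructed zone plan: business IT, a DMZ for brokered access, and the ICS/SCADA zone.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed allowlist of (source IP, destination port) pairs permitted into the
# ICS zone, e.g. historian replication over TLS from a DMZ host.
ALLOWED_INTO_ICS = {("10.20.0.5", 443)}

TELNET_PORT = 23
HTTP_PORT = 80

Flow = namedtuple("Flow", "src dst proto dport nbytes")

# Constructed flow export: "src dst proto dport bytes", one flow per line.
SAMPLE_FLOWS = """\
10.10.4.17 192.168.100.20 tcp 23 812
10.10.4.17 10.10.9.3 tcp 445 4096
10.20.0.5 192.168.100.10 tcp 443 20480
10.10.7.2 192.168.100.11 tcp 80 1500
192.168.100.10 192.168.100.11 tcp 502 300
10.10.8.9 192.168.100.30 tcp 443 900
"""


def parse_flows(text):
    """Parse the constructed flow format into Flow tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def audit(flows):
    """Return (finding, flow) pairs for the three checks the section motivates."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        # Telnet anywhere: plaintext credentials and commands on the wire.
        if f.proto == "tcp" and f.dport == TELNET_PORT:
            findings.append(("telnet", f))
        # Traffic entering the ICS zone that the allowlist does not cover.
        if dst_zone == "ics" and src_zone != "ics" and (f.src, f.dport) not in ALLOWED_INTO_ICS:
            findings.append(("unapproved_cross_zone", f))
        # Web-based HMI/SCADA reached over plain HTTP instead of TLS.
        if dst_zone == "ics" and f.proto == "tcp" and f.dport == HTTP_PORT:
            findings.append(("plaintext_http_to_ics", f))
    return findings


def summarize(text=SAMPLE_FLOWS):
    """Count findings by type for a flow export."""
    return dict(Counter(kind for kind, _ in audit(parse_flows(text))))


if __name__ == "__main__":
    for kind, flow in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:24s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

On the constructed export the audit flags the Telnet session into the ICS zone, three flows reaching ICS addresses without an allowlist entry, and one HMI reached over plain HTTP; the ICS-to-ICS Modbus traffic and the allowlisted historian replication pass.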

DEFENSE IN DEPTH

Defense in depth is the tactical layering of security controls to varying levels of redundancy to ensure consistent resilience in the event one of the layers is compromised or fails. It is a necessity in an era where malware can easily disable and circumvent firewall and AV products or tamper with their functions.

The layers typically employed by most organizations are:
• Physical security of key assets
• Firewall
• VPN
• Intrusion prevention and detection (IPS, IDS)
• Anti-virus software
• Whitelisting approved hosts and blacklisting known malicious hosts
• Hashing passwords and encrypting communications

Layering security, in combination with diligent security routines (keeping all machines, drivers, and software up to date, patching regularly, changing passwords, etc.), can foil a variety of opportunistic attacks, like drive-by infection by botnets[12], and impede an attacker’s foothold in the infrastructure.
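The "hashing passwords" layer in the list above is easy to get wrong. The added example below is not code from the whitepaper or from ThetaRay; it puts the weak form, a single unsalted hash, beside a salted, iterated key derivation from the Python standard library. The record format and the iteration count are assumptions made here.

```python
"""Password storage: unsalted hash beside a salted, iterated KDF.

Added example, not code from the whitepaper or ThetaRay. The record format
"pbkdf2_sha256$iterations$salt_hex$hash_hex" is an assumption made here.
"""
import hashlib
import hmac
import os

# Assumption: tune the iteration count to your hardware; it slows offline guessing.
ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The 'before': one unsalted SHA-256 pass. Equal passwords give equal records,
    and precomputed tables or GPU cracking make offline guessing cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hardened_store(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt makes equal passwords differ."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two users with the same password are indistinguishable in the weak scheme.
    print(weak_store("correct horse") == weak_store("correct horse"))   # True
    r1, r2 = hardened_store("correct horse"), hardened_store("correct horse")
    print(r1 != r2, verify(r1, "correct horse"), verify(r1, "wrong"))   # True True False
```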

REAL-TIME MALWARE PROTECTION

Real-time malware protection has to be part of every security stack, used to detect infections that made it through to endpoints on the network and could spread further into other parts of it. Malware protection can help keep run of the mill cyber-malice at bay: automated, opportunistic malicious code (worms, viruses, some Trojans).

Note that while malware protection works for most assets, it is not suitable for PLCs and ICS protocols. CIs need more than enterprise grade solutions to protect their complex networks from external and internal threats that use malware.


USE A SOLUTION THAT CAN DETECT UNKNOWN CYBER AND OPERATIONAL THREATS

While segmentation, defense in depth and malware detection can offer some protection from known threats, their ability to detect unknowns is much less effective, if at all. Current day solutions based on signatures, rules, heuristics, and fathomable attacker behaviors are not able to find unprecedented issues. The case of highly sophisticated and targeted attacks which are methodically tailored to their victims, leaves those solutions powerless and those they protect, exposed.

Detecting unknowns is the most crucial factor in securing CIs, not from the disguised malware that perpetually comes knocking, but rather from surreptitious threats that may have already infiltrated the infrastructure and could be collecting intelligence, exfiltrating information, or planning the next step towards operational or physical harm. It is the plan for when the infrastructure is breached, not if.

The best technological fit for gaining an all-encompassing view of CI systems, effectively securing their heterogeneous complexity, is the use of a Hyper-dimensional Big Data Analytics solution. This type of platform is designed to easily handle the massive amounts of big data generated by the entire organization and leverage every source of it, including the ICS/SCADA traffic, and machine data of all types, for insightful predictive analytics and the discovery of undetected threats.

Issues typically revealed by Hyper-dimensional Big Data Analytics are zero day, mutated malware incidents, APT attacks in progress, underlying operational issues, and looming equipment faults or malfunctions that are not perceptible without the ability to simultaneously analyze data from all possible sources.

A platform leveraging Hyper-dimensional big data analytics should be computationally efficient, flexible, and easy to deploy on premises or in the cloud, offering the following capabilities:

1. Easy handling of the unlimited amount of big data generated by both the business and the operational networks, by design.

2. Simultaneously and efficiently analyze all sources of data in a non-silo fashion, including ICS/SCADA traffic, network traffic, industrial machine data (turbines, sensors, etc.), various database records, and host based data, to name a few.

3. Offer rule-free detection, non-reliant on patterns, signatures, heuristics etc.

4. Alert about issues with the lowest achievable false positive rate.

5. Come as an automatic, unsupervised solution.

6. Provide complete, laser-focused forensics the security team can leverage and quickly act on.

7. Not requiring any big data expertise from security teams, yet allowing them to use the full capacity of the platform to detect and defeat threats.
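Capability 2 above, analysing sources together rather than in silos, is the one a small example can make concrete. The following is an added illustration, not ThetaRay's algorithm or code: a plain Mahalanobis-distance outlier score over constructed records that pair a command count from ICS/SCADA traffic with a turbine reading from machine telemetry. A record whose two values are each inside the baseline range, but in a combination the baseline never shows, is missed by per-source thresholds and caught by the joint score. The baseline values, the feature pairing and the thresholds are all assumptions made here.

```python
"""Joint scoring of two data sources versus siloed per-source thresholds.

Added example, not ThetaRay's algorithm or code: a plain Mahalanobis-distance
outlier score over constructed records, to show why analysing sources together
catches what per-source thresholds miss.
"""
from dataclasses import dataclass
from math import sqrt

# Constructed baseline, one record per minute: (setpoint commands seen in
# ICS/SCADA traffic, turbine RPM change reported by machine telemetry).
# In normal operation the RPM change tracks the command count.
BASELINE = [
    (2, 21), (3, 29), (4, 41), (5, 52), (6, 58), (7, 72),
    (8, 79), (9, 91), (10, 101), (11, 109), (12, 122), (13, 128),
]

D2_LIMIT = 13.8   # 99.9th percentile of chi-square with 2 degrees of freedom
Z_LIMIT = 3.0     # the usual per-feature "three sigma" threshold


def covariance(rows):
    """Population mean vector and covariance matrix of k-dimensional rows."""
    n, k = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(k)]
    cov = [[0.0] * k for _ in range(k)]
    for r in rows:
        d = [r[j] - mu[j] for j in range(k)]
        for i in range(k):
            for j in range(k):
                cov[i][j] += d[i] * d[j] / n
    return mu, cov


def invert(m):
    """Gauss-Jordan inverse with partial pivoting (small k, no numpy needed)."""
    k = len(m)
    a = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(k)]
         for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance matrix")
        a[col] = [v / p for v in a[col]]
        for r in range(k):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[k:] for row in a]


@dataclass
class JointModel:
    mu: list
    std: list       # per-feature standard deviations, for the siloed view
    inv_cov: list   # inverse covariance, for the joint view


def fit(rows=BASELINE):
    """Learn the baseline; no rules or signatures, only the data's own shape."""
    mu, cov = covariance(rows)
    return JointModel(mu, [sqrt(cov[i][i]) for i in range(len(mu))], invert(cov))


def siloed_zscores(model, x):
    """Each source judged on its own: |x - mean| / std per feature."""
    return [abs(x[i] - model.mu[i]) / model.std[i] for i in range(len(x))]


def joint_score(model, x):
    """Squared Mahalanobis distance: accounts for how the sources move together."""
    d = [x[i] - model.mu[i] for i in range(len(x))]
    k = len(d)
    return sum(d[i] * model.inv_cov[i][j] * d[j] for i in range(k) for j in range(k))


def classify(model, x):
    """Return which view would alert on a record."""
    return {
        "siloed_alert": any(z > Z_LIMIT for z in siloed_zscores(model, x)),
        "joint_alert": joint_score(model, x) > D2_LIMIT,
    }


if __name__ == "__main__":
    model = fit()
    # Constructed suspicious minute: a large RPM change with almost no commands.
    # Each value alone sits inside the baseline range, so per-source thresholds stay quiet.
    print(classify(model, (3, 120)))   # siloed False, joint True
    print(classify(model, (9, 93)))    # an ordinary minute: both False
```

The design point is the covariance term: a per-source threshold only knows each feature's own spread, while the joint score penalises a pair of values that contradicts the relationship the baseline established between the sources. Real deployments would use many more features and a robust estimator, but the reason siloed analysis misses this kind of record is the same.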

ThetaRay is a leading provider of unknown threats detection solutions to critical infrastructure, financial institutions and organizations using Industrial Internet. The company’s core technology is based on state of the art machine learning algorithms which power its proprietary Hyper-Dimensional Big Data Analytics™. ThetaRay customers detect unknown cyber and operational threats at their earliest signs, defeating surreptitious attackers and unidentified equipment faults in minutes and before any damage can occur.

KEEP EVOLVING! THREATS ARE A MOVING TARGET

While this last item can apply to any organization, it is especially true for CIs: not keeping up with threat modeling and sticking to an outdated security policy can be the very reason your CI will get compromised in a targeted attack. The rising number of APT attacks and ever increasing large-scale breaches make it safe to say that the current security policy state of affairs—risk assessments, audits, and compliance schemes—might be leading the way to staying behind threats, instead of the resilience they should be creating.

Another way security teams fall behind is by shying away from the advent of BYOD, mobility, connectivity, or IoT schemes in order to avoid the security issues those may bring along. The right way to go about these inevitable signs of progress is to use security to enable them.

Much as threats are rapidly evolving and adversaries keep stepping up their skill and tactics, security teams and decision makers have to evolve with the threat and regard the status quo as a risk factor. The time to reexamine longstanding policies and refresh them is now. Moving forward with the times is an important factor that can dramatically improve the resilience of the network and reduce expenses tied to securing it in the long term.


24 Hebron Road, Jerusalem, 9354212, Israel | Tel: +972-2-640-9763 | [email protected]

ThetaRay | www.thetaray.com

ABOUT THETARAY

ThetaRay is a leading provider of unknown threat detection solutions to critical infrastructure, financial institutions and organizations using Industrial Internet. The company’s core technology is based on state of the art machine learning algorithms which power its proprietary Hyper-Dimensional Big Data Analytics™. Nowadays, highly customized, sophisticated cyber-attacks easily circumvent traditional security, with adversaries being able to breach, lurk, and operate surreptitiously inside compromised networks for months and years before they are exposed due to impact.

ThetaRay’s patented, award-winning threat detection platform automatically uncovers unknown cyber and operational issues within minutes, allowing customers to take action and avert disaster before any damage occurs. Organizations tasked with securing highly heterogeneous environments that include ICS/SCADA devices, IoT and multiple other data sources, leverage ThetaRay’s unmatched detection and low false positive rates as a see-all power that enables them to unify detection and defeat the unknown.

To learn more about how you can begin uncovering unknown threats and start protecting your critical infrastructure,

contact ThetaRay today: www.thetaray.com | @ThetaRayTeam | LinkedIn | Facebook | Pinterest