Protecting critical infrastructure (CI) has always been a top priority for most nations. However, the 2007 US-Israeli attack on an Iranian uranium enrichment facility changed everything. Their use of the Stuxnet virus set the stage for a new wave of targeted cyber-offensive attacks on CI and supervisory control and data acquisition (SCADA) systems.
As most CI systems are decades old, the reliance on outdated SCADA systems has put CI sectors at risk for these very kinds of attacks. On 5 February 2021, the Oldsmar Florida water treatment facility faced every cybersecurity professional’s biggest concern: a potentially destructive cyberattack on critical infrastructure.
It all starts with critical infrastructure
Australia’s unique geographical position to stave off global threats is no longer enough. Although the events in the United States are not our own, we cannot ignore the real risk to our CI sectors. These all comprise systems, networks and assets (both physical and virtual) that are vital to society. Increased reliance on digitally networked systems – also known as Industry 4.0 or the next wave of industrial revolution – has created a greater attack surface and new threat vector in the protection of our nation’s critical infrastructure.
The attack on Florida’s water treatment facility is a prime example of the need for a plan. The notion that an attacker could gain access to the systems that control the water composition for civilians is concerning. The new age of cyber warfare does not play by the same rules of engagement of past conflict. Now more than ever, vigilance is required. Cybersecurity should be everyone’s concern.
How did this happen?
According to reports, an employee at the water treatment facility noticed that someone had gained remote access to his computer. He dismissed the intrusion at first, because it was common for supervisors to connect to his computer remotely. Several hours later he realised this was not a supervisor and reported the intrusion. Thankfully, the employee's vigilance and several other mitigation controls that were already in place prevented the attacker from causing any real damage. Outdated software and the lack of a strong password policy were reported as key factors in how the attackers gained access to the network.
The pandemic-induced remote-workforce environment has created new norms for many organisations. Most were not prepared for the sudden transition to work from home. Giving workers remote – yet secure – access to sensitive company systems provided IT professionals with a daunting task, and adversaries with a new attack vector.
Organisations no longer enjoy the protections that their physical facilities afforded them. Control over the network infrastructure, physical access control and guard staff are no longer a reliable luxury.
These factors all lead to access control risk. Properly identifying and authenticating authorised access is a challenging task when your workforce no longer reports to your facility, when your facility guard staff has been reduced due to COVID-19, and when the set of employees on site changes from day to day.
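The Oldsmar intrusion was noticed because a remote session did not fit the pattern an employee expected. The following is an added example (not code from the article or from the facility) of turning that expectation into a check: it reads constructed remote-access session log lines and flags session starts that break a hypothetical policy (only named supervisor accounts, only from the plant network, only during operating hours). The log format, account names, address ranges and hours are all assumptions for illustration.

```python
import re
from datetime import datetime, time

# Constructed sample log lines (not from the real incident): a remote-access
# service recording who connected to an operator workstation, from where, and when.
SAMPLE_LOG = """\
2021-02-05 08:02:11 session=start user=supervisor1 src=10.20.0.5 host=OPS-WS01
2021-02-05 08:31:40 session=end user=supervisor1 src=10.20.0.5 host=OPS-WS01
2021-02-05 13:07:52 session=start user=contractor9 src=203.0.113.44 host=OPS-WS01
2021-02-05 13:09:03 session=end user=contractor9 src=203.0.113.44 host=OPS-WS01
2021-02-05 23:48:19 session=start user=supervisor2 src=198.51.100.7 host=OPS-WS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) session=(?P<event>start|end) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$"
)

# Hypothetical policy: only supervisors connect, only from the plant network,
# only between 06:00 and 18:00 local time. Adjust to the site's real policy.
SUPERVISORS = {"supervisor1", "supervisor2"}
PLANT_NET_PREFIXES = ("10.20.",)
OPERATING_HOURS = (time(6, 0), time(18, 0))


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def check_session(rec):
    """Return the reasons a session start should be reviewed (empty list = expected)."""
    reasons = []
    if rec["user"] not in SUPERVISORS:
        reasons.append("account not authorised for remote access")
    if not rec["src"].startswith(PLANT_NET_PREFIXES):
        reasons.append("source outside plant network")
    if not (OPERATING_HOURS[0] <= rec["ts"].time() <= OPERATING_HOURS[1]):
        reasons.append("outside operating hours")
    return reasons


def review_log(text):
    """Map (user, start time) -> reasons for every session start that violates policy."""
    alerts = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "start":
            reasons = check_session(rec)
            if reasons:
                alerts[(rec["user"], rec["ts"].isoformat())] = reasons
    return alerts
```

On the sample log, the supervisor's morning session from the plant network passes, while the contractor account and the late-night session from an outside address are both flagged for review.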
So what now?
Don’t worry, we’ve got a strategy!
In 2020, the Australian Cyber, Digital, and Technology Policy Division of the Department of Home Affairs adopted its latest Cyber Security Strategy, building on the previously published 2016 version. Their vision is to promote “a more secure online world for Australians, their businesses and the essential services upon which all citizens depend”.
As the Florida water-supply attack demonstrated, government cannot protect critical infrastructure on its own. There must be a strong partnership between government, business and community in sharing information, as well as in education on cyber threats and mitigation controls.
This strategy relies on a commitment from businesses and community organisations to prioritise cybersecurity as much as physical security. To turn this vision into reality, it is important to understand there is no longer a delineation between a person’s activities at home and at work when interacting in the digital world. Unintentional insider risk results from employees being targeted through social media platforms. Threat actors can gain access to employee credentials through various means, including:
- Phishing – sending emails that appear authentic to a user with the intent of getting them to click on a link. That link will either install malware on their device or direct them to a fake login site that asks them to enter sensitive credentials. The threat actor then records the credentials with the intent of using them for malicious activity.
- SMishing – similar to the phishing technique, except the message is sent through an SMS message.
- Vishing – a technique in which the attacker telephones an unsuspecting victim while posing as a financial institution, with the intent of tricking the victim into providing personally identifiable information.
All these techniques can be performed because of information made public through employees' social media profiles. Educating employees about these techniques and making them aware of their existence is an important step in growing cybersecurity awareness.
Robust identity establishment is at the core of a solid security program.
Security has evolved from a purely physical focus to a hybrid cyber–physical focus. You cannot have physical security without cybersecurity, just as you cannot have cybersecurity without physical security. Deploying a holistic security program that focuses both on cyber and physical challenges will make for a stronger program. The notion that cybersecurity is separate from physical security provides a greater attack surface for threat actors. Siloed cyber and physical systems and communications that rely on disparate identity management solutions increase the ways in which a bad actor can gain access to your important assets.
Many organisations believe that strong password policies or network security controls are the best ways to thwart cyberattacks, and that implementing physical access control systems (PACS) at strategic entry points will make a facility more secure. Although these will contribute to better security (compared to doing nothing), once credentials have been stolen by whatever means, the strength of the user's password is no longer relevant – just as the number of physical card readers no longer matters. If an adversary is in a network with authorised credentials, or in a facility with a stolen access control card, then the security controls put in place will not detect the intrusion.
A strong security program relies on more than the traditional methods of policy, controls and security. It hinges on the protection of identity. When identities – both human and device identities – are protected, a new relationship can be built based on trust decisions.