Warnings about an imminent “Cyber 9-11”, or a “Virtual Pearl Harbour”, have been with us for years. The most recent was from top US regulator Bejamin Lawsky, head of the New York State Department of Financial Services, who last week voiced public concerns about an “Armageddon-type cyber event”.
Now, most often such dire predictions are used to urge Critical National Infrastructure (CNI) firms to better shore up their defences and improve resilience against possible intrusion. After all, a Unisys report a few months back claimed that 70% of CNI organisations suffered breaches in the past year and 78% of senior security officials said a successful attack on their ICS and SCADA systems was likely in the next 24 months.
Now, I’m not saying this isn’t possible. However, it’s easy to get carried away by FUD-y rhetoric.
The most famous SCADA attack to date, Stuxnet, was carried out by nation states. The sheer complexity of the campaign from planning to execution, including the number of zero day vulnerabilities researched and exploited, was unheard of. It’s not happened since on that scale, that we know about, and won’t happen often in the future.
Terrorists and cybercriminals represent another threat. Yet if we’re talking about financially motivated gangs, it’s still easier to hire a botnet and launch a banking trojan campaign than hold a CNI firm to ransom. When it comes to publicity hungry jihadists, doing things in the physical world, where they can be seen and accounted for, is still the best route. Attack a power station and the government will likely try to stifle the oxygen of publicity by claiming another cause was to blame, such as a regular malfunction.
Insecure, with Caveats
ICS and SCADA systems may be woefully insecure, often unpatched and running old operating systems, but they’re also heterogenous, meaning any cybercriminal will be unable to reuse an attack on other systems. This is bad RoI for the cybercriminal, who works to the same rules of economics as a legitimate business.
That’s not to say there aren’t serious problems. Trend Micro honeypot research from last year found it took only 18 hours for the first cyber attack aimed at spoof systems meant to replicate an industrial set-up. A separate report found malware on ICS forums designed to infect and steal information from such firms.
What to Do
So where does the answer lie? Well, if they’re determined enough, cybercriminals will be able to infiltrate all but the most tightly controlled systems. However, a few simple steps can help your organisation improve its security posture to the point where it’s no longer the lowest hanging fruit. And cyber gangs usually go after the path of least resistance.
Here are a few:
- Disconnect machines that don’t need to be internet facing – it’s the most likely attack vector.
- Don’t use old or unsupported OS versions like XP. Attackers will often exploit simple vulnerabilities in these.
- Ditch Windows altogether and use a bespoke Linux set-up. Platform monocultures appeal to cybercriminals because they can re-use attacks, lowering RoI.
- Test and patch systems regularly. Another no-brainer, although it can be tricky in mission critical environments.
- Petition the government to take a lead on standards and guidelines. It’s critical to the country’s wellbeing that CNI firms remain safe from attack, so it should be implementing mandatory best practice frameworks.