Guarding vital IT infrastructure
In search of a role model that can be applied to normal businesses to bolster security. By Yeo Siang Tiong
After many years of working with clients trying to protect their industrial systems — from oil refineries to railway systems — you learn one thing: critical infrastructure needs special attention.
Like normal companies, industrial facilities depend on computers and software, but the range of solutions in use is very different from what you see at a typical office.
You can find 10-year-old machines still working as though they are as good as new, and operators are not worried about the cost of replacement. Instead, they ask how much it costs to stop those machines for just an hour, because industrial operators can face million-dollar losses from downtime on one side and compliance failure fines ranging from $1,000 to $1 million per day on the other.
The importance of reliability and continuity is so high in this environment that even a fraction of the strict security assessments such a company faces will, in fact, boost the operations of a regular business. So, do companies with traditional infrastructure have something to learn from critical operations? The answer is “yes” and “no” at the same time.
Speaking from experience, I can say that developing specialised security software for industrial facilities involves meeting some unique requirements. Let me name a few:
Observability mode. Security solutions are deployed extremely carefully in critical industrial environments. They should be able to monitor activity and detect threats, but should leave the decision to block an attack up to the operator.
Industrial systems rely on customised software, so even a potential conflict between a security solution and, say, the operation of a railway system cannot be tolerated. For a typical IT infrastructure, this provides a good model for the careful deployment of a new feature such as application control: run it in the background, collect all of the stats, analyse and refine, and then — and only then — roll out full functionality.
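The staged rollout described above, as an added example (not the author's or any vendor's code): a hash allowlist is run first in an observe-only mode that records, rather than denies, executions the policy would block; the recorded misses are reviewed, the allowlist refined, and only then is the same engine switched to enforce. The hosts, paths and hashes are constructed sample data.

```python
"""Added example (not the article's or any vendor's code): application control
run in "observe" mode, reviewed, then switched to "enforce". Data is constructed."""
from collections import defaultdict

class AppControl:
    def __init__(self, allowed_hashes, mode="observe"):
        assert mode in ("observe", "enforce")
        self.allowed, self.mode = set(allowed_hashes), mode
        # path -> {host: count}, recorded only for executions not on the allowlist
        self.misses = defaultdict(lambda: defaultdict(int))

    def decide(self, event):
        """Decide one process-start event {'host', 'path', 'sha256'}."""
        if event["sha256"] in self.allowed:
            return "allow"
        self.misses[event["path"]][event["host"]] += 1
        return "block" if self.mode == "enforce" else "allow"  # observe never blocks

    def review(self, min_hosts=2):
        """Misses seen on >= min_hosts hosts are likely legitimate gaps in the
        allowlist; the rest are one-offs to keep denied or investigate."""
        widespread, rare = {}, {}
        for path, hosts in self.misses.items():
            (widespread if len(hosts) >= min_hosts else rare)[path] = sum(hosts.values())
        return widespread, rare

# Constructed sample: the allowlist knows the ERP client but not the HMI viewer.
ALLOWED = {"aaa111"}
EVENTS = [
    {"host": h, "path": p, "sha256": s}
    for h, p, s in [
        ("ws01", r"C:\erp\client.exe", "aaa111"),
        ("ws01", r"C:\hmi\viewer.exe", "ccc333"),
        ("ws02", r"C:\hmi\viewer.exe", "ccc333"),
        ("ws03", r"C:\hmi\viewer.exe", "ccc333"),
        ("ws02", r"C:\Users\tmp\x.exe", "ddd444"),
    ]
]

def staged_rollout(events, allowed, min_hosts=2):
    """Observe, review, then enforce with the refined allowlist."""
    observe = AppControl(allowed, "observe")
    observed = [observe.decide(e) for e in events]
    widespread, rare = observe.review(min_hosts)
    # An analyst approves the widespread binaries; rare ones stay outside the list.
    refined = set(allowed) | {e["sha256"] for e in events if e["path"] in widespread}
    enforce = AppControl(refined, "enforce")
    enforced = [enforce.decide(e) for e in events]
    return observed, widespread, rare, enforced
```

In the observe pass nothing is denied, so the new HMI viewer is discovered as a widespread gap before enforcement would have broken it on three workstations, while the one-off binary remains blocked once the policy is enforced.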
Security assessment. Critical infrastructure always works together with traditional IT, and the fact that different teams are usually responsible for the security of those two entities is challenging. An independent look by security experts proficient in both industrial systems and general IT helps to identify potential weaknesses usually found at the meeting point between two systems.
This is also true for any traditional IT infrastructure. In fact, the variety of endpoints, mobile devices, on-site servers and cloud services is no less complicated than a power plant.
Exploit prevention. Technologies designed to identify attacks that use previously unknown vulnerabilities are one level above traditional anti-malware systems. As we learned from the Stuxnet worm, critical infrastructure may be targeted with the most advanced cyber weapons.
Unlike traditional malware, targeted and advanced attacks require special tools. As we know, targeted attacks put businesses in danger even more than industrial facilities. So if you ask me, it was time to start protecting businesses from advanced persistent threats yesterday.
These are the positive examples of critical infrastructure specifics that may be adopted by traditional businesses right away. But here are a few things that would be better if they stay within the manufacturing and energy sectors:
Older hardware. It costs millions, it is reliable, and you can find fully operational machines still working on Windows 98. While there are reasons to use such hardware in critical infrastructure, this is not an excuse to use outdated software and hardware in the office. When IT reaches the end of its life, it’s worth replacing for the sake of security.
Isolated operations. Letting a supervisory control and data acquisition system connect directly to the internet is the worst thing that can happen to an industrial system. Isolation brings its own security problems, especially for the delivery of security updates. They can be solved, but isolating traditional infrastructure without changing the security approach leads to a lot of trouble.
The best takeaway from a mission-critical experience is the need to have the right attitude. When you know that the wrong software update can cause an hour’s outage and losses of thousands of dollars per minute, you have to alter your approach.
Traditional IT is usually more relaxed, although it is possible to lose anything from $66,000 (SMEs) to $1.4 million (enterprises) due to downtime from a security incident. Given this, adopting a “critical” attitude when thinking about IT security seems to be a wise choice.