Remember when the lights went out at the Super Bowl and we thought it might be the result of a cyber attack? While it didn’t turn out to be malicious, it was a telling example of how vulnerable we feel.
And, it turns out that our feelings of vulnerability are justified. Critical infrastructure security is the theme of this last week of National Cyber Security Awareness Month. It’s definitely a topic worth our close attention.
The nation’s critical infrastructure is under attack every day. According to the Department of Homeland Security (DHS), America’s water and power utilities are targeted on a daily basis. (See the article DHS: America’s water and power utilities under daily cyber-attack).
Once Again, the Internet Changes Everything
One problem is that we’re moving more systems to the Internet – including components of critical infrastructure that were previously not connected to the broader Internet. These systems are often older and vulnerable.
But the problem runs much deeper than that. Attacks are getting more sophisticated. The infrastructure operators really need to step up their game to respond. Secure network configurations are not enough: the Stuxnet worm targeted “closed” systems not connected to the Internet.
We’ve Got a Framework, but Limited Federal Funding
On the bright side, we’re taking some steps – slowly. President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity calls on the NIST to create a framework for improving cybersecurity and collaboration between the public and private sector. NIST released the preliminary draft of its framework just last week.
But even as we discuss the framework, we’re already late to the game. Worse, budget cuts are forcing the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to scale back training programs and other cybersecurity efforts. The recent federal government shutdown no doubt set us back further.
So while we examine and debate the NIST framework, I’d propose three relatively simple steps to mitigate risk. Despite the complexity of both the infrastructure and the threat environment, I believe that taking a few small steps can have a big impact.
1. Don’t connect every single infrastructure component to the Internet.
Whenever critical infrastructure is connected to the Internet, it is exposed to a much higher level of risk. I’m not saying we shouldn’t connect at all, but we need to review these closely and use careful network segmentation and controls.
2. Beef up authentication and authorization
Every login to the system should be authenticated, and every transaction authorized. Rigorous controls should be standard practice for any system that connects to infrastructure components. It is particularly important to base each decision on the current context (who is connecting, from which device and location) so that the system is flexible and adaptive.
3. Examine every login and transaction for anomalies
The third step is to examine every transaction (including logins and account creations) for indicators of risk. Anomalies might include someone connecting from a disguised location, or a familiar user ID using a compromised device. Then put processes in place to either deny those logins/transactions or add more security measures.
Anomaly detection may be new to utilities and other infrastructure providers, but it’s bread-and-butter familiar to banks, financial institutions and e-commerce organizations.
Shouldn’t our critical infrastructure have at least the same level of protection as our online shopping experience?
The role of anomaly detection
An anomaly detection system needs to be able to identify the legitimate users, while keeping out a wide variety of bad actors, including potential state-sponsored intrusion.
This is no small task, but technology is keeping pace. ThreatMetrix has released a number of interesting features over the past few months that apply to just this challenge:
• PersonaIDs provide insight into the interconnections between devices, identities and entities.
• TrustTags either positively or negatively mark different entities in the network.
For example, an infrastructure provider could use TrustTags to identify legitimate, authenticated users connecting over the Internet using their secure devices. But if they spotted the same user ID from a different device, they would automatically ask for further, out-of-band authentication before allowing access.
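One way to express the policy from steps 2 and 3 and the TrustTags example above, written here as added illustration code rather than ThreatMetrix's product logic: positive tags for devices a user has authenticated from before, negative tags for devices known to be compromised, and a decision of allow, step-up (out-of-band authentication) or deny for each login. All user names, device identifiers and login events are constructed for the example.

```python
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"


@dataclass
class TrustStore:
    # Positive tags: user ID -> devices that completed authentication before.
    trusted_devices: dict = field(default_factory=dict)
    # Negative tags: devices known to be compromised (constructed list).
    bad_devices: set = field(default_factory=set)

    def tag_trusted(self, user, device):
        self.trusted_devices.setdefault(user, set()).add(device)

    def is_trusted(self, user, device):
        return device in self.trusted_devices.get(user, set())


def evaluate_login(store, event):
    """Return (decision, reasons) for one login or transaction event.

    A negatively tagged device is denied outright; a disguised location
    or an unrecognised device for a familiar user ID triggers step-up
    authentication; an event with no anomalies is allowed.
    """
    reasons = []
    user, device = event["user"], event["device"]
    if device in store.bad_devices:
        return DENY, ["device carries a negative trust tag"]
    if event.get("proxy_or_vpn"):
        reasons.append("connection from a disguised location")
    if not store.is_trusted(user, device):
        reasons.append("familiar user ID on an unrecognised device")
    return (STEP_UP if reasons else ALLOW), reasons


def complete_step_up(store, user, device):
    """After out-of-band authentication succeeds, positively tag the device."""
    store.tag_trusted(user, device)


def run_demo():
    store = TrustStore(bad_devices={"dev-compromised-9"})
    store.tag_trusted("operator42", "dev-laptop-1")
    events = [  # constructed sample logins
        {"user": "operator42", "device": "dev-laptop-1", "proxy_or_vpn": False},
        {"user": "operator42", "device": "dev-tablet-2", "proxy_or_vpn": False},
        {"user": "operator42", "device": "dev-compromised-9", "proxy_or_vpn": False},
        {"user": "operator42", "device": "dev-laptop-1", "proxy_or_vpn": True},
    ]
    return [evaluate_login(store, e)[0] for e in events]
```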
These three steps won’t eliminate all risk to public infrastructure, but they would certainly give us some breathing room to implement a broader framework for protecting the public interest and safety.
ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.