In this interview with Help Net Security, James Carder, CSO & VP of Labs at LogRhythm, talks about the IoT security of critical infrastructure, the vulnerabilities that plague this type of technology, and how to tackle the growing number of cybersecurity threats.
In recent times, we are seeing many damaging attacks on critical infrastructure. What is the main cause that makes them susceptible to these attacks?
In recent years, attacks on critical infrastructure have grown from moderate risk to major topicality, and attacker capabilities have continued to expand as well.
Criminal organizations and threatening nation-state actors continued to escalate attacks on critical infrastructure entities, with major attacks on the Colonial Pipeline, SolarWinds, and California and Florida water supply systems for to name a few.
The critical infrastructure sector is essential for the functioning of modern society and economies. Whether producing electricity, oil and gas, telecommunications or water, the services provided by these organizations are essential to the daily life and proper functioning of businesses.
Because of the vital role these organizations play, they are attractive targets for threat actors who wish to cause serious disruption through cyber attacks. The motivation for doing so varies from politically motivated hacktivists, to hostile nation states wanting to do economic damage, or criminals seeking to extort money.
Traditionally, critical infrastructures have lagged behind in their investments in cybersecurity or cybersecurity is not seen as a core business priority. When you combine an easy target with high impact for the business and its customers, and the means to pay, you have the perfect target for a cyber attack.
Is the IoT technology that powers critical infrastructure really that vulnerable and what can be done to mitigate the risks?
The number of connected devices has grown exponentially in recent years, and we are seeing this technology being implemented more and more frequently in critical infrastructures. The IoT has many uses and can be applied in industries such as power grids, communications networks, and financial services. The increased adoption of operational technology (OT) and information technology in general has widened the attack surface and made critical infrastructure networks more exposed.
Ultimately, IoT devices weren’t designed with security in mind. The large amount of IoT devices tend to be poorly secured, often running with outdated software or using default security configurations, making them a vulnerable target for threat actors. The point is that until the last 5 or 10 years, security was not even considered part of the development of OT. It’s not like a hospital buys a new MRI machine every year, so this 10-year-old hospital MRI machine is still very vulnerable as it was built at a time when security wasn’t safe. was not important or considered.
It’s no surprise that the vulnerability of the IoT and the critical infrastructure landscape as a whole to cyber attacks is becoming a growing concern in the security landscape and that recent attacks on the industry have demonstrated the need to scale up attacks. security efforts.
Even as IoT is becoming a growing target, many recent attacks focus on OT infrastructure. For this reason, the critical infrastructure industry must prioritize security to secure its operations. To mitigate this increasingly complex threat landscape, the critical infrastructure industry must rapidly modernize and take advantage of the security tools, technologies and methodologies available today to ensure that they operate securely and are not considered easy fruit by the attacker.
Surveillance, detection and response are only part of it. I’m thinking of critical capabilities such as multi-factor authentication, endpoint detection and response, heuristics-based AV (modern AV), basic backups, behavioral analytics, and patching for systems. operations and applications powering IoT and OT, followed by monitoring, detection and response. I would even go with the implementation of zero trust as a necessity, as stated in the recent executive orders in the United States.
What are the main techniques used by cybercriminals to compromise IoT technology?
We are seeing a sharp increase in cyber attacks on the IoT and OT environment. For example, the attacks we have witnessed against the South African Department of Justice, Microsoft Power Apps and JBS. Many attacks this year have occurred due to common vulnerabilities such as weak passwords and insecure web interfaces or exposed APIs, insecure network services, and backdoor access often used for maintenance and management. .
The combination of these factors creates the perfect storm for increasingly serious cyber threats. The IoT and the OT landscape as a whole are vulnerable to attacks from ransomware, botnets, Denial of Service (DoS) attacks and the general control of these systems by nation-state threat actors and others. criminal groups. These threats have the potential to shut down infrastructure, cause disaster, or a myriad of consequences once IoT in critical infrastructure has been compromised, at scale.
What does it mean for organizations to go back to basics to strengthen their security posture? Does this also apply to critical infrastructure?
Faced with the growing number of cyber attacks, we have to get back to basics. Organizations should start by analyzing the current state of their critical systems, applications and data by going through a threat modeling exercise to understand what their attack surface is, who is interested, and the attacks they are making. Having a system and application inventory is important because you can’t protect what you don’t know.
This is a practice that can be widely applied to the critical infrastructure industry. Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by discarding data to compensate for network security gaps and physically isolate platforms from insecure networks.
As a result, critical infrastructure operations are ripe with opportunities for bad actors to target and dismantle their systems. Many hacks happen because even the most basic security practice of changing credentials and disabling access after an employee leaves is not followed.
To avoid being seen as a handy fruit by threat actors, organizations must analyze the current threat landscape and adopt a security-focused approach in which the organization places security at the heart of its strategy. and its operations to protect their networks and ensure future resilience. and operational performance. This involves EDR, next-gen AV (heuristics-based), multi-factor authentication, and tools like SIEM and UEBA with integrations to things like threat intelligence.
These are all the basics of a security operation. I would even go so far as to say that zero trust needs to be implemented and that also adds privileged access management, orchestration, automation and response. Understanding user-to-system, application-to-system, system, and application-to-application workloads should all be included in an organization’s threat model.
What will the future of critical infrastructure IoT look like? Do you foresee many changes impacting this technology?
The critical infrastructure industry has seen a massive leap towards digitalization and I predict this will be a trend that will continue to gain momentum. The IoT infrastructure of smart cities is growing rapidly, with innovation in city planning and energy consumption being optimized to reduce inefficiencies.
The potential is not only to enable billions of devices to be interconnected at the same time, but also to harness the enormous amount of actionable data that can transform infrastructure processes to enable an automated future.
As we wait for this industry to mature and prepare for a large IoT environment, we need to ensure that reliable security solutions are in place to prevent potentially devastating cyber threats. With the right security foundation in place, critical infrastructure organizations can protect themselves against the inevitable risk of attack while continuing to scale their operations.