Like many industries, critical infrastructure systems—power plants, transportation networks, hospitals, and all the systems essential to keep communities and countries running—are increasingly digitally controlled and connected. This shift brings enormous operating and business efficiencies.
It also brings enormous cyber risk.
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that, in 2015, cybersecurity incidents involving critical infrastructure increased by 20%. And 2016 is proving to be far worse. Take the spate of ransomware attacks on health service organizations that disrupted operations for days in some cases. Or the attack on the Lansing Board of Water & Light in Michigan that has cost the utility an estimated $2 million so far.
Even our most potentially dangerous systems are susceptible. In April of this year, inspectors discovered malware on several PCs at a German nuclear plant. Fortunately, no critical system in the nuclear reactor was affected. At a recent industry conference, a European aerospace group reported about a hijacked communications satellite. And just a few weeks ago, the head of the International Atomic Energy Agency (IAEA) cryptically revealed that an attack serious enough to disrupt operations had occurred on an unnamed nuclear plant at some point in the past three years.
Other than the recently disclosed nuclear-plant breach, for which we have no details, all of the above cases have one thing in common—the attack began at the endpoints. Because of their criticality, need for continuous operation, and high-performance requirements, these endpoints may have very little security, or they may have one or even several anti-malware systems installed. In the case of the Lansing Board of Water & Light, the utility believed its systems were fully protected by up-to-date antivirus software. So if these endpoints are not well protected, or are protected only by systems that are easily bypassed, how can we guard these essential systems and services?
To begin with, we must keep patching. According to NSA Deputy Director Richard Ledgett, in most of the high-profile breach cases that the NSA investigates, an attacker used a known but unpatched vulnerability to compromise the organization.
Of course, constant patching is not feasible, nor does it protect against zero-days or advanced evasive-malware techniques. Some newer technologies hold promise: antivirus add-ons that provide memory protection and exploit prevention. Moving Target Defense (MTD), for example, makes vulnerabilities in applications and web browsers inaccessible to attackers by constantly morphing the targets ahead of attacks.
Like their business counterparts, critical industries are best served by an endpoint security stack that balances traditional and innovative approaches to keep services running safely without losing the efficiencies they have gained.
Omri Dotan is chief business officer for Morphisec.