IoT Security for Critical Infrastructure: Back to Basics
In this interview with Help Net Security, James Carder, CSO & VP of Labs at LogRhythm, talks about the IoT security of critical infrastructures, the vulnerabilities that plague this type of technology, and how to address the growing number of cybersecurity threats.
We have seen numerous and damaging attacks on critical infrastructure recently. What is the main cause that makes them vulnerable to these attacks?
In recent years, attacks on critical infrastructure have moved from moderate risk to major headlines, and attackers’ skills have evolved too.
Criminal organizations and nation-state threat actors have continued to attack critical infrastructure, including major attacks on the Colonial Pipeline, SolarWinds, and the California and Florida water systems, to name a few.
The critical infrastructure sector is vital to the successful functioning of modern society and economy. Whether it’s power generation, oil and gas, telecommunications or water, the services these organizations provide are essential to the daily life and effective operation of businesses.
Because of the important role these organizations play, they are attractive targets for threat actors looking to cause serious disruption through cyberattacks. The motivation for this ranges from hacktivists with political motives, hostile nation states who want to cause economic damage, or criminals who want to extort money.
Traditionally, critical infrastructure has lagged behind in its cybersecurity investments or cybersecurity is not seen as a core business priority. When you combine a simple target with high impact on the company and its customers, as well as the means of payment, you have the main target for a cyberattack.
Is the IoT technology that powers critical infrastructures really that fragile and what can be done to mitigate the risks?
The number of connected devices has grown exponentially in recent years and we are seeing this technology being used more and more frequently in critical infrastructures. IoT has many uses and can be applied in sectors such as power grids, communications networks, and financial services. The increasing introduction of operational technology (OT) and information technology in general has expanded the attack surface and exposed the critical infrastructure networks to a greater extent.
Ultimately, IoT devices were not designed with security in mind. A large number of IoT devices tend to be poorly secured, often operate with outdated software or use default security configurations, making them a vulnerable target for threat actors. The fact is, security wasn’t even considered part of the evolution of OT until the last 5 or 10 years. A hospital doesn’t buy a new MRI machine every year, so a 10-year-old MRI machine in the hospital is still very vulnerable because it was built at a time when security was not important or was not thought of at all.
Unsurprisingly, the overall vulnerability of the IoT and critical infrastructure landscape to cyberattacks is becoming a growing problem in the security landscape, and recent attacks on the sector have shown the need to step up security efforts.
Although the IoT is becoming more of a target, the focus of many new attacks is on the OT infrastructure. For this reason, the critical infrastructure industry must adopt a security-oriented attitude in order to secure its operations. To mitigate this increasingly complex threat landscape, the critical infrastructure industry needs to rapidly modernize and leverage the security tools, technologies and methodologies available today to ensure they operate securely and are not viewed as low-hanging fruit by attackers.
Monitoring, detection and response are only part of it. I am thinking of critical functions like multifactor authentication, endpoint detection and response, heuristic-based AV (modern AV), basic backups, behavior analysis and patching for the operating systems and applications that power the IoT and OT, and then monitoring, detection and response. I would even introduce Zero Trust as a necessity, as stated in recent executive orders in the US.
What are the main techniques cyber criminals use to compromise IoT technology?
We are seeing a sharp increase in cyber attacks on the IoT and OT environment, for example the attacks that we saw on the South African Ministry of Justice, Microsoft’s Power Apps and JBS. Many of the attacks this year resulted from common vulnerabilities such as weak passwords and insecure web interfaces or exposed APIs, insecure network services and backdoor access, which are often used for maintenance and management.
The combination of these factors creates the perfect storm for increasingly serious cyber threats. The IoT and the wider OT landscape are vulnerable to attacks from ransomware, botnets, denial-of-service (DoS) attacks, and the general control of these systems by nation-state threat actors and other criminal groups. These threats have the potential to paralyze infrastructure, cause disaster, or a variety of consequences once the IoT in critical infrastructures has been massively compromised.
What does it mean for companies to go back to basics to strengthen their security posture? Does that also apply to critical infrastructures?
To combat the growing number of cyberattacks, we need to go back to the basics. Organizations should first analyze the current state of their critical systems, applications, and data by performing threat modeling to understand what their attack surface is, who is interested, and what attacks they are carrying out. System and application inventory is important because you can’t protect what you don’t know.
This is a practice that can be widely applied to the critical infrastructure industry. Over the past 20 years, industrial control systems have largely neglected operational technology and the operational risk of air gapping data in order to compensate for deficiencies in network security and to physically isolate platforms from unsecured networks.
As a result, the operation of critical infrastructures offers many opportunities for malicious actors to target and shut down their systems. Many hacks occur because even the most basic security practices of changing credentials and disabling access after an employee leaves the company are not followed.
To avoid being viewed as low-hanging fruit by threat actors, organizations need to analyze the current threat landscape and adopt a security-first approach, where the organization sees security as the core of its strategy and operations to protect its networks and ensure future resilience and operational performance. This includes EDR, next-gen AV (heuristic-based), multi-factor authentication and tools like SIEM and UEBA with integrations with things like Threat Intel.
These are all the basics of a security operation. In fact, I’d go so far as to say that Zero Trust needs to be implemented and that also adds privileged access management, orchestration, automation, and response. Understanding user-to-system, application-to-system, system and application-to-application workloads should be built into an organization’s threat model.
What does the future of the IoT look like for critical infrastructures? Are you predicting many changes that will affect this technology?
The critical infrastructure industry has made a massive leap in digitization, and I assume that this trend will continue to gain momentum. Smart City IoT infrastructure is growing rapidly, with innovations in urban planning and energy consumption being optimized to reduce inefficiencies.
The potential lies not only in the simultaneous networking of billions of devices, but also in the use of the huge amount of usable data that can transform infrastructure processes to enable an automated future.
As we await this industry maturity and prepare for an expanded IoT environment, we need to ensure that reliable security solutions are in place to prevent potentially devastating cyber threats. With the right security foundation, companies of critical infrastructures can protect themselves from the inevitable risk of attack and at the same time further develop their operations.