Protecting Critical Infrastructure from Threats
Tony Berning, Senior Product Manager, OPSWAT
According to Aegis London, “in the first half of the 2013 fiscal year, the US Department of Homeland Security’s Industrial Control Systems–Computer Emergency Readiness Team responded to more than 200 incidents, 53% of which were in the energy and utility sector”. Efforts to improve security of critical infrastructure systems have accelerated since the 2013 issuance of US Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”.
As attacks become more sophisticated, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure. Because most critical infrastructure systems are isolated from external networks, portable media is a primary vector for cyber-attacks, so extra attention must be paid to securing devices that are brought in and out of secure facilities.
Securing portable media is imperative to the protection of critical infrastructure, but it is not easily achieved: most individual facilities require security policies tailored to their own operations.
When making decisions about security policies, the costs of implementing a stricter policy should be weighed against the potential results from the failure of a weaker policy. Increases in digital security rarely come without corresponding increases in operating costs, including physical infrastructure. Following deployment there will be ongoing costs, including managing the solution and keeping it up-to-date. Employees must also be trained on the new security policy and procedures.
That said, expenditures must be weighed against the costs of a potential security breach. Facilities may be forced to suspend operations, the monetary impact of which is difficult to calculate. There are also remediation costs and the cost of removing any malware, coupled with a significant loss of productivity.
Damage to an operator’s reputation and criminal liability are further costs that may result, and loss of classified or sensitive information is also a possibility, the financial impact of which is hard to quantify. Finally, as operators of critical infrastructure provide services to the public, disruptions will have significant negative impacts on many outside individuals too.
Defining a portable media strategy is key to a secure data workflow policy. When developing such a policy, organisations should define the acceptable types of portable media and how they may be used. In secure facilities, standard policy is to restrict the types of media to only those necessary. Administrators may also choose to limit and filter the file types that are allowed based on their actual content and properties, rather than on the file extension alone.
A secure data workflow policy within a critical infrastructure facility should apply the highest level of precaution achievable. The best security policies have multiple layers of protection, guarding against both known and unknown threats and minimising the risk that any one threat bypasses every layer. A secure data workflow should combine threat protection methods including:
User authentication and source verification: Prevent unauthorised users or sources from bringing in data
File type analysis and filtering: Prevent risky file types from entering the facility
Multiple anti-malware engine scanning: Detect threats known to any of many commercial anti-malware engines. No single engine has complete coverage, and newly emerged threats are often caught first by only a few engines, so scanning with several raises the chance that a fresh threat is caught.
Document sanitization: Further protect against unknown threats by using sanitization methods that strip active content (macros, scripts, embedded objects) from documents and images before they enter the facility.
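As an added example, not taken from the article or from any OPSWAT product, the following Python script applies three of the layers above to files arriving on removable media: it identifies each file by its content (magic bytes, and for ZIP containers the OOXML structure inside) rather than by its extension, enforces an allowlist and an extension-mismatch check, and then runs the bytes through a list of scanning engines, blocking the file if any one of them objects. The allowlist, the signatures, the two toy engines and the sample files are all constructed here for illustration; in a real deployment the engine callables would wrap commercial scanners and the EICAR test file would be used to verify the pipeline end to end.

```python
"""Intake check for files from portable media: content-based type detection,
extension mismatch, allowlist enforcement, and multi-engine scanning."""
import hashlib
import io
import os
import zipfile

# Hypothetical facility policy: only these content types may enter.
ALLOWED_TYPES = {"pdf", "png", "docx"}

# Magic-byte signatures; the decision is made on content, never on the extension.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
]

# Constructed marker standing in for a known-malware signature (not a real sample).
BAD_MARKER = b"CONSTRUCTED-MALICIOUS-PAYLOAD-MARKER"


def classify_zip(data):
    """Look inside a ZIP container: an OOXML document is a ZIP, and a macro-enabled
    one carries word/vbaProject.bin regardless of the extension it was given."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "docm" if "word/vbaProject.bin" in names else "docx"
    return "zip"


def detect_type(data):
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return classify_zip(data) if kind == "zip" else kind
    return "unknown"


# Toy engines: each returns a detection name or None. Real deployments would call
# several commercial engines here; the layering logic in evaluate() is the same.
def engine_signature(data):
    return "Constructed.TestSig" if BAD_MARKER in data else None


def engine_heuristic(data):
    # ZIP local headers store entry names in the clear, so a raw scan sees them.
    return "Heur.MacroDoc" if b"vbaProject.bin" in data else None


ENGINES = [engine_signature, engine_heuristic]


def evaluate(filename, data, allowed=ALLOWED_TYPES, engines=ENGINES):
    """Return a verdict dict; the file is blocked if any single layer objects."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = detect_type(data)
    reasons = []
    if detected not in allowed:
        reasons.append(f"content type '{detected}' is not on the allowlist")
    if detected != ext:
        reasons.append(f"extension '.{ext}' does not match content type '{detected}'")
    hits = {e.__name__: e(data) for e in engines if e(data)}
    if hits:
        reasons.append(f"flagged by {len(hits)} of {len(engines)} engines: {hits}")
    return {
        "file": filename,
        "sha256": hashlib.sha256(data).hexdigest(),  # for audit logs and hash lookups
        "detected": detected,
        "allowed": not reasons,
        "reasons": reasons,
    }


def build_docx(with_macro=False):
    """Construct a minimal OOXML-shaped ZIP in memory (sample input, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00vba")
    return buf.getvalue()


# Constructed sample files
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
SAMPLE_EXE_AS_PDF = b"MZ\x90\x00" + b"\x00" * 60        # executable renamed to .pdf
SAMPLE_BAD_PNG = b"\x89PNG\r\n\x1a\n" + BAD_MARKER       # valid header, known-bad payload

if __name__ == "__main__":
    for name, blob in [("report.pdf", SAMPLE_PDF),
                       ("invoice.pdf", SAMPLE_EXE_AS_PDF),
                       ("logo.png", SAMPLE_BAD_PNG),
                       ("notes.docx", build_docx()),
                       ("memo.docx", build_docx(with_macro=True))]:
        v = evaluate(name, blob)
        print(v["file"], "ALLOW" if v["allowed"] else "BLOCK", v["reasons"])
```

The macro-enabled document is the case worth noting: its extension says .docx, its outer magic bytes say ZIP, and only the look inside the container reveals vbaProject.bin, which is exactly the kind of active content the sanitization layer exists to strip.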
There is no single most efficient way to protect against these threats; many factors affect how a secure data workflow is defined and implemented. Each should be weighed when defining the policy, so that the organisation can operate in the most secure and productive way possible.
A critical infrastructure facility should err on the side of caution and develop secure data policies that are as restrictive as possible, while flexible enough to evolve with an organization’s shifting needs. The best policy will be one that takes a facility’s specific business and technology needs into account and is designed accordingly.