The Guru sat down with Glasswall Solutions' VP of Alliances, Chris Dye, and asked him about a range of topics – from cyber attacks on CNI to current security trends, weaponised documents to the future of cyber security.
[Guru] Should we be fearful of a cyber attack targeting critical infrastructure?
In a word, yes. We have seen a number of high-profile attacks in recent months, including on Israel’s Electricity Authority, California’s Hollywood Presbyterian Medical Centre, the parliament of Western Australia and Ukraine’s power grid, which left hundreds of thousands of homes without power in the dead of winter. For national infrastructure organisations, these should all be cause for concern.
[Guru] What methods would likely be employed in an attack on critical infrastructure?
We are already seeing publicised, successful attacks such as the recent attack on the Ukrainian power grid, in which email attachments were used as a vector to initiate the actual attack process. What likely preceded this was many months of reconnaissance and intelligence gathering by the attackers, in order to ensure their methods would be successful. Information leakage and rogue insider threats are typically the top risk for critical national infrastructure operators. The combination of knowledge with the extortion of employees can be a powerful weapon.
[Guru] What are the standards governing the security of infrastructure? Are they enough or is there work to be done?
There are certain frameworks, such as ISA 99, but they are just that – best practice frameworks. Even more worrying are private organisations who insist on crafting their own version of “compliance.” Siemens, a majority market share owner in the industrial control system world, laid the gauntlet down a few years ago by stating they would be creating best practice frameworks and compliance. Any genuine global effort to introduce legislation could be severely impacted if private organisations are already heavily invested in programs to meet a private firm’s form of compliance. Where will the additional budget come from? Consumers, and we will not like that one bit.
Current standards are simply not enough. If we take the example of US nuclear power facilities, the Government Health and Safety Regulators, to whom organisations are legally obliged to grant access, have literally no power to impose fines for non-compliance. It is a very strange dichotomy that some of the most extreme hazards to global public safety are not governed by international or national regulation and legislation specific to cyber security, given its priority on the global stage. Operational Technology owners are merely governed by traditional physical health and safety guidelines and this is what drives and motivates them to comply. If the term “robust cyber security measures” doesn’t exist in the small print with an explicit list of guidelines and best practices, why put profits at risk and put the costly infrastructure in?
[Guru] Who should take responsibility for any failure in security around critical infrastructure and what should this party do to reduce risk?
Ultimately, responsibility should lie with the owner and operator of the infrastructure. There is a growing trend to outsource management of industrial systems in search of improved cost efficiency, but we have to ask what is the real cost? One of these cloud-based managed service organisations manages the production facilities of several oil companies, as they will gladly inform those attending the various summits and events they attend. This makes them a clear target for any attacker wishing to gain control, cause disruption and start claiming almost any fee they like in return for ceasing their malicious activity.
The points made above will be argued fiercely by any industrial control system owner and operational technology manager, but they will sound defensive and make the same claims of “impenetrability” that the banks made over a decade ago. We may see a trend of ransomware in the market, though the financial impact is fairly low, at least for the time being. Once this trend of attacks rises on critical national infrastructure, we will truly see industrial-sized ransoms and the costs of breach impact.
Current Trends
[Guru] Ransomware has suddenly become very prevalent. Why is this?
The success ratio is the primary driver; enterprises that have suffered a ransomware attack generally pay, and as a result the impact is kept in-house. Therefore, these attacks do not have the same public-facing impact that generic data breaches have.
[Guru] How is security evolving to deal with the latest threats?
It isn’t. The principal message is simply “you will be breached, it is a matter of mitigating the impact.” Companies have almost given up on protection and are currently invested in reaction.
[Guru] How are current technologies being bypassed?
Glasswall is finding that within the major file types, the majority of attacks are exploiting the structural vulnerabilities in files, as opposed to straightforward macro or JavaScript style attacks. These structural attacks are constructed in a way that makes them unknown to the traditional AV tools, hence the zero-day attack which, as stated before, the industry has almost given up on preventing.
[Guru] Are hackers winning the cyber arms race?
Hackers are not necessarily winning the race, but they are certainly causing the industry to sit up and consider alternative and innovative security solutions.
Weaponised documents
[Guru] What is “weaponisation,” how is it carried out?
Carefully crafted spear-phishing emails with weaponised Word and Excel documents use highly persuasive subject lines and email body text, tricking users into opening malicious attachments. These corrupted documents have dropped a wide variety of Trojans, crimeware and ransomware.
[Guru] How does one defend against weaponised documents?
By deploying a policy-based approach which removes the fear of opening files from the user. Glasswall’s solution achieves this by scanning email attachments for the “known good,” neutralising any lines of code that could potentially be hiding malicious exploits.
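The “known good” idea described in the answer above can be illustrated with a small allow-list inspector for the OOXML (.docx) container format. This is an added example for readers, not Glasswall's code or product logic: it assumes a deliberately tiny policy (`ALLOWED_PARTS`) of container parts a plain document needs, treats macro and embedded-object parts as active content, flags structural oddities in the ZIP layer (duplicate or unsafe entry names), and rebuilds the container keeping only policy-approved parts. The sample document it builds is constructed in code and is not a real Word file.

```python
"""Allow-list ("known good") inspection and rebuild of a .docx container.

Added illustration, not Glasswall's code. A .docx is a ZIP of XML "parts";
the policy here keeps only parts a plain document needs and drops the rest,
so an attachment no longer has to be trusted on a per-exploit basis.
"""
import io
import re
import zipfile

# Constructed policy: the only parts this example keeps. Real documents use
# many more (settings, media, numbering ...); a production policy would too.
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
}
# Parts carrying active content; never allowed under this policy.
ACTIVE_CONTENT = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|embeddings/.*)$")


def inspect_docx(data: bytes) -> dict:
    """Report container parts, policy violations and ZIP-level structural oddities."""
    report = {"parts": [], "dropped": [], "active_content": [], "structural": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        seen = set()
        for name in zf.namelist():
            report["parts"].append(name)
            if name in seen:  # two central-directory entries with one name
                report["structural"].append(f"duplicate entry: {name}")
            seen.add(name)
            if name.startswith("/") or ".." in name.split("/"):
                report["structural"].append(f"unsafe path: {name}")
            if ACTIVE_CONTENT.match(name):
                report["active_content"].append(name)
            if name not in ALLOWED_PARTS:
                report["dropped"].append(name)
    return report


def sanitize_docx(data: bytes) -> bytes:
    """Rebuild the container with allow-listed parts only, and remove the
    [Content_Types].xml declarations of every part that was dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name not in ALLOWED_PARTS:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                def keep(m):
                    part = m.group(1).lstrip("/")
                    return m.group(0) if part in ALLOWED_PARTS else ""
                text = re.sub(r'<Override PartName="([^"]+)"[^>]*/>', keep,
                              payload.decode("utf-8"))
                payload = text.encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue()


def declared_parts(data: bytes) -> list:
    """PartName values declared by <Override> elements in [Content_Types].xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        text = zf.read("[Content_Types].xml").decode("utf-8")
    return re.findall(r'<Override PartName="([^"]+)"', text)


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal container for demonstration (not a real Word file)."""
    ct = ('<?xml version="1.0"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.'
          'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        ct += ('<Override PartName="/word/vbaProject.bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>')
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p>hello</w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx(with_macro=True)
    print(inspect_docx(doc))
    print(inspect_docx(sanitize_docx(doc)))
```

The point of the allow-list is that the decision never depends on recognising a specific exploit: anything the policy does not name is removed, which is why it also covers structural tricks that signature-based tools have no entry for. Parsing the XML parts themselves against a schema, rather than only the container, is the natural next step and is not shown here.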
[Guru] Can a human line of defence be nurtured, i.e. employees are conditioned to spot e-mails and other file sources that appear untrustworthy, or is the solution in technology alone?
In my opinion, this can only be part of a solution; education is good but you cannot expect employees to make split decisions as to whether to open an email or click on a link, especially as the attacks are crafted to look like something related to their day-to-day role. Organisations need to take the fear of files off the table and bring control back to the enterprise, away from hackers.
The future
[Guru] Will we be suffering from the same sorts of threats this time next year?
Everything indicates that the situation will only grow in volume and sophistication over the next year. Unfortunately, with all new technology, hackers will continue to not only target, but look for new ways to exploit them, if preventive measures are not in place.
[Guru] If not, what will the new forms of attack look like? Will we be prepared in defending against them?
Innovation in terms of security will be key in staying ahead of the hackers. Unfortunately, the currently established security providers are basing much of their solutions around a 20-year-old approach of signature-based protection. New technologies that are not just chasing the bad, but validating the good, are more proactive in their defence.
[Guru] Which industries will be the prime targets for hackers?
It is across the board as data and information is a key commodity and nearly every company holds something of value. Law, the financial sector and banking head the list, but we have seen hospitals being attacked, so it’s clear that no company is immune. Critical national infrastructure will also come to the front in the coming years as hackers seek to exploit targets on a grander scale.