From Data to Critical Infrastructure: Attackers Get Physical

The irresistible march of technological progress continues unfettered day after day, but there are consequences. Those who seek to further their own ends by exploiting weaknesses in these systems are constantly on the lookout for new ways to achieve their goals.

Thus, as we slide into the Internet of Things era, those black hats are looking to expand their repertoire from mere data theft to include attacks on critical infrastructure. It’s much easier to do today than it was even a few years ago. That’s bad news for all of us, because we’re no longer talking just about regulatory fines and reputational damage, but the possibility of actual physical harm.

As cyber-threats attain an increasingly dangerous physical dimension, a unified and layered endpoint security response becomes essential.

IoT under attack

A great deal of media coverage has focused of late on the forthcoming European General Data Protection Regulation (GDPR), but its requirements are partly a response to the growing problem of data breaches. Over one billion customer records were stolen by hackers in 2016, according to Forrester. These will certainly continue, as long as there’s a big enough cyber-black market for such information.

So will the more shadowy business of covert APTs designed to lift information useful to nation states and the like. In 2017 and beyond we’ll increasingly see a focus on IoT and the critical infrastructure it powers. Why? In part because many of the organizations which run such systems – most of them in the private sector – have historically relied upon “security-by-obscurity” for protection. That’s no longer keeping them safe and secure.

Unfortunately, many systems today are far from obscure. They can be easily researched online by hackers, their code can be reverse engineered and weaknesses found. Plus, they’re often connected to the public-facing internet, which means anyone with a browser can probe them for flaws.

There are millions of these exposed systems in the US, and you can bet there are millions more in the UK and Europe. Gartner estimates 8.4 billion connected things will be in use this year, and with 3.1 billion set to be used by businesses, the risks are growing faster than our ability to mitigate them.

Hacking goes industrial

The risks are no longer theoretical either. In many ways Stuxnet was the grand-daddy of critical infrastructure attacks. More recently, state-sponsored campaigns using sophisticated malware against Ukrainian power stations in December 2015 and 2016 have shown us the potential impact of cyber-attacks on the real world.

Leave thousands without power in the height of winter and there’s a real danger to physical wellbeing. This goes way beyond the risks associated with theft of sensitive data.

The means to launch simpler but highly effective attacks on CNI firms is being democratized on an industrial scale thanks to the dark web. Just take a look at the havoc ransomware has managed to wreak on hospitals at home and abroad.

The Hollywood Presbyterian Medical Center was the first major case of ransomware impacting patient care. But it has been followed up by attacks on NHS Trusts. North Lincolnshire and Goole Trust had to cancel nearly 3,000 appointments due to an outbreak late last year that took key systems offline for days. The NHS is particularly vulnerable due to its vast, creaking IT infrastructure and the criticality of services. Freedom of Information requests suggest a third of Trusts were infected last year, and we can expect more of the same in 2017 – across various industries which can’t afford downtime and so are deemed more likely to pay up.

As if that weren’t bad enough, we’re also beginning to see the emergence of attacks blending data theft and ransomware. This could spell the worst of both worlds for CNI organizations: damaging customer and IP data loss alongside crippling service outages.

Unifying endpoint security

As the bad guys look to maximize the ROI of attacks by blending techniques in this way, organizations must revisit their endpoint security strategies to lock down risk where possible. That starts with gaining visibility into your estate – especially important given the explosion of smart devices and systems in the enterprise.

Task the service desk with this job, as it sits in a perfect position in the organization to lead such efforts, tooled up with the right unified security and asset management capabilities. Then look to layer up security to provide the most comprehensive range of protections possible. Legacy tools like AV and firewalls are fine against commodity malware, but can’t cope with ransomware and more sophisticated attacks.

Comprehensive patch management tools will keep endpoints safe against known threats, and application control can mitigate the risk of zero-day threats by ensuring nothing unsanctioned runs on the network. Also consider controls for removable media, data encryption, and enterprise mobility management to enforce policies on every device.

Your security end goal hasn’t changed: to keep key data safe and systems secure. As hackers increasingly turn their attention towards disrupting critical services, the stakes have well and truly been raised.
