Critical Infrastructure Security and Resilience Month 2019
Coming hot off the heels of National Cyber Security Awareness Month 2019 last month, we are now in November and the topic de jour (or sujet du mois) is Critical Infrastructure Security and Resilience Month 2019.
Back in the good old days, cyber security was more about the electronic world than the real world. What happened on the screen, stayed on the screen and had little impact on meat space. As I wrote in SCADA and the Demise of Security by Obscurity, Stuxnet is viewed by many to be the first cyber attack to really have a major impact on life off the screen – meat space. However, an alleged CIA trojan horse in 1982 is said to have impacted a Russian gas pipeline in a significant way, with an explosion estimated in the 3-kiloton range.
The popular TV show, Mr. Robot, one of the best examples of how Hollywood can sometimes get technology right, covered some of the threats of IoT when it showed what could do wrong when hackers take over a smart house. Of course, if things can go sideways at home, they can also go sideways in your car as we explore in A Used Jagauar Full of IoT Implications.
The consumer world and the industrial world of IoT share much. In both areas organizations largely unfamiliar with networking and security have been thrust into a world where they must now bolt on these sexy new features in order to survive. While having your smart house taken over is obviously a huge bummer (as illustrated by Mr. Robot) having your electrical grid taken over is several orders of magnitude worse than someone pwning your fridge. Greg Copeland explores some of these aspects of security in How Secure is the Industrial Internet of Things. Some of my thoughts on the topic can be found in SCADA and Secure Infrastructure.
Another thing to consider in industrial, medical and other environments is that the people who built controllers for some of this very expensive equipment were in the business of building MRI, X-ray or water treatment systems, not doing network or host security. Thus you may find systems intended to be used for decades controlled by systems on operating systems that were intended to be used for years – not decades. Some of the implications were explored here in The Soft Underbelly of Healthcare and Embedded Systems. For a deeper dive, the white paper “Are Wireless Medical Devices ‘Hospital Grade’” takes a look at a couple real world IoT releases gone wrong.
Part of locking something down involves a better understanding of how it works. Probably one of the reasons this classic blog post on SCADA protocol DNP3 has been as popular as it has been for so long. We also take a look at proven solutions in “Gathering Network Intelligence from the Digital Power Grid.”
If you are making ICS or IACS systems, you probably want to be able to test them in the fastest and easiest way possible. Avik Bhattacharya explores how drag and drop can help. For those wanting to validate audio/video bridging and TSN capabilities, we have a feature brief. And as we have seen so many times in other places, it is not enough to ensure your individual parts or components are standards compliant, you need to do end to end system level testing.
IoT and IIoT are both bringing new capabilities to consumers and infrastructure alike. While the benefits are easy to understand in terms of new capabilities and greater conveniences, some of the challenges and threats, while not as obvious, may be even more important. While a Galactica Approach could shield infrastructure from hacking (and EMP), it is unlikely that we will go down that path. With that in mind, please take steps to secure the hosts running your infrastructure and the networks that connect them.
Thanks for reading!