After many years of working with clients trying to protect industrial systems – from oil refineries to railway systems – one thing is clear: critical infrastructure needs special attention.
Like all companies, industrial facilities depend on computers and software, but the range of technological solutions used is very different from a typical office. You can find ten-year-old machines still working as though they are as good as new, and operators that are not worried about the cost of replacement. In fact, it’s not uncommon to find ten-year old machines, some of which are running outdated operating systems such as Windows XP.
It’s not a question of laziness, neglect or even a question of the cost of replacing the legacy systems. The real issue is that industrial operators face million-dollar losses from downtime on one side and compliance failure fines ranging from $1K to $1M per day on the other.
The pressure to replace or update the IT infrastructure is not the same as in a normal business either. This is because in an industrial setting, many of the tasks that computers are asked to perform are quite basic and require very little processing power. They don’t need the latest and greatest kit.
In industrial settings, there are far more service level agreements in place than in a regular business, because for industrial players, reliability and continuity are mission critical.So, do companies with traditional infrastructure have something to learn from critical operations? The answer is both ‘yes’ and ‘no’.
When developing specialised security software for industrial facilities, there are some unique requirements that must be met. These include:
Observability mode
Security solutions are deployed extremely carefully in critical industrial environments. Solutions should be able to monitor activity and detect threats, but leave the decision to block an attack to the operator. Industrial systems rely upon customised software, so even the potential conflict between a security solution and, for instance, operations of a railway system, cannot be allowed. For a typical IT infrastructure, this provides us with a good example of the careful deployment of a new feature – such as application control. Run it in the background, collect all of the stats, analyse and refine, and only then – roll out full functionality.
Security assessment
Critical infrastructure always works together with traditional IT, and the fact that different teams are usually responsible for security of those two entities is challenging. An independent look by security experts proficient in both industrial systems and general IT helps to identify potential weaknesses usually found at the meeting point between two systems. This is also true for any traditional IT infrastructure. In fact, the variety of endpoints, mobile devices, on-site servers and cloud services is no less complicated than a power plant.
Exploit prevention
Technologies designed to identify attacks using previously unknown vulnerabilities is one level above traditional anti-malware systems. As we learned from Stuxnet, critical infrastructure may be targeted with the most advanced cyber weapons. Unlike traditional malware, targeted and advanced attacks require special tools. As we know, targeted attacks put businesses in danger even more than industrial facilities.
These are the positive examples of critical infrastructure specifics that may be adopted by traditional businesses right away. But there are a couple of things that would be better if they stay within the manufacturing and energy sectors, including:
- Older hardware
It costs millions, it is reliable, and you can find fully operational machines still working under Windows 98. While there are reasons to use this hardware in critical infrastructure, this is not an excuse to use outdated software and hardware in the office. When IT reaches its end of life, it’s worth replacing for the sake of security.
- Isolated operations
Letting a SCADA system directly connect to the Internet is the worst thing that can happen with an industrial system. For security it presents problems, especially in terms of the delivery of security updates. They can be solved, but isolating traditional infrastructure without changing the security approach leads to a lot of trouble.
The best takeaway from mission-critical experience is the need to have the right attitude. When you know that the wrong software update can cause an hour’s outage and losses of thousands of dollars per minute, you have to alter your approach. Traditional IT is usually more relaxed, although it is possible to lose an estimated £10.5 billion per year due to downtime from a security incident. Given this, adopting a ‘critical’ attitude when thinking about IT security seems to be a wise choice.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.