The US Department of Homeland Security (DHS) is the model that most often comes to mind when broaching the subject of national security. The DHS takes a critical role in the protection of the nation's infrastructure—electric, water, gas, transport, etc. The DHS, via US-CERT (Cyber Emergency Response Team), produces alerts, advisories, and reports that keep not only government clientele but also industry well informed.
Dark Reading recently reported on a Ponemon Institute survey which found that only 32 percent of global IT and IT security executives at organizations associated with critical infrastructure viewed improving their security as a priority. Yet 67 percent of the survey respondents acknowledged suffering at least one breach in the past 12 months. The two figures are incongruous, and it is worth asking if those who viewed security as a low priority were among those who didn't report having a breach. Perhaps their security infrastructure is such that they simply aren't aware.
The "Improving Defenses Against Targeted Attack" report issued in July by the United Kingdom's Centre for the Protection of National Infrastructure (CPNI) highlights the reality that critical infrastructure is, and always will be, in the crosshairs of attackers. There are two types of adversaries: those with national interests at stake (nation states) and those with a criminal interest. With a majority of entities acknowledging that they had suffered a compromise, sharing knowledge of these compromises as a community is of the utmost importance to lower the collective risk.
Targeting Critical Infrastructure
What are these attackers using to compromise critical infrastructure systems, which then puts our homeland at risk? Tools vary, and malware is commonly used. Approximately 1,000 companies in Europe and North America were hit with a remote access Trojan (RAT) called HAVEX this past July. According to F-Secure, HAVEX specifically targets industrial control systems (ICS) and supervisory control and data acquisition (SCADA) manufacturer websites. F-Secure found 88 variants of HAVEX and identified approximately 146 command-and-control servers.
In the case of HAVEX, the Trojan was distributed via spam, exploit kits, and malware installers on compromised sites. Organizations that had trained their employees to avoid opening suspicious messages, or had deployed sandbox environments for email attachments, would have been able to defend against this RAT. The sandbox would also have trapped exploit kits delivered via a watering hole attack.
It's bad enough to infect your own enterprise. It's even worse if you infect another. This is what happened to at least three European firms, two of which provided remote management software. If your business is based on delivering remote services and malware becomes part of the package, there certainly will be a business price to pay.
Security as a Priority
Tools to attack ICS/SCADA systems are increasingly becoming commoditized. There is no defensive wiggle room for the ICS/SCADA industry. Through education and by emphasizing the impact the attacks can have on business viability, the 32 percent who don't view security as a priority need to change their minds. Homeland security is at stake.