IOCTA 2015

Critical infrastructure continues to be at risk from constantly evolving threats in cyberspace, which need to be addressed in a holistic and effective manner in order to protect economies and societies [1, 2].

Supervisory Control and Data Acquisition (SCADA), Industrial Control Systems (ICS) and Automatic Identification Systems (AIS) are complex systems composed of various hardware and software components, often from different vendors. They were often designed with little consideration for network security. Mergers and acquisitions, poor asset management, the absence of patch management policies and a lack of knowledge transfer prior to staff turnover can all negatively impact the cybersecurity of critical infrastructures (CIs). Together with the persistence of legacy systems and the difficulties in maintaining a continuous cycle of updates, a steady increase in the number of opportunities to exploit vulnerabilities can be expected [3].

CI is becoming increasingly automated and interlinked, thereby introducing new vulnerabilities in terms of equipment failure, configuration error, weather and other natural causes, as well as physical and cyber-attacks. Network isolation is no longer sufficient to ensure the security of an industrial facility [4].

The threat theatre is increasingly characterised by organised groups, non-state actors and individuals resorting to asymmetric attacks enabled by the universal connectivity the Internet provides and the availability of the necessary tools and attack information. Loss of control over technology as a result of globalisation, the need for online accessibility, and foreign ownership of critical infrastructures are also increasing vulnerabilities.

The time period from when a vulnerable system is breached by a malicious outsider to the breach being discovered and the vulnerabilities identified and patched is currently on average about 200 days [5]. This may be due to a variety of reasons, including the fact that the scope and nature of attacks may not be clear from the beginning.

Future threats and developments

The management and operation of critical infrastructure systems will continue to depend on cyber information systems and electronic data. Reliance on the power grid and telecommunications will also continue to increase, as will the number of attack vectors and the attack surface, due to the complexity of these systems and the higher levels of connectivity brought by smart networks. The security of these systems and data is vital to public confidence and safety [6, 7, 8].

Even though acts of cyber sabotage have been infrequent so far [9], attacks on critical infrastructures are a threat that is here to stay. In the future we will observe an increase in attacks on data brokers, on physical infrastructures and on telecommunication networks, such as global denial of service attacks on all connected services [10]. New forms of CI, such as social media platforms, will become a prime target for cybercriminals [11].

Exploitation of existing vulnerabilities, zero days and targeted phishing attacks will increase and continue to pose threats against critical infrastructures, owing to the complex mix of legacy systems and new components combined with the need to minimise business disruption and cost, which often delays upgrades and updates. Lack of supplier support and end-of-life policies also have a significant impact on the security of CIs. Employees with privileged system access will remain key targets and subject to social engineering attacks [12, 13].

Strengthening cyber security and tackling cybercrime requires a combination of prevention, detection, incident mitigation and investigation. Addressing critical infrastructures' vulnerabilities necessitates a cooperative approach from the public and private sectors, and connecting the local and international dimensions. The challenge of protecting critical infrastructures requires managing competing demands between security and privacy [14, 15].

  1. NBC News, Critical Infrastructure Is Vulnerable to Cyberattacks, Says Eugene Kaspersky, http://www.nbcnews.com/tech/security/critical-infrastructure-vulnerable-cyberattacks-says-eugene-kaspersky-n379631, 2015
  2. Dell, 2015 Annual Threat Report, http://www.dell.com/learn/us/en/uscorp1/press-releases/2015-04-13-dell-annual-threat-report, 2015
  3. Kaspersky, Critical Infrastructure Protection, http://www.kaspersky.com/industrial-security-cip, 2015
  4. The Economist, Defending the Digital Frontier, http://www.economist.com/news/special-report/21606416-companies-markets-and-countries-are-increasingly-under-attack-cyber-criminals, 2014
  5. Informationweek, The Weaponization of Cyber Vulnerabilities, http://www.informationweek.com/whitepaper/cybersecurity/network-&-perimeter-security/week-to-weak:-the-weaponization-of-cyber-vulnerabilities/360793?gset=yes&, 2015
  6. CSO, Pressure Mounts in EU to Treat Facebook and Twitter as Critical Infrastructure, http://www.cso.com.au/article/578271/pressure-mounts-eu-treat-facebook-twitter-critical-infrastructure/, 2015
  7. Recorded Future, Real-Time Threat Intelligence for ICS/SCADA Cyber Security, http://go.recordedfuture.com/hubfs/data-sheets/ics-scada.pdf, 2014
  8. Techcrunch, The Dinosaurs of Cybersecurity Are Planes, Power Grids and Hospitals, http://techcrunch.com/2015/07/10/the-dinosaurs-of-cybersecurity-are-planes-power-grids-and-hospitals/, 2015
  9. Infosecurity Magazine, Destructive Cyber-Attacks Blitz Critical Infrastructure – Report, http://www.infosecurity-magazine.com/news/destructive-cyber-attacks-critical/, 2015
  10. Trend Micro, Report on Cybersecurity and Critical Infrastructure in the Americas, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/critical-infrastructures-west-hemisphere.pdf, 2015
Recommendations

  • Policy makers must ensure the swift implementation of the EU Directive on attacks against information systems. The Directive aims to strengthen national cybercrime laws, to introduce tougher, consistent and EU-wide penalties for illegal access and for system and data interference, and to criminalise the use of malware as a method of committing cybercrimes [16].
  • In the context of the draft Directive on Network and Information Security (NIS), there is a need to improve coordination, active partnership and relationships between the private sector, law enforcement and the CERT community [17].
  • Law enforcement and prosecution must be engaged early following cyber security incidents to allow investigation of the criminal aspects of such attacks [18, 19, 20, 21].
  • Organisations should consider adopting ENISA guidelines for incident handling in order to minimise operational downtime when investigating incidents.
  • Member States should identify which entities should be considered as critical infrastructure within their jurisdiction.
  • Law enforcement and agencies dealing with National Security Strategies should ensure there is a single point of contact available to deal with key national critical infrastructure entities.