It was like an information highway railroad, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read every day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.
The company I’m referring to is UUNET Technologies. Now a part of Verizon Enterprise, it followed an acquisition path that included telecom giants like World- Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec professionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I remember them.”
During its formative years, UUNET was one of the most critical parts of the Internet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre- 9/11, a colleague and I would train agents with the National Infrastructure Protection Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.
In relatively short order, Internet access has become the red thread of daily business operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on efficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.
One of the prime issues any organization will face with regard to security is uptime. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, securing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regulating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middleware. In other cases it is an air gap.
From an attacker’s standpoint, there is little advantage to attempting to infiltrate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.
Phishing is a problem for everyone from consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals intellectual property, or downloads a database full of credit card numbers. Many in the security industry believe that the longer- term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.
The early stages of a critical infrastructure attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.
As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an organization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportunities for success.
In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple methods combined together to improve chances of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempting to get information (about equipment, people or places) over the phone. Employees might be approached via social media and asked to participate in an industry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.
In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted attack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a controller, or even changes to the network to gain access to a specific device.
In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likelihood that they will be detected and evicted. Because they know they may have to reestablish access at some point, they identify multiple inroads before they begin.
So, how is any of this more threatening for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a malicious event within a critical infrastructure organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.
With all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a program that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be considered part of the job, not superfluous to the job.
A good example of how to do this can be seen with one of our energy customers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping people from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).
The fact is much of improving security is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level executives are not only vocal advocates of the security awareness and training program, they are participants. The training manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the organization. A 67 percent reduction in vulnerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.
Bottom line: If you are in critical infrastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-prevention measures. By elevating cyber security education, you will elevate awareness, change behaviors and reduce risk.
Trevor Hawthorn is the CTO of Wombat Security Technologies, a SaaS based security awareness and training company.