Dark Reading is part of the Informa Tech Division of Informa PLC

1/31/2020
10:00 AM
Benny Czarny
Commentary

Embracing a Prevention Mindset to Protect Critical Infrastructure

A zero-trust, prevention-first approach is necessary to keep us safe, now and going forward.

In the TV series Mr. Robot, Elliot Alderson, a gifted cybersecurity engineer by day, moonlights as a vigilante hacktivist for the "fsociety" group, which conspires to topple corporate America by canceling the debt records of every citizen.

In this doomsday scenario, cyber anarchists aim to disrupt the financial infrastructure that supports the global economy as a means to bring about their ideological political goals. Beyond this dramatic metaphor lies a sobering truth: Our world is interconnected to such a degree that the notion of critical infrastructure has evolved beyond what we have traditionally classified as such.

While power plants, chemical factories, and government agencies rightfully deserve the "critical" designation, there are scores of other industries without which these critical infrastructure organizations would cease to function properly if those industries were knocked out of commission by a well-orchestrated targeted attack.

To reduce risk and thrive in this age of unpredictable and targeted attacks, critical infrastructure organizations must take a more expansive view of the critical infrastructure ecosystem, commit to making cybersecurity training a priority for employees at every level of the organization, and embrace a holistic zero-trust approach that prioritizes prevention strategies over reactive detection methods.

Mitigating Cyber-Risk with Training and Awareness

In February 2019, employees of the Fort Collins Loveland Water District and South Fort Collins Sanitation District in Colorado were hit by a ransomware attack that locked them out of their computers — for the second time in two years. In September 2019, Kudankulam Nuclear Power Plant, the largest nuclear plant in India, was breached in a malware attack, and in November 2019, criminals shut down computers at Mexican oil giant Pemex in exchange for a $5 million ransom. The US experienced the first attack on a power grid in March 2019 when North American Electric Reliability Corp. (NERC) was disrupted in a "cyber event" that lasted nearly 12 hours.

As public and private enterprises look to new cybersecurity solutions to mitigate the risks, global cybersecurity spending is expected to grow to $133.8 billion by 2022, according to International Data Corporation. The White House's 2020 budget alone includes more than $17.4 billion for cybersecurity-related activities, a 5% increase over 2019. However, we'll need to do more than throw money at the issue.

The problem lies in the fact that critical infrastructure sectors have become increasingly attractive targets — both for nation-states engaged in geopolitical campaigns and for profit-motivated criminal syndicates. That's largely due to the fact that much of our nation's critical infrastructure is built upon a tangle of legacy industrial control systems that were intentionally designed as closed, air-gapped systems.

But perhaps the greatest vulnerability is the human element. While many of these companies address supply chain risks by certifying the cybersecurity practices of their partners, basic security awareness and training often lag behind those of other industries. Threat actors, regardless of their motivation, are like water flowing in a riverbed: They will always choose the path of least resistance.

A Shift in Mindset: From Detection to Prevention

As we enter the next decade, executive leadership for critical infrastructure organizations must take a hard look at their existing IT systems, their security practices, and, most importantly, their attitudes toward how they approach cybersecurity.

And because threats can now come from anywhere, any piece of connected technology must be treated as potentially malicious. This is the essence of a zero-trust, prevention-first mentality, one in which trust is never implied and the legitimacy of every file, every device, and every network connection is always questioned.

All employees — whether executives, engineers, or accountants — must develop a deeper appreciation that any interaction with technology can open a door to a potential cyberattack. It's imperative that critical infrastructure organizations prioritize cybersecurity training for all employees, emphasizing that every person who interacts with technology also plays an important role in protecting mission-critical infrastructure.

To prepare for the increasing sophistication and frequency of cyberattacks on critical infrastructure sectors, the burden will rest on the shoulders of executive leadership, who must take the lead in showing that all employees, regardless of their role or responsibility, are aware that any interaction with technology has the potential to unleash the next Stuxnet, or worse.

As we move into this new decade, there are more unknowns than knowns. While critical infrastructure security leaders can't predict and prepare for every attack scenario, they must at least acknowledge that the threat landscape has shifted and that a prevention-first, zero-trust approach is necessary to keep us all safe, this year and beyond.

Benny Czarny is the Founder and CEO of OPSWAT, a leading cybersecurity firm with over 1,000 customers, 200 employees, and 8 offices worldwide. Founded with a personal investment in 2002 to offer a unique, market-driven approach to security application design and development, ...