Defeating Cyber Attacks Against Critical Infrastructure
The World Energy Issues Monitor report states that the risk from cyber threats has increased, specifically in North America and Europe. Whereas cyber criminals once focused solely on financial gain via stolen data, a new crop of attackers now turns its attention to disrupting critical services. The digital world is now invading the physical world in unprecedented and dangerous ways.
Attackers backed by rogue nations are now able to sabotage critical national infrastructure such as the power grid. And though nation-state threats, while very real, may seem a rare and remote Hollywood possibility, any increase in the possibility of such attacks will lead to an escalation in disruption as opportunistic attackers jump on the bandwagon and exploit vulnerabilities for their own ends.
This was the case in Ukraine last year. Its power grid was compromised in December, causing power outages that impacted over 200,000 people. The power companies, caught in the middle of the hack, described it as a sophisticated attack comprised of a vicious cocktail of phishing and a form of malware named “BlackEnergy.”
Controlling Network Access
Malicious actors have a variety of tools at their disposal to breach a network. The perpetrators of the Ukrainian attack got into the network initially via email, but it’s only a matter of time before hackers find their way in via any of the many possible devices connected to the target network. Critical infrastructure today relies on data transfers between devices like water sensors and water valves, for instance. These networks now depend on machine-to-machine and person-to-machine communication between hardware devices and IT and software devices.
Such an environment presents substantial cybersecurity risks. Attackers have already demonstrated that they can take over any device with an IP address—including webcams, printers and baby monitors—and a guessable password and use it for their own purposes.
Organizations must accommodate an influx of third-party vendors who need access to the network, in addition to the exponentially growing number of IoT devices. The catastrophic 2013 Target breach was made possible by hackers gaining access to the company’s HVAC vendor’s credentials. There are as many IoT threats as there are network endpoints, and organizations have taken notice. MarketResearchReports.biz predicts that the IoT security market will grow at a CAGR of 55 percent between 2016 and 2020. They project that the utilities sector will drive the demand due to extensive implementation of smart meters and IoT for utility management systems such as gas, energy, water and oil.
PKI: The Hidden Gem
In this hyper-connected world, attacking an online entity has essentially become the same process for attacking a physical one. It is crucial to recognize that civil infrastructure providers and heavy industry are not building their own networking, data handling and security technologies. Rather, they must reuse what the IT industry has already provided, both on-premises and increasingly in the Cloud. This means that without expert adaptation, they will experience the same kinds of problems that have been going on for years in IT – except that because critical infrastructure is involved, the repercussions are potentially devastating if things go wrong.
All these connected “things” need to be corralled into a system that establishes appropriate levels of trust among them all. But just as organizations can inherit security risks from using what they already have, they can also benefit from existing infrastructure. Public key infrastructure (PKI) has been playing a quiet security role for decades, issuing credentials used to perform strong authentication, validating integrity of transactions and securely exchanging keys used to ensure confidentiality of communications between systems and devices. It’s only natural, then, that the security challenges presented by the IoT are causing a resurgence of interest in PKI.
Global payments network, SSL/TLS fabric and other large-scale systems have proven the efficacy of crypto and PKI technologies. That’s important, because the data that systems receive must be reliable; it will be used to make decisions like which control valve to turn on or off, or when to shut off someone’s electricity. These devices must provide trustworthy information to the infrastructure provider (such as an energy utility), often employing data analytics that span millions of such devices. Users, service providers or even regulators need to authenticate that they are talking to the correct device, that the device is functioning properly and has not been tampered with, is configured correctly and that data is protected when at rest, in use or in motion.
HSMs: The Missing Component
So, cryptography is effective – but only to a point. The linchpin for its success is the integrity of its key management systems and practices. Organizations can’t afford to assume that the cryptographic infrastructure that underpins the integrity of PKI’s identity assertions is solid. The idea that a utility’s keys and PKI could be compromised, resulting in a downed power grid or endangered water supply, is no longer the stuff of fiction.
Hardware security modules (HSMs), the means by which trustworthy digital identities are secured, have become more mainstream and relevant in the light of this very possible scenario. HSMs provide a hardened, secure root of trust to enable a higher degree of security when deploying cryptographic technology. Software-based crypto can’t touch this level of security.
For organizations dealing with a high volume of keys, HSMs are an essential component of the modern, hardened crypto system and are no longer optional. These hardened devices increase the probability of deploying cryptography in a secure and unbreakable fashion.
Keeping Infrastructure Secure
No longer just the plot of a spy thriller, cyber attacks that can take down power grids or other critical infrastructure are possible today. The IoT introduces billions of new end points that raise security concerns, but it finds a natural security partner in an expanded use of PKI, which has a proven track record of helping to bring resolution to high-assurance challenges. As IoT proliferates, PKIs and their associated digital certificates stand ready to secure the growth of Internet-connected devices.
At the same time, encryption must be secured. This is where HSMs provide the hardened trust that provides the integrity of digital identities and strong key management. Using technologies that are already at the disposal of organizations worldwide, our nation stands a strong chance of defeating cyber criminals by protecting our critical infrastructure.
About the author:
Peter Galvinis a product and marketing strategist for Thales e-Security with over two decades of experience in the high tech industry. He has worked for Oracle, Inktomi, Openwave, Proofpoint and SOASTA.
Edited by Alicia Young