The threats to critical infrastructure in the U.S. and elsewhere are so plentiful that even trying to enumerate them is futile (and not a bit depressing). But – if we were to rank them in order of importance – what would be at the top of that list?
Clearly, as this blog has noted, software security is a major concern. Recently, the Industrial Control System CERT (ICS-CERT) warned about a sophisticated malware campaign targeting users of HMI (human-machine interface) technology from leading vendors. In at least some cases, the systems targeted were exposed directly to the Internet, making compromise simple. In other cases, industrial control system software is deployed with default administrator credentials or easy-to-guess passwords.
In other words: while some attackers are persistent and clever, many critical infrastructure owners make their job pretty easy. So, perhaps, it's not software insecurity that belongs at the top of the list, but a lack of imagination.
That's the argument that Ralph Langner, one of the world's recognized leaders in critical infrastructure security, makes in a new blog post.
“As a country with some of the most automated (i.e., vulnerable) critical infrastructure in the world, we seem to collectively lack the imagination necessary to mount an effective defense,” Langner writes.
Malicious actors, Langner argues in his post, are imaginative in figuring out how to penetrate their targets. They approach the task in a systematic way: analyzing information systems, physical plant and human assets alike for likely vantage points from which to launch attacks.
In contrast, critical infrastructure owners and operators often display a shocking lack of imagination when they consider how their own infrastructure might be attacked.
“The public, and some political decision makers as well, would be shocked to learn about the blatant absence of appropriate system modeling for what is usually thought of as the country’s most critical systems,” he writes. “We can locate and book any ski resort in the Rockies within minutes from our smart phone, but we didn’t even think to enumerate our critical infrastructure and understand the digital ecosystems that control it.”
The message is that the connections between critical assets and the rest of your infrastructure can be subtle and easy to underestimate. Consider Target, which found its point-of-sale terminals compromised as a result of an account compromise at a third-party HVAC subcontractor.
More worrying: Langner notes proposed rule changes for operators of nuclear power plants that would seem to institutionalize unimaginative thinking by explicitly focusing risk-based assessments on assets that are, prima facie, related to critical systems (that is: those that control radiologic material).
“The potential for trouble is in asking for a categorical exclusion of systems based on what looks like a generic risk assessment that is then applied to every operating nuclear power plant,” he writes. “It amounts to promoting the limited use of imagination as an industry best practice. One thing you can bet on is that the offensive team (those with malicious intent) will not make the same mistake.”
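The two points above (the subtle, transitive connection behind the Target/HVAC compromise, and the danger of scoping an assessment to assets that are only prima facie related to the critical system) are easiest to see with a small asset-connectivity model of the kind Langner's "system modeling" refers to. The example below is added here and is not code from Langner or from this post; every asset name and link in it is constructed for illustration and describes no real plant, product or vendor. It enumerates the paths from an Internet-facing entry point to the asset everyone agrees is critical, then shows which assets on those paths a "directly related systems only" scope would never assess, and where a single control would break every modeled path.

```python
"""Added example: a toy asset-connectivity model for critical-infrastructure
threat modeling. All asset names and links are constructed for illustration;
none describes a real plant, product or vendor."""
from collections import deque

# Directed edge A -> B: a foothold on A plausibly yields a foothold on B
# (shared credentials, routable network path, remote-maintenance session,
# file transfer). The graph is deliberately small and entirely made up.
LINKS = {
    "internet":             ["vendor_portal", "corporate_email"],
    "vendor_portal":        ["hvac_vendor_account"],   # third-party maintenance login
    "hvac_vendor_account":  ["building_mgmt_vlan"],
    "corporate_email":      ["engineer_workstation"],
    "engineer_workstation": ["historian"],
    "building_mgmt_vlan":   ["historian"],             # BMS and historian share a flat segment
    "historian":            ["plant_dmz_jumphost"],
    "plant_dmz_jumphost":   ["hmi"],
    "hmi":                  ["plc_reactor_cooling"],   # the asset everyone agrees is critical
    "plc_reactor_cooling":  [],
}


def exposure_paths(graph, entry, critical):
    """All simple paths from `entry` to `critical` (depth-first search)."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == critical:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only: no revisits
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def prima_facie_scope(graph, critical, hops):
    """Assets within `hops` upstream links of `critical`: what an assessment
    that only looks at systems 'directly related' to the critical system
    would actually cover."""
    upstream = {}
    for src, dsts in graph.items():
        for dst in dsts:
            upstream.setdefault(dst, []).append(src)
    seen, queue = {critical}, deque([(critical, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == hops:
            continue
        for prev in upstream.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append((prev, depth + 1))
    return seen


def unassessed_on_paths(paths, scope):
    """Assets that sit on a path to the critical asset but fall outside `scope`."""
    return sorted({asset for path in paths for asset in path} - scope)


def chokepoints(paths):
    """Assets every path passes through (endpoints excluded): the places
    where one control breaks all modeled paths."""
    if not paths:
        return []
    common = set.intersection(*(set(path[1:-1]) for path in paths))
    return sorted(common)


if __name__ == "__main__":
    paths = exposure_paths(LINKS, "internet", "plc_reactor_cooling")
    scope = prima_facie_scope(LINKS, "plc_reactor_cooling", hops=2)
    print(f"{len(paths)} path(s) from the internet to the critical PLC:")
    for path in paths:
        print("  " + " -> ".join(path))
    print("assessed under a 2-hop 'directly related' scope:", sorted(scope))
    print("on an attack path but never assessed:", unassessed_on_paths(paths, scope))
    print("chokepoints shared by every path:", chokepoints(paths))
```

With this made-up graph, a two-hop scope around the PLC covers only the HMI and the jump host, while the HVAC vendor account, the building-management segment and the historian, all of which lie on a path to the PLC, are never assessed. The model also shows that the historian, jump host and HMI are shared by every path, which is where segmentation or monitoring would pay off most; the point of the exercise is that none of this is visible without first enumerating the assets and the links between them.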
Read more via Langner – The last line of cyber defense.