Who can afford an attack on their Critical Infrastructure?

The world does not suffer from a shortage of hostile individuals or nations, from politically motivated parties, groups and nations to ideologically motivated individuals and profit-motivated criminals. Information security attacks remain at the top of the list as a globally extensible tool of war.

With motivation, skills, low cost and low risk all present, the number of potential targets and their perceived protection might be expected to save the day. To add insult to injury, the number of potential targets is increasing (thanks to the Internet of Things) and so is the number of vulnerabilities, with identified Control Systems’ vulnerabilities having doubled annually since 2011. Economies and lives are at risk as a result, and just because we have not yet suffered enough real-life consequences, the risk cannot continue to be underestimated.

According to a number of recently published security reports, both by vendors and nations, the previous paragraph simply represents the status of Critical Infrastructure security. Attacks are no longer just the basis for a Hollywood thriller. If organisations have survived under the radar so far, attackers will soon realise their weaknesses and act upon them if the organisations don’t.

Sophisticated and successful attacks have been on the rise over the past few years. What was a staged experiment by the US Department of Homeland Security last decade (a generator spewing smoke as a result of a computer attack, disclosed in 2007) turned out to be a reality this decade (Stuxnet, Duqu 1/2, etc.). A plan of action seems to be overdue. Organisations within the energy, transportation and manufacturing sectors must realise that information security threats to their infrastructure Control Systems not only affect their revenue streams, but also a critical part of Kiwis’ lives.

Please provide us with your thoughts on the following questions as comments, and Axenic will publish a follow-up blog post discussing our readers’ feedback.

  • If Control Systems are as vulnerable as they are thought to be, why aren’t we seeing more attacks?
  • Do you think Control Systems are attacked daily, but the attacks are usually undetected? If so, why aren’t we seeing consequences of those attacks?
  • Could the current attacks on critical infrastructure be just the probe or experiment, and the real attacks are yet to come?
  • Are the majority of Control Systems connected to networks that are air-gapped from the internet?
  • Would air-gapping Control Systems provide sufficient protection against the perceived threats?
  • Do you think managers and technical staff have the specialized security skills and knowledge to securely operate and manage such critical systems?
  • Could it be possible that attackers have already infected Control Systems with dormant malware, but are waiting for the right moment to use it?
  • Do you think attackers, especially those that are nation-sponsored, target Control Systems’ supply chain and infect the systems before they are operating Critical Infrastructure?
  • Are Critical Infrastructure organisations sufficiently managing insider threats? How do you know they do that?
  • Are organisations operating Critical Infrastructure actively managing information security risks?
  • Are they ready to detect and respond to Control Systems information security incidents when (not if) they occur?
  • What are the most effective strategies to ensure computer-controlled Critical Infrastructure risks are properly managed?