After many years of working with clients trying to protect their industrial systems – from oil refineries to railway systems – you learn one thing: critical infrastructure needs special attention. Like normal companies, industrial facilities depend on computers and software, but the range of solutions in use is very different from a typical office. You can find ten-year-old machines still working as though they are as good as new, and operators are not worried about the cost of replacement. Instead, they ask how much it costs to stop those machines for just an hour, because industrial operators face million-dollar losses from downtime on one side and compliance failure fines ranging from $1K to $1M per day on the other.
The importance of reliability and continuity is so high in this environment, that a fraction of the strict SLAs they face will, in fact, boost the operations of a regular business. So, do companies with traditional infrastructure have something to learn from critical operations? The answer is ‘yes’ and ‘no’ at the same time.
Critical infrastructure: a role model to protect normal businesses? #securityTweet
When we were developing our specialized security software for industrial facilities, there were some unique requirements we had to meet. Let me name a few here.
- Observability mode. Security solutions are deployed extremely carefully in critical industrial environments. Solutions should be able to monitor activity and detect threats, but leave the decision to block an attack up to the operator. Industrial systems rely on customized software, so even the potential conflict between a security solution and, let’s say, operations of a railway system cannot be allowed. For a typical IT infrastructure this provides us with a good example of the careful deployment of a new feature – such as application control. Run it in the background, collect all of the stats, analyze and refine and only then – roll out full functionality.
- Security assessment. Critical infrastructure always works together with traditional IT, and the fact that different teams are usually responsible for security of those two entities is challenging. An independent look by security experts proficient in both industrial systems and general IT helps to identify potential weaknesses usually found at the meeting point between two systems. This is also true for any traditional IT infrastructure. In fact, the variety of endpoints, mobile devices, on-site servers and cloud services is no less complicated than a power plant.
- Exploit prevention. Technologies designed to identify attacks using previously unknown vulnerabilities is one level above traditional anti-malware systems. As we learned from Stuxnet, critical infrastructure may be targeted with the most advanced cyber weapons. Unlike traditional malware, targeted and advanced attacks require special tools. As we know, targeted attacks put businesses in danger even more than industrial facilities. So if you ask me, it was time to start protecting businesses from APTs yesterday.
These are the positive examples of critical infrastructure specifics that may be adopted by traditional businesses right away. But here are a few things that would be better if they stay within the manufacturing and energy sectors.
- Older hardware. It costs millions, it is reliable, and you can find fully operational machines still working under Windows 98. While there are reasons to use this hardware this in critical infrastructure, this is not an excuse to use outdated software and hardware in the office. When IT reaches its end of life, it’s worth replacing for the sake of security.
- Isolated operations. Letting a SCADA system directly connect to the Internet is the worst thing that can happen with an industrial system. For security it presents problems, especially in terms of the delivery of security updates. They can be solved, but isolating traditional infrastructure without changing the security approach leads to a lot of trouble.
Some security practice from ICS may be adopted by traditional businesses right away #securityTweet
The best takeaway from mission-critical experience is the need to have the right attitude. When you know that the wrong software update can cause an hour’s outage and losses of thousands of dollars per minute, you have to alter your approach. Traditional IT is usually more relaxed, although it is possible to lose anything from $66K (SMBs) to $1,4M (enterprises) due to downtime from a security incident. Given this, adopting a “critical” attitude when thinking about IT security seems to be a wise choice.