So malware attacks against critical infrastructure are inevitable. What’s next?

September 24, 2014

Today we are publishing research that paints quite a grim picture: A quarter of organizations handling critical infrastructure report malware attacks. We are talking about an environment that is supposedly protected at all costs from all kinds of intrusions. Why is that? Let me explain why critical security breaches happen and our view on the proper protection methods.


Critical infrastructure operators are often reluctant to deploy full-scale anti-malware protection. They are worried about compatibility, performance, compliance, and most importantly: possible downtime. In a critical environment such as the infrastructure of an oil/gas company, one minute of downtime may cost anywhere between $20,000 and $500,000. It’s no surprise that some companies prefer to deploy protection partially, or rely on the “security by obscurity” approach (see “5 Myths of Cyber Security”).

As our research shows, malware is the true enemy. The potential impact of a misconfigured security solution is nowhere near the devastating consequences of a true security breach. Critical systems are prone to all types of cyber attacks, but these three are the most likely:

  • An attack using a sophisticated Stuxnet-like cyberweapon. Always complex, always targeted, very hard to mitigate. Luckily, such attacks are not widespread, as of today.
  • Generic malware attack. This one is the most frequent, caused by wreckless handling of critical control systems. Wreaks havoc in obsolete and largely unprotected environments, but it is less likely to damage the modern system.  Our whitepaper on Critical Infrastructure protection provides more data: link.
  • An APT. An attack that is not Stuxnet-style in terms of complexity, but still a targeted one. As we see from the recent attack investigations (see our report on Energetic Bear), control environments are now being used as an entry point to further infiltrate the entire network of a company in order to steal sensitive information.

There is a high chance of a successful malware attack in a critical environment, and there are numerous ways to infiltrate the system: via a vulnerable software, using social engineering, USB thumb drives, etc. What is the right strategy to protect a company against it?


We believe it is the proper combination of Whitelisting (critical machine runs only critical software, everything else is blocked) and a modern anti-virus engine with a strong heuristics-based detection method that protects from APTs, software vulnerabilities, etc. It doesn’t sound like a big deal since all vendors offer such functionality. But the key is the right configuration and usage/maintenance/update. An out-of-the-box security solution won’t fit the critical environment and may lead to the highly feared downtime. Only a carefully tuned, tailored solution, customized by both company engineers and security vendor experts, will protect the critical environment safely and effectively.

For more on critical infrastructure protection watch this video: