Internet services companyOperahas come under a short-sell assault based on allegations of predatory lending practices by its fintech products in Africa. Hindenburg Researchissued a report claiming (among other things) that
Digital transformation has revolutionized critical infrastructure industries like manufacturing, enabling them to harness new technologies such as the cloud and the Internet of Things to do things better, faster and smarter. And like with any newly blazed trails, this transformation has come with new risks.
Industrial control systems (ICS) — used in sectors such as manufacturing and energy — traditionally relied on architecture segmentation, “air-gapping” and other passive defenses. But with the number of internet-facing embedded devices and control systems growing in the last decade, those passive defenses no longer work. At the same time, the attacks targeting those systems are on the rise. Under these circumstances, a major attack could result in severe damage, including loss of human life.
An expanded view of critical infrastructure
In a 2019 ICS (industrial control systems) survey, 51 percent of more than 300 respondents perceived the level of operational technology (OT) and ICS risk to be severe, critical or high. The top threat identified was devices and “things” that are being added to the network and can’t protect themselves.
Not only are industrial control systems being connected to the internet and the cloud for the first time, but every new device creates an entry point for a bad actor to exploit. And with this new ecosystem now being interconnected and interdependent, supply-chain security and infrastructure security are new priorities that these sectors haven’t had to grapple with in the past.
Emily Miller, direction of national security and critical infrastructure programs at software-security company Mocana, recently told Infosec on its Cyber Work podcast that securing industrial control systems is a matter of saving lives. But she takes a broader view of the definition of critical infrastructure, including agriculture.
“What happens if your food sources are potentially impacted … not only from the cascading consequences of water and power [being affected], but also the cascading consequences of component elements that no one at the national level has even recognized as a critical infrastructure,” she says.
Yet like other critical infrastructure industries, she points out that agriculture has been innovating — using many embedded devices and other technologies that create not only physical risks but also data tampering risks for components that end up in the food manufacturing process.
You can have “a physical introduction of a contaminant — but what if you’re having somebody introducing a data element that is telling you something is true, when something is actually not true,” she says.
New technology, new security concerns
Many critical infrastructure businesses are using cloud-based and mobile technology that have data going through a long communication chain before it gets used for decision-making by a human. A device may first collect the data in the field, then talk to another device in the cloud and then the data will get filtered back to another platform and so forth. A threat actor thus has many opportunities to manipulate the results, from tampering with the device itself to intercepting the data in transit.
“Where in the data chain have you validated that the data from the original data point and data source is accurate, that the originating device was not in some way corrupted or manipulated, or that the data in transit was not somehow corrupted or manipulated,” says Emily Miller, who previously worked with the Department of Homeland Security, Department of Health and Human Services and ICS-CERT.
Embedded devices are only one source of security challenges for ICS. Many companies are using so-called legacy technology that has vulnerabilities easily exploited by hackers. For example, CyberX Labs analyzed more than 850 industrial control networks across multiple industries and found that 53 percent had outdated systems like Windows XP.
“Retrofitting legacy devices are a huge thing the industry has to deal with,” Miller says.
As the critical infrastructure sector is dealing with these issues, it’s also increasingly the target of attacks. A 2018 Forrester study commissioned by Fortinet found that of more than 400 organizations using ICS or SCADA, 56 percent had a breach in the previous year.
And increasingly, more attacks on critical infrastructure are being attributed to nation states. In the 2019 SANS survey, 28 percent of organizations believed they were attacked by nation-states or state-sponsored actors, compared to zero two years before.
Taking a systematic approach to infrastructure security
Miller noted that different industries have different risk priorities. At t