Digital threats confronting Critical National Infrastructure (CNI) are on the rise. That’s because attackers are increasingly going after the Operational Technology (OT) and Industrial Control Systems (ICS) that shareholders use to protect these assets. In their report “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?,” for instance, Siemens and the Ponemon Institute found that 64% of respondents considered sophisticated attacks against the utilities sector a top challenge. Slightly less than that (54%) said that they expected an attack on CNI would occur in the next year.
Malicious actors have not disappointed. In February 2020, FireEye revealed that it had witnessed a “significant increase” in publicly disclosed instances of ransomware having affected industrial production and critical infrastructure organizations. It was around that same time when IBM X-Force disclosed that the number of incidents in which threat actors attempted to target organizations’ ICS and OT assets had increased by over 2,000 percent between 2018 and 2019. Just a few months later, NETSCOUT clocked 1,780 distributed denial-of-service (DDoS) attacks against utilities worldwide between June 15, 2020 and August 21, 2020, reported Morning Consult. That’s a 595% increase compared to the same period in 2019.
Clearly, organizations that help to maintain CNI don’t have sufficient cyber resilience. Greenborne Networks found that out in a 2020 study on the levels of cyber resilience within critical infrastructure organizations. According to Help Net Security, just 36% of the 370 participating entities said that they had achieved a high level of cyber resilience.
These findings raise an important question: what makes securing CNI so difficult?
In this post, we’ll discuss five security challenges that stand in the way of hardening CNI against digital threats. We’ll also explain how Tripwire’s solutions can help to overcome these obstacles.
1) Internal Resources
The security industry as a whole continues to struggle with a shortage of internal resources. In particular, many organizations—including those that help to maintain CNI—don’t have a sufficient number of trained security professionals to meet their security needs.
A 2019 survey from (ISC)2 found that the gap consisted of 4.07 million unfilled security-related jobs. A few months after that, 76% of respondents to an iteration of the Stott and May Cyber Security in Focus Survey said that there was a dearth of digital security skills in their company. Per Security Magazine's coverage of the survey, 39% of respondents said that internal skills were the greatest barrier to their ability to execute their security strategy.
2) Breach Detection
As with their IT environments, organizations need to continuously monitor their OT systems for changes that could point to a security incident. Claroty notes that organizations commonly use agent-based solutions to perform this monitoring of their IT assets and that they therefore might be tempted to extend agent-based detection to their OT networks. This type of breach detection doesn’t work on the types of units used for safeguarding CNI, however. That’s because agents require downtime in order to be updated or installed. In the absence of compensating technologies, such downtime on a CNI device could undermine the economy, national security and/or public safety of the country which it serves.
3) Threat Landscape
The OT threat landscape is larger than the IT threat landscape, as most devices that are deployed in the former are not changed out in the same frequency as IT. Indeed, many organizations that help to operate CNI have legacy systems. Organizations resist upgrading their OT technologies because of the projected cost. They can’t just find a new control system; they also need to invest in new network infrastructure to support it. The problem is that these legacy systems are oftentimes years if not decades old. They also use proprietary network protocols for communication and lack remote upgrade mechanisms. Consequentially, organizations leave themselves exposed to malicious actors exploiting a weakness within their legacy systems.
4) OT Cybersecurity Skill Gaps
The issue is that organizations don’t have the requisite talent to secure their CNI. Indeed, those entities are just as subject to the cybersecurity skills gap as are organizations in other sectors. That skills gap isn’t getting any better, either. In a study conducted by Dimensional Research, Tripwire learned that 83% of security experts felt more overworked going into 2020 than they did the previous year. Approximately the same percentage of respondents (82%) said that their organizations were understaffed, with 85% of survey participants noting that finding the right expertise had become more difficult over the past few years. With fewer security experts, organizations are more likely to find themselves in a position of reacting to security incidents rather than detecting them.
5) Situational Awareness
All of the above highlights the need for organizations to be proactive about their ICS security. They need to be able to monitor their industrial environments for threats and spot them before they begin to wreak havoc on their CNI devices. They need to watch for digital attacks using their legacy systems against them in order to produce a disruption and/or move laterally to other parts of their environments. And they need to do so with solutions that compensate for the lack of security personnel in their ranks. In other words, they need the situational awareness to strengthen the security of their industrial networks.
No Problems, Only Solutions
Tripwire helps organizations to address these challenges with its ICS security solutions. These tools compensate for the OT cybersecurity skills gap, as they rely on Tripwire’s professional services like ExpertOps to conduct vulnerability assessments of their industrial environments. Using those findings, they then monitor the network and systems for potential problems, including signs of malicious actors exploiting vulnerabilities within a legacy system.
Through its Tripwire Industrial Visibility (TIV) offering, Tripwire provides coverage for the entire OSI/Purdue Model. TIV specifically covers Layers 0-3 in the OSI/Purdue Model, with Tripwire Enterprise and Tripwire IP360 helping to protect Layers 4 and 5. Simultaneously, Tripwire Log Center provides coverage for all layers. Tripwire Solutions also help organizations adhere to such compliance requirements like NERC CIP, NIST, CIS, IEC62443, NIS/CAF Directive and many more.