Most of the time, we don’t notice critical infrastructure until it’s disrupted. The recent hurricanes in southwestern Louisiana highlight the inefficiencies when cell phone service, roads, electricity and water service are unavailable, even in small portions of the country. While these disruptions are localized, the impact is magnified because of the effect on life and property.
The disruptions caused by natural disasters are usually fixed by using the business continuity plans in place to limit the impact to the community and the environment. These plans are key for all organizations when the threat comes from the cybersecurity domain, too.
Business continuity plans focus on ensuring the core business function is repaired. Cybersecurity incident response plans are specialized instances of those plans, but many times the cybersecurity aspect seems to focus specifically on the technology and leave out the core business function. In this blog, we’ll focus on why cybersecurity is crucial to protecting critical infrastructure.
Ransomware Tops List of Cybersecurity Concerns
Regardless of whether a disruption is caused by rising water or ransomware, the focus needs to be on restoring service. The public is not interested in the details, just a reasonably accurate restoration time. Exercising these incident response plans, which is a control under NIST SP 800-53r4 and other control frameworks, allows the players to understand the threats facing the critical infrastructure at an appropriate level and brings them together to assess the plans, make improvements, add or remove participants, develop checklists and improve response.
While cybersecurity attacks aren’t often front page news, ransomware attacks on several large cities in the US as well as many smaller cities across the country in 2019 and 2020 have become commonplace headlines. Ransomware attacks rarely happen in isolation, but instead rely on a series of tricks and tools. One common attack chain gains access to a network through a phishing email. Once someone opens the email payload, malware such as Emotet or TrickBot is loaded onto the machine. TrickBot steals credentials, then moves laterally to look for critical information or systems. Once found, the attacker downloads ransomware, such as Ryuk, and encrypts the systems or data critical to the organization’s function.
Targeting critical systems and information improves the chances of a target paying the ransom to the attacker. For the target, this means that operations are impacted – and for a city, utility or first responder, the impact could affect public safety.
Multiple Lines of Defense Required
Multiple lines of defense are necessary to counter malicious actors when dealing with ransomware or any other malware. The first line of defense is user training, with the largest focus being on recognizing phishing emails. Reporting suspicious emails and not clicking on unknown links reduces the likelihood and lowers the impact of phishing attacks. However, without additional technical controls in place, it only takes one click to affect an entire network. And, let’s face it, we all know one person who will click on an email no matter how much training they get.
When looking at additional technical controls, antivirus is the first stop. While antivirus only focuses on known signatures, it’s effective, low cost and easily maintained. Next generation endpoint detection and response (EDR) solutions are also an option. EDR solutions offer more capabilities than traditional antivirus solutions to detect and prevent cyber attacks. These next-gen endpoint security solutions also enable faster response times to a security incident or breach.
The next step is to remove local administrator access from machines. Denying malware the ability to run with administrative rights makes an attacker’s job more difficult, and it is a simple administrative step to take.
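Removing local administrator access is easier to sustain when you can see who actually holds it on each machine. The script below is an added example, not code from the original post or from Motorola Solutions: it lists every member of the local Administrators group that is not on an approved list and, with the -Remove switch, takes them out. It uses the LocalAccounts cmdlets (Windows 10 / Server 2016 and later, PowerShell 5.1+) and must run from an elevated session. The allow-list entries are constructed placeholders; replace them with your own approved accounts and groups.

```powershell
# Added example (not from the original post): audit the local Administrators
# group and optionally remove members that are not on an approved list.
# Requires the LocalAccounts module (Windows 10 / Server 2016+, PowerShell 5.1+)
# and an elevated session. The allow-list below is a constructed placeholder.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts and groups allowed to keep local admin rights (constructed values).
    [string[]]$Allowed = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin account
        'EXAMPLE\Domain Admins',             # placeholder domain group
        'EXAMPLE\Workstation Admins'         # placeholder support group
    ),
    # Remove unexpected members instead of only reporting them.
    [switch]$Remove
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$AllowList)

    # Get-LocalGroupMember reports Name as DOMAIN\user or COMPUTER\user.
    $members = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        # -notcontains is case-insensitive, matching how Windows treats names.
        if ($AllowList -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

$unexpected = @(Get-UnexpectedLocalAdmins -AllowList $Allowed)

if ($unexpected.Count -eq 0) {
    Write-Output "No unexpected members in local Administrators on $env:COMPUTERNAME."
    return
}

# Report first so the finding is recorded even when -Remove is not used.
$unexpected | Format-Table -AutoSize

if ($Remove) {
    foreach ($u in $unexpected) {
        # -WhatIf and -Confirm are honoured through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($u.Member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $u.Member
        }
    }
}
```

Run it without switches to get a report, then with `-Remove -WhatIf` to preview the changes before applying them. Keep the allow-list in version control and push the script through your configuration management tooling so the check runs on every machine, not just the ones someone remembers to look at.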
The last technical control is vulnerability patching. This is one of the most overlooked issues that has plagued networks since the beginning of networking and something we’ll go into more deeply because of its importance to protecting networks that support critical infrastructure.
Vulnerability scanning and patching must be performed regularly, because new vulnerabilities are discovered and fixed continuously. Most have minimal impact, but some require immediate attention, such as EternalBlue. Even though it was revealed in March 2017, EternalBlue and other related SMB exploits have been present on every penetration test we’ve conducted over the past year. It has provided an easy vector to compromise targets by exploiting the Microsoft SMBv1 server present on Windows XP through Windows 10 via port 445.
This was the vulnerability exploited by the “WannaCry” and “Petya” ransomware attacks in 2018, and it is also used by other malware, such as Emotet and TrickBot, that is commonly deployed before ransomware is installed. Microsoft even released EternalBlue patches for the unsupported Windows XP and Windows Server 2003 operating systems. The reason for those special patches was that, despite being past their end-of-life date, many of those systems are still in use. While the EternalBlue vulnerability affects Windows platforms, it’s just one vulnerability affecting one platform. Vulnerabilities must also be patched on other platforms and systems, especially those supporting critical infrastructure.
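Patching closes the EternalBlue hole, but the SMBv1 server it lives in is rarely needed at all, and a host that still has it enabled is one missed patch away from the same exposure. The script below is an added example, not code from the original post or from Motorola Solutions: it reports whether the SMBv1 server is still enabled on a Windows host (through the SMB server configuration, the LanmanServer registry value used on older releases, and the optional feature on Windows 10), whether anything is listening on TCP 445, and optionally whether a list of required updates is installed; with -Disable it turns SMBv1 off. The KB numbers for the MS17-010 update differ per OS version and are not listed here; supply them from Microsoft’s bulletin. Run it from an elevated session.

```powershell
# Added example (not from the original post): report whether the SMBv1 server
# is enabled on this host and, with -Disable, turn it off. Run elevated.
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; the
# registry value covers Windows 7 / Server 2008 R2.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable,
    # Optional: KB numbers of the MS17-010 update for this OS build, taken from
    # Microsoft's bulletin (deliberately not listed here; they differ per OS).
    [string[]]$RequiredKB = @()
)

# Registry location the SMB server reads its SMB1 setting from.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $state = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Preferred check: the SMB server's own configuration (Windows 8/2012+).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Older systems: the SMB1 registry value; when it is absent, SMB1 is enabled.
    $val = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $state.RegistrySmb1 = if ($null -eq $val) { 'not set (enabled)' } else { $val }

    # Windows 10: SMB1 ships as a removable optional feature.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $state.OptionalFeature = $feat.State }
    }

    # Is anything listening on TCP 445 right now?
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
        $state.Port445Listening = [bool]$listening
    }

    [pscustomobject]$state
}

function Test-RequiredHotfix {
    param([string[]]$KB)
    # Get-HotFix lists installed updates by KB id.
    $installed = (Get-HotFix).HotFixID
    foreach ($k in $KB) {
        [pscustomobject]@{ KB = $k; Installed = ($installed -contains $k) }
    }
}

Get-Smb1State | Format-List

if ($RequiredKB.Count -gt 0) {
    Test-RequiredHotfix -KB $RequiredKB | Format-Table -AutoSize
}

if ($Disable -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2: set the registry value; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 10: also remove the optional feature (reboot required to finish).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Show the state after the change so the result is visible in the log.
    Get-Smb1State | Format-List
}
```

Run it without switches first and collect the output across the fleet; any host reporting SMBv1 enabled or port 445 exposed to untrusted networks should go to the top of the patch list. Before using -Disable, confirm that nothing on the host still depends on SMBv1 (old multifunction printers and embedded devices are the usual holdouts), since turning it off is the right default but will break those clients.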
The focus of your efforts should be on managing risks to your core organizational functions. While cybersecurity tends to focus on the technical aspects of your infrastructure, business resilience and continuity of operations is the ultimate purpose for these cybersecurity controls. Understanding what’s important to operations and what must be protected will assist you in allocating resources towards better security and making proper risk management decisions.
Make sure you’re practicing good cyber hygiene and looking critically at your security practices. Motorola Solutions offers a range of assessment services to evaluate your ability to protect your infrastructure, detect and respond to malicious activity and recover from an incident.