In recent years, there has been a fundamental change in both the scope and scale of cyber threats to critical infrastructure. I don’t want to minimize the great strides that have been made in cybersecurity. After all, there has been a renewed emphasis on following cybersecurity protocols by business unit heads, and cybersecurity has been elevated to a topic of concern worthy of the C-suite and corporate boards. However, cybercriminals, hacktivists, and nation states have also stepped up their game.
Cyber attacks have been very profitable for criminals and have served as powerful political forces for nation states. This has fueled new, more devastating attacks from a wide range of actors. Furthermore, dark web markets offering ransomware as a service (RaaS) and other tools have lowered the barriers to entry for hacktivists, leading to a flood of new attackers with varying agendas but a similar intensity and tenacity.
Nation states and hacktivists target critical infrastructure such as the power grid, water systems, transportation, financial services, health, communications, and defense. Attackers are highly motivated and willing to spend the time and effort to gather intelligence, compromise assets, and penetrate the defenses of critical infrastructure. Some key defenses against critical infrastructure cyber threats include air gapping, monitoring, and machine learning.
The first of these defenses is air gapping. Air gapping physically or logically isolates secure networks so that devices on those networks cannot talk to devices on less secure networks. This has historically created problems when devices needed to be updated, because data would need to be copied to secure media, transported to the high-security network, assessed for risk, and then loaded onto the high-security network.
Current threat detection systems are often integrated with cloud technologies to identify zero-day threats and next-generation attacks, so companies have moved to new air gap security models where an on-premises intermediary device obtains threat data and updates. This data is validated and made available to air-gapped machines. Air-gapped machines pull information from the intermediary device to stay current and protected. Strict controls ensure that they cannot connect elsewhere and that connections to and from the intermediary device are limited to specific authorized functions.
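The intermediary model described above, sketched as an added example (not from the original article or any vendor's product): the intermediary validates each update before publishing it, and air-gapped hosts can only pull through allowlisted functions. The HMAC key, host names, and function names are constructed assumptions, and the shared-key HMAC stands in for a real vendor signature check.

```python
import hashlib
import hmac

# Assumptions (constructed): shared manifest key, allowlisted functions and hosts.
MANIFEST_KEY = b"constructed-demo-key"
ALLOWED_FUNCTIONS = {"list_updates", "fetch_update"}
AUTHORIZED_HOSTS = {"hmi-01", "plc-gw-02"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def manifest_tag(name, digest, key=MANIFEST_KEY):
    """HMAC over name and digest; stands in for a real vendor signature."""
    return hmac.new(key, f"{name}:{digest}".encode(), hashlib.sha256).hexdigest()

class Intermediary:
    def __init__(self):
        self.published = {}  # name -> (payload, digest), validated items only
        self.rejected = []   # names that failed validation, kept for review

    def ingest(self, name, payload, digest, tag):
        """Publish an update only if its manifest tag and digest both check out."""
        tag_ok = hmac.compare_digest(tag, manifest_tag(name, digest))
        digest_ok = hmac.compare_digest(sha256_hex(payload), digest)
        if not (tag_ok and digest_ok):
            self.rejected.append(name)
            return False
        self.published[name] = (payload, digest)
        return True

    def handle(self, host, function, name=None):
        """Serve a request from an air-gapped host; deny anything off the allowlists."""
        if host not in AUTHORIZED_HOSTS or function not in ALLOWED_FUNCTIONS:
            raise PermissionError(f"{host}: {function} is not authorized")
        if function == "list_updates":
            return sorted(self.published)
        return self.published[name]  # KeyError for anything never validated

def pull_update(gateway, host, name):
    """Air-gapped side: pull from the intermediary, re-check the digest, return payload."""
    payload, digest = gateway.handle(host, "fetch_update", name)
    if sha256_hex(payload) != digest:
        raise ValueError("digest mismatch after transfer")
    return payload

if __name__ == "__main__":
    gw, good = Intermediary(), b"constructed signature pack"
    gw.ingest("sigs.bin", good, sha256_hex(good), manifest_tag("sigs.bin", sha256_hex(good)))
    print(gw.handle("hmi-01", "list_updates"), pull_update(gw, "hmi-01", "sigs.bin") == good)
```
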
The second key defense is monitoring with orchestration. Critical infrastructure devices, as well as the systems they interact with, generate a lot of data that can be used to identify threats and take action. Monitoring technologies such as SIEM, IPS, and DLP are mature and well-defined. However, these involve a human component that is often the bottleneck in the process and one that cannot respond quickly to evolving threats.
Security Automation and Orchestration (SAO) accelerates threat qualification, investigation, and remediation with incident response workflow and automated playbooks. Critical infrastructure and government agencies have long since developed playbooks for how to handle different situations. These have become increasingly well-documented, yet they remain a manual process and are usually cumbersome to use in an emergency situation. SAO not only automates the process but also contextualizes the data and assesses response options to select optimal strategies.
Machine learning, when implemented correctly, can vastly improve the way critical infrastructure reacts to potential cyber threats. Machine learning can enhance the reliability of security controls, differentiate between hostile and non-hostile threats, and boost the overall efficiency of cybersecurity operations.
Attackers are using machine learning to improve their attacks. As the saying goes, “It takes one to know one,” and it takes machine learning to counter machine learning.
With new advances in air gapping, monitoring, and machine learning, critical infrastructure is better able to protect against zero-day exploits, internal threats, and next-generation attacks. Critical infrastructure threat actors are highly motivated and skilled. It takes leading technologies to stay ahead and stay safe.