Critical Infrastructure at Risk from Operational Technology and IoT Vulnerabilities
by Ernie Hayden CISSP GICSP(Gold) PSP
A recent Skybox Security report raised the concerns summed up in the headline above, and a Kaspersky news release tells the same story: cyberattacks on Internet of Things (IoT) devices more than doubled in the first half of 2021. Kaspersky counted over 1.5 billion attacks against IoT devices from January to June 2021, up from 639 million in the same period of 2020.
You may have some questions about these headlines. What do IoT devices have to do with critical infrastructure? Why is this a big deal? Frankly, I think you'd be surprised at how frequently IoT devices are deployed in critical infrastructure facilities and systems.
One way to picture where OT/IoT devices sit in critical infrastructure is to look at a drawbridge in a major city. The drawbridge is more than steel and concrete; it also includes OT/IoT controllers and sensors that raise and lower the span, monitor it for overstress, and so on. So every time you look at a piece of critical infrastructure, accept that the facility is full of cyber and cyber-physical devices that can be hacked, damaged, or shut down.
So, what are OT and IoT devices?
According to Gartner, operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes, and events. Also, Gartner reports the Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.
As you can see, OT and IoT have numerous similarities and they are ubiquitous throughout critical infrastructure systems and facilities.
Rising numbers of vulnerabilities in OT and IoT therefore pepper the critical infrastructure with holes that give attackers, whether criminal actors or nation states, more opportunities to damage or shut down these devices.
In the same Skybox announcement, they observe "the number of network devices such as routers, switches, firewalls, and other operating systems rose nearly 20 percent in H1 2021." That growth means a larger attack surface for the "bad guys," with more options for planting malware or staging a ransomware attack.
The key point is you need to be aware of a) what are your critical assets; b) what assets contain cyber systems such as IoT, routers, switches, etc.; and c) what vulnerabilities need to be addressed and mitigated.
Mitigating these vulnerabilities is NOT a "one-and-done" exercise; it has to be performed methodically, at least monthly. Excellent resources for staying on top of vulnerabilities are the US Cybersecurity and Infrastructure Security Agency (CISA) Alerts and Bulletins. You can subscribe to these vulnerability lists at https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new.
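The monthly routine described above (know your assets, know which ones are cyber systems, know which advisories apply) is easy to state and easy to get wrong in practice. The script below is an added example, not code from the article or from CISA: it cross-references a small OT/IoT asset inventory against a list of advisories and ranks the hits so that devices supporting a critical function come first. All vendors, products, asset IDs, advisory IDs and version numbers are constructed placeholders, not real products or real CVEs. It also shows one pitfall that bites real inventories: comparing version strings lexically ("12.4.9" sorts after "12.4.10") silently marks a vulnerable device as patched.

```python
"""Cross-reference an OT/IoT asset inventory against vulnerability advisories.

Added example, not from the article. Every vendor, product, asset ID and
advisory ID here is a constructed placeholder, not a real product or CVE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str        # which critical facility the device belongs to
    vendor: str
    product: str
    version: str
    critical: bool   # True if losing this device stops a critical function


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str    # first firmware/software version carrying the fix
    severity: str    # critical / high / medium / low


def parse_version(v):
    """Turn '12.4.9' into (12, 4, 9) so comparison is numeric.
    A plain string compare would say '12.4.9' > '12.4.10' and miss a hit."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset, adv):
    """An asset is affected if vendor and product match and it runs
    a version older than the one the advisory says is fixed."""
    return (asset.vendor.lower() == adv.vendor.lower()
            and asset.product.lower() == adv.product.lower()
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def match_advisories(inventory, advisories):
    """Return (asset_id, advisory_id, severity, critical) tuples, most urgent
    first: critical-function assets before others, then by severity, then ID."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits = [(a.asset_id, adv.advisory_id, adv.severity, a.critical)
            for a in inventory for adv in advisories if is_affected(a, adv)]
    hits.sort(key=lambda h: (not h[3], rank.get(h[2].lower(), 9), h[0]))
    return hits


# Constructed sample inventory for the drawbridge example and a pump station.
INVENTORY = [
    Asset("BRIDGE-PLC-01", "Drawbridge", "ExamplePLC", "Span Controller", "3.2.1", True),
    Asset("BRIDGE-HMI-01", "Drawbridge", "ExamplePLC", "Span HMI", "1.4.0", True),
    Asset("BRIDGE-RTR-01", "Drawbridge", "ExampleNet", "Edge Router", "12.4.9", False),
    Asset("BRIDGE-CAM-01", "Drawbridge", "ExampleCam", "IP Camera", "2.0.0", False),
    Asset("PUMP-PLC-02", "Pump Station", "ExamplePLC", "Span Controller", "3.3.0", True),
]

# Constructed sample advisories (placeholder IDs, not real CVEs or CISA advisories).
ADVISORIES = [
    Advisory("EX-ADV-0001", "ExamplePLC", "Span Controller", "3.3.0", "high"),
    Advisory("EX-ADV-0002", "ExampleNet", "Edge Router", "12.4.10", "critical"),
    Advisory("EX-ADV-0003", "ExampleCam", "IP Camera", "1.9.0", "medium"),
]


if __name__ == "__main__":
    for asset_id, adv_id, sev, crit in match_advisories(INVENTORY, ADVISORIES):
        flag = "CRITICAL-FUNCTION" if crit else "support"
        print(f"{asset_id:15} {adv_id:12} severity={sev:8} role={flag}")
```

Run against the constructed data, the PLC on the drawbridge (3.2.1, fixed in 3.3.0) is listed first because it supports a critical function, the edge router (12.4.9, fixed in 12.4.10) second, and the camera and the pump-station PLC do not appear because they already run fixed versions. Feeding this the real inventory and the advisories from the CISA bulletins you subscribe to is the monthly job; the hard part, as the article says, is keeping the inventory itself complete and current.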
Staying aware of your critical infrastructure's cyber and physical vulnerabilities is a full-time task that demands your focus and attention. The bad guys only need one way into your components to ruin your whole day.
Ernie Hayden, MIPM, CISSP, GICSP(Gold), PSP is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information.
Ernie is author of the new book, Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook.
In this chapter — The Power of the Observation — you will discover:
- An overview of the concept of an “observation.”
- The primary elements included in the observation as well as its format.
- Fundamental considerations when performing and documenting the observation including the power of one’s influence on the actions being observed, the need for critical thinking, and considerations on how the observation supports the risk assessment.