"'There is a Chinese curse which says 'May he live in interesting times.' Like it or not we live in interesting times. They are times of danger and uncertainty; but they are also more open to the creative energy of men than any other time in history."
—Robert F. Kennedy, Cape Town, South Africa, June 1966
In considering the current state of the security industry, that often-used phrase about "interesting times" comes to mind. There is no doubt that we as information security practitioners face unprecedented infosec challenges, ranging from the highly technical malware injections to simple social engineering attacks, that require creative energy to address. Each day we read about new attacks on our systems and new means of stealing data, money and intellectual property -- plenty to keep security officials up at night.
With the quantity of data and cyber systems expanding daily, enterprise security officers' jobs are getting bigger and more difficult.
And the breaches continue. For the past six years, Verizon has published its Data Breach Investigations Report (DBIR), and each year, the number of analyzed data breaches increases. As our lives become increasingly more digital, there are more opportunities to have information stolen, modified or simply erased. Just how should enterprise IT security strategies change to reflect the new challenges that seem to emerge almost daily?
Let's delve into the shifting information security landscape, from dealing with smart devices to tackling industrial control system security, and then try to provide some answers for enterprises wanting to know how to adjust an IT security strategy based on this accelerated pace of change.
Much to fix and protect
With the quantity of data and cyber systems expanding daily, enterprise security officers' jobs are getting bigger and more difficult. For instance, electric utilities are dealing with new technologies like smart meters that send out small quantities of data every second. Though an individual meter won't produce much data, millions of meters will create massive accumulations of data that must be protected and stored for current and future analysis.
Of course, security executives can never ignore the growing trend of bring your own device (BYOD), with employees and contractors connecting personal wireless phones, tablets and computers to corporate networks. How do you deal with securing those devices, and what do you do when a device is lost or stolen?
These challenges are also aggravated by the reality the Internet lies at the heart of almost all of today's enterprise systems. The Internet was not designed to be secure; security systems are essentially bolted on. If you think of enterprise systems as a sieve, then every hole not covered by the security team gives attackers opportunities to breach systems and either steal information or, in the case of the electric power industry, negatively impact grid operations.
ICS: Ignored for too long
Another area of growing concern is industrial control systems (ICS) security. These systems include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) that are used extensively in factories, bottling plants, food packaging facilities, power plants, substations and transportation systems. These systems, much like the Internet, were not designed with security in mind.
In years past, ICS were considered secure because they used proprietary protocols like Modbus or Profibus. Security professionals were still under the "security by obscurity" mindset and ignored possible security holes under the assumption that hackers wouldn't find them because they weren't familiar with the technology. Some have also argued ICS were protected from most attacks because they are not connected to the enterprise network. However, inspections of these systems continue to reveal that they are not immune from hacking.
The security spotlight shone squarely on ICS security problems in 2011, though, when the Stuxnet worm attacked an Iranian nuclear facility via its industrial control system and resulted in physical failures of centrifuges used to enrich uranium. Some observers declared Stuxnet to be the first cyberwarfare weapon because it caused physical damage. Between Stuxnet and its derivatives, including Duqu and Flame, ICS is now considered to be a very real target for attackers.
As industrial control systems age, they are being upgraded with new components using Transmission Control Protocol/Internet Protocol (TCP/IP). This is good news for operations teams as it is easier to find engineers who understand TCP/IP. However, the bad news is would-be attackers already know how to hack TCP/IP effectively, meaning very little relief will come from this switch.
Supply chain security
A fairly new area of concern for enterprises is security in the supply chain. From making sure digital devices, computers and controllers have not been tampered with during manufacturing or shipping, to ensuring chip sets in complex systems like smart meters and advanced machinery do not contain "switches" that can be turned on by nation states or cybercrime syndicates, enterprises have never had more security concerns to deal with the second they receive new technology. Some governments -- including the United States, Canada and Australia -- have established bans or restrictions on select overseas vendors because of concerns that foreign-built systems could include back doors or other means of cyber intrusion, though enterprises have not yet gone to such lengths in these countries.
Global government action
Speaking of infosec concerns on the part of governments, their collective awareness of cyberattacks and cybertheft (and any ensuing fallout) is rapidly increasing. In early February, the European Commission issued a cybersecurity strategy. The document stresses that security incidents are "increasing in frequency and magnitude, becoming more complex and know no borders. These incidents can cause major damage to safety and the economy and efforts to prevent, cooperate and be more transparent about cyber incidents must improve."
On February 12, President Barack Obama issued an Executive Order -- "Improving Critical Infrastructure Cybersecurity" -- and the associated Presidential Policy Directive (PPD) focused on improving the cybersecurity that underpins critical U.S. infrastructure. Although the president's initiatives specify actions for the executive branch of the U.S. government, the resulting policies, rules and regulations will impact virtually every corporation across the nation.
For instance, the National Institute of Standards and Technology (NIST) is formulating a cybersecurity "framework" to be used for future security assessments and security implementation to protect critical infrastructure, affecting operators of electric and gas utilities, transportation companies, and water and wastewater systems.
There are also some new bills pending before the U.S. Congress.
An IT security strategy that can adjust for change
This new cybersecurity landscape can be daunting for even the most seasoned CISOs and enterprise security teams. Beyond the multitude of threats we've already discusses, the Verizon DBIR paints a picture of attackers that seemingly never sleep, hacktivists with political agendas wreaking havoc and well-funded criminal outfits focusing evermore efforts on lucrative cybercrimes.
So, just what can a concerned organization do to update its IT security strategy and tackle this multitude of threats?
First, I'd focus on the people within the enterprise. Executive leadership teams should provide strong support for cyber and physical security, have a single head of cybersecurity, and make sure there is a "security conscience" on staff. Organizations should also recognize that the first lines of defense are people effectively implementing necessary processes and technologies needed to secure the enterprise. Employees should also be constantly trained and educated on cyberthreats and protecting the network and the organization from attacks.
Next, organizations need to assume the worst -- you will be hacked or breached. Be prepared with an incident response team that is prepared to respond to any security event at a moment's notice. Read daily cybersecurity news and pay attention to new attacks and trends. The Verizon DBIR and other such reports are strong resources. Subscribe to the US-CERT and ICS-CERT mailing lists, and connect with regional and national cybersecurity organizations.
And, finally, get smart on cyber and physical security issues your company, customers and suppliers face. Contact your local FBI and U.S. Secret Service offices and have a "go-to" security resource should events require outside help. You should also pay attention to the current policy environment in Washington and be an active, educated participant in the political process.
As organizations continue to struggle making the necessary adjustments to IT security strategies in the face of major headwinds, the following excerpt from the 2013 Verizon DBIR provides a compelling point for all of us to consider:
Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don't do). If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.
That's sound advice to build a strategy on.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, works as managing principal for critical infrastructure protection and cybersecurity on Verizon's RISK Team, devoting much of his time to working with clients to assess cybersecurity strategy and plans and implement recommendations on security policy and deployment plans for energy, utility, critical infrastructure, industrial control systems and smart grid security globally. Hayden is an experienced information security professional and technology executive, providing global thought leadership for more than 13 years in the areas of information security, cybercrime and cyberwarfare, business continuity and disaster-recovery planning, leadership, management and research.
This was first published in August 2013