
Protecting Critical Infrastructure from Cyberattacks with Network Traffic Analytics


According to a recent New York Times article, there have been cyberattacks on critical infrastructure in Saudi Arabia. While the article did not describe the attacks in full detail, it is a reminder of how important it is to protect critical infrastructure from such attacks. In this article, I'd like to help you understand what critical infrastructure is, how it is being targeted, and how we can protect it from future attacks.

What is critical infrastructure?


Before we can dive into how to protect critical infrastructure from cyberattacks, it is important to define what we are talking about. Critical infrastructure is a broad term for assets that are essential to the functioning of a society and its economy. Facilities commonly counted as critical infrastructure include electricity generation (nuclear, natural gas, coal, etc.), water supply (including sewage and wastewater treatment), public health (hospital and ambulatory services), and security services (police, military). In the United States, the Patriot Act of 2001 defined critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

How is critical infrastructure being targeted?

Now that you understand what critical infrastructure is, let's discuss the ways it is being targeted by attackers.

“A report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the United States reports that industrial control systems were hit by cyber attacks at least 245 times over a 12-month period, from October 2013 to September 2014. Around 32% of industries were from the energy sector, while critical manufacturing comprised 27%. ICS-CERT further revealed that 55% of investigated incidents showed signs that advanced persistent threats, or targeted attacks, had been used to breach systems,” according to the joint Organization of American States (OAS) and Trend Micro “Report on Cybersecurity and Critical Infrastructure in the Americas.”

Over the past 30 years, thousands of analog controls in critical infrastructure facilities have been replaced with digital controls. These new controls give operators and managers visibility into every part of their operations, including flows and pressures at refineries, electricity generation at power plants, and temperatures at nuclear cooling towers. They have, in turn, made facilities more efficient and more productive than their analog counterparts. Unfortunately, the same connectivity that facility managers use to collect data and control devices has given attackers a way into these networks to steal sensitive data, damage equipment, and reduce production.

As was seen in the recent Saudi Arabia cyberattack involving Schneider Electric's Triconex safety controllers, attackers are able to take advantage of weaknesses in control components and network infrastructure to gain access to systems and cause damage. In this case, investigators found an unusual file on an engineering workstation that looked like a legitimate part of the Triconex software but was designed to sabotage the system. How the file got onto the workstation is still unknown, but the case shows how a single file planted on a workstation can put a safety system, and everything it protects, at risk.

How can we protect critical infrastructure from future attacks?

Given what we know, critical infrastructure operators must be on high alert and move to a zero-trust model: we can no longer assume that the vendors who build our infrastructure will protect it from attacks. Further, operators must deploy network traffic analytics to baseline normal operations and alert when traffic deviates from what is expected. Control networks are well suited to this approach because their traffic is highly repetitive: the same HMIs poll the same controllers on the same ports at the same intervals, so a conversation that has never been seen before, a destination outside the plant, or an unusual volume on a known pair stands out. A solution like Scrutinizer, which collects flow data (NetFlow, IPFIX) from the network devices already in place, would show where abnormalities in network traffic are taking place. Specifically, it gives IT and OT staff a window into where attackers are probing the system and, more importantly, where they have already gotten in.
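To make the baseline-then-alert idea concrete, here is an added example in Python that is not Plixer's code and does not show how Scrutinizer is implemented. It learns a baseline from a window of constructed NetFlow-style records for a small plant network (an HMI polling two PLCs over Modbus/TCP, a historian reading the HMI, an engineering workstation occasionally touching a PLC) and then scores live records against it. All addresses, ports and byte counts are invented for illustration; the plant subnet `10.10.0.0/16` and the three alert reasons are assumptions of this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Address space of the plant network; anything outside it is treated as external.
# Constructed for this example.
PLANT_NET = ipaddress.ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record: who talked to whom, on which port, how much."""
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

    def key(self):
        # A "conversation" is this 4-tuple; byte counts are compared per conversation.
        return (self.src, self.dst, self.dport, self.proto)


# Constructed learning-window flows: the HMI (10.10.1.10) polls two PLCs over
# Modbus/TCP (502), the historian (10.10.1.20) reads the HMI over OPC UA (4840),
# and the engineering workstation (10.10.1.30) occasionally touches PLC1.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 1200),
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 1210),
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 1190),
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 1205),
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp", 1180),
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp", 1200),
    Flow("10.10.1.10", "10.10.2.22", 502, "tcp", 1195),
    Flow("10.10.1.20", "10.10.1.10", 4840, "tcp", 8000),
    Flow("10.10.1.20", "10.10.1.10", 4840, "tcp", 8200),
    Flow("10.10.1.20", "10.10.1.10", 4840, "tcp", 7900),
    Flow("10.10.1.30", "10.10.2.21", 502, "tcp", 600),
    Flow("10.10.1.30", "10.10.2.21", 502, "tcp", 620),
]

# Constructed live flows to evaluate against that baseline.
LIVE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 1202),    # routine poll
    Flow("10.10.1.30", "10.10.2.40", 1502, "udp", 3000),   # workstation -> controller never seen before
    Flow("10.10.1.30", "203.0.113.5", 443, "tcp", 50000),  # workstation -> address outside the plant
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp", 9000),    # known pair, about 7x the usual volume
]


def build_baseline(flows):
    """Learn the set of known conversations and per-conversation byte statistics."""
    per_key = defaultdict(list)
    for f in flows:
        per_key[f.key()].append(f.nbytes)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in per_key.items()}


def detect(flows, baseline, sigma=3.0, floor=0.2):
    """Return (reason, flow) for every live flow that deviates from the baseline.

    Checks, in order: destination outside the plant, conversation never seen
    during learning, byte count above mean + max(sigma * stdev, floor * mean).
    The floor keeps near-constant polling traffic from alerting on tiny jitter.
    """
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f.dst) not in PLANT_NET:
            alerts.append(("EXTERNAL_PEER", f))
            continue
        stats = baseline.get(f.key())
        if stats is None:
            alerts.append(("NEW_CONVERSATION", f))
            continue
        mean, sd = stats
        limit = mean + max(sigma * sd, floor * mean)
        if f.nbytes > limit:
            alerts.append(("VOLUME_SPIKE", f))
    return alerts


def run_detection():
    """Build the baseline from the learning window and score the live flows."""
    return detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for reason, f in run_detection():
        print(f"{reason:17} {f.src} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
```

Run as a script it prints three alerts: the workstation talking to a controller it never spoke to during the learning window, the workstation reaching an address outside the plant, and the HMI pushing far more bytes to PLC1 than it ever did before; the routine poll is silent. In a real deployment the learning window would be days or weeks of flow data rather than a dozen records, and the "new conversation" rule is the one worth tuning most carefully, since an engineering change legitimately creates new pairs and should be reviewed rather than ignored.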

Finally, critical infrastructure operators must take a hard look at the components that are internet-facing (or that are connected to systems that are internet-facing), since those are the paths an attacker reaches first. If operators don't act to prevent further attacks, there could be devastating consequences for governments and their citizens. Imagine a nuclear power plant whose cooling controls have been disabled by attackers, or whose alarms no longer trigger when temperatures climb too high. Such attacks can be prevented, and network traffic analytics is a critical part of the equation.

To learn more about network traffic analytics, visit our Scrutinizer page. With better security practices and network traffic analytics, successful critical infrastructure attacks could become a thing of the past (just like those old analog controls).