As threats and cyber-attacks on critical infrastructure are expected to intensify in the near future, cyber-security experts believe that companies and government agencies should be prepared to operate networks even if there’s malware or a threat actor on the network or not.
The idea is that cyber-attacks should not cause downtime of any form, and networks should be designed in a way that an attacker’s presence does not affect the network’s availability for end users.
Experts who believe in this approach are Major General Robert Wheeler, retired US Air Force, and former Deputy Chief Information Officer for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC), US Air Force.
Also: State Department shamed for poor adoption of multi-factor authentication
The Major General expressed this viewpoint in a webinar organized this past week by California-based cyber-security firm Virsec.
“That’s where we have to go,” Maj. Gen. Wheeler said. “Many of the networks of our lives, whether it’s critical infrastructure or whether it’s going to be networks in the future, in smart cities, they’re going to have to operate whether it’s malware or in or not.”
“That’s a different concept,” Maj. Gen. Wheeler added, referring to the fact that most networks weren’t even designed with security in mind, let alone to working with threat actors present on them all the time.
“We had networks that were designed to move data around to be helpful, so we played all the quirks that were required at that particular time. [The networks] weren’t designed to protect you from cyber-security [threats], and as soon as we thought there was a bad guy in it, we shut it down. It was that simple,” he said.
“You can’t do that anymore. They are critical to our command and control, they are critical to our common operating picture, they are critical to the control of different systems within there.
“So given that particular aspect, we have to operate on this. We have to operate; whether it’s a critical infrastructure, whether it’s an election, […] or a bank, we can’t shut their doors for two weeks why they try to figure it out. They’re gonna have to operate with a bad guy on the network,” he added.
“How are they gonna do that? They have to isolate it, they only have to execute those execution pieces that are part of their operation and they’re not gonna be able to rely on perimeter defense,” the Maj. General added.
Also: Data breaches affect stock performance in the long run, study finds
But Maj. General Wheeler also touched on what attackers are doing when they break into these networks, while also expressing some fears of how the attacks are evolving and what type of damage these cyber-attacks could cause in the future.
“They used to be kind of obtrusive in the past, smash-and-grab, as I call them. Like in a store where you go and grab all the jewelry, and go. That was always kind of what they were doing, grabbing all the data.
“Now, they’re spending a lot more time observing, spending time in there digging deep, having multiple backdoors, […] and having it that even if you’re aware what happened it’s very difficult for you to actually figure out how to stop them. That’s one that bothers me,” the Maj. General said.
“The other one is more of a data attack,” he added, “and I don’t mean a data attack cause they’re exfiling the data, or stealing intellectual property, but changing the data.
“So, if you’re a bank or something, and you’re worried about something, and somebody is trying to get back at you, one of the ways they’ll do that, obviously, is to continuously change the bank account numbers, and scramble them.
“Those kind of things, where you change the data, scare me,” Maj. General Wheeler adds. “I think you’re going to see that, and not only in banks but in all sorts of things.”
“In the future, when it comes to big data, as big data becomes more and more important, scrambling the information coming from sensors is a really new technique to get the answer [result] that you want.
“And that’s a problem. It’s not a traditional attack, but it’s one that’s extremely sophisticated and has the ability to make some high changes. Whether it’s the elections, which scares me to death, whether it’s actual evidence-based, whether it’s climate, whether it’s some kind of other large pandemic issue, and these kind of things can cause massive damage at one point.”
Also: Apple, Amazon, Google, others called to testify on consumer privacy protections
Asked by ZDNet what he regarded as the biggest problem to securing these critical infrastructure networks, the Maj. General replied.
“The biggest challenge is that there is a general lack of understanding of the threat across the government. For many, if they can’t see it, and if they haven’t been directly affected yet, it doesn’t exist,” the Maj. General told ZDNet via email.
“Before we can improve our tools and training, or adopt meaningful legislation, we must bridge this fundamental knowledge gap.
“We also need to establish stronger standards (through organizations like NIST), a rapid response group and a set of policies that can deal with other countries/entities that attack our infrastructure.”
“The attacks in the Ukraine have certainly raised concern for those managing critical infrastructure across industries,[1, 2]” Gen. Wheeler added. “We are seeing increased investment in security technology, but there’s a long way to go. The is a big gap between IT and OT (operational technology) in terms of security. Most of our critical systems were built with the idea that they are air-gapped – not connected to the outside world and therefore inherently secure. In practice, air-gaps are an anachronism and are increasingly bypassed by advanced attacks.”
All in all, the idea that Maj. Gen. Wheeler is trying to get across is that attacks on critical infrastructure networks are bound to happen at one point or another, as threat actors are starting to comprehend the type of damages they could cause by attacking these weak points in every nation’s defenses, weak points that have been increasingly exposed online in the past two decades.
Changes are needed in the way these networks are being built, managed, and protected so an attacker should never have the ability to trigger a downtime.