The term ‘critical infrastructure’ was first used to refer to public works such as transportation infrastructure and public utilities. The term includes sectors such as health care, energy & utilities, telecommunications, and most recently, an argument for various manufacturers – particularly germane is the example of Personal Protective Equipment (PPE) during the COVID-19 Pandemic, as too have logistics firms made their role essential. With our growing reliance on technology, the term has continued to expand to encompass technology, particularly since the 1990s, as these essential functions form the foundations of our modern existence. Critical infrastructure protection has therefore become a universal challenge that needs to be addressed, and the aggressive adoption of IoT by many facets within critical infrastructure, we need to evaluate the unique challenges and implications this presents.
To illustrate the state and challenges of IoT within critical infrastructure – given how much now falls under its umbrella – for the remainder of this article we’ll focus on key utilities; energy & water.
How IoT is Used By Critical Infrastructure
In the utilities sector, the advantages of IoT are palpable. Powered by the vast array of sensors and control devices, the assurance in the stability of both the water and power supply is increased substantially. The prevention of faults or outages through more nuanced and subtle regulations of flow, mean a more intelligent and resilient supply. The evolution in the system’s sophistication also translates to improved efficiencies and less need for manual, human involvement, leading to further resource savings for organisations. Furthermore, in the case of energy, a ‘smart grid’ can construct simple predictive maintenance models by extracting a large amount of data, hence boosting overall safety and efficacy.
IoT devices are one of the most significant breakthroughs in recent years that have altered how we live, and the impact on the cyber landscape is no less considerable. So while IoT-enabled critical infrastructure brings enormous benefit, conversely, as with any new sophistication, come new sophisticated risks. This automation and collective intelligence provides new vectors for threat actors, and because of the newness, novel attacks that don’t have standard, proven response protocols. And despite the fact that there have been more IoT devices than individual people for over a decade (a delta still accelerating rapidly), there is little more than nascent regulation or legislation to control their use.
The Threat Landscape
The issue of security has always been an area inherently under scrutiny when it comes to critical infrastructure. In the age of the connected-everything, this has been magnified and made remote. Conflicting factions have used the water supply as a strategy and a possible weapon of war since the beginning of time. Attacking armies damage rivers, wells, lakes, and other natural resources to punish residents for their lack of support, or to render the area useless if they are about to be defeated. And, by combining these resources, parties can alternatively flood or deprive opponents of water, a strategy that has historically been used by those facing unfavourable odds.
Digital threat actors are no different, as can be seen on clear display earlier this year when the water supply of Florida was compromised, and an unsafe amount of a chemical used in the treatment of water was released. This attack was only halted in the final stages due to a worker fortuitously intervening after noticing the abnormal readings. Similarly, we have seen energy and petrochemical plants compromised by the Triton malware targeting IoT enhanced Supervisory Control And Data Acquisition (SCADA) systems – a concept that easily extends to other areas of critical infrastructure as they leverage the same system.
Throughout the last decade, numerous cyberattacks and whitehat incidents have highlighted critical infrastructure’s vulnerability, and its inherently high value as a target for attacks. Whether team or individuals, we’ve seen extortion move to the digital realm in recent years, with attacks on critical infrastructure almost exclusively coming through IoT or related devices. Moreover, we’ve even seen state sponsored attacks between nation states put critical infrastructure in the crosshairs. According to a recent Ponemon Institute survey, more than 90% of critical infrastructure utility organisations are already fending off attacks specifically targeting their IoT assets. And even less targeted and sophisticated attacks like Distributed Denial of Service (DDoS) and ransomware attacks continue to target unsecured endpoints, from traditional OT to IoT devices – from lightbulbs to the very foundations of utility infrastructure. With the likely catastrophic consequences, the critical infrastructure sector must hold protecting the increasingly integral deployment of IoT in primacy.
STEPS TO REMEDIATION
While a growing number of governments around the world have started to issue regulatory requirements for IoT device security, these regulations are neither ubiquitous nor comprehensive. To keep critical infrastructure secure, every facet of the supply chain – from IoT manufacturers to the organisations deploying the solution – must work together. It’s arguable that in the case of critical infrastructure, governments have a duty of care to work towards unifying standards for critical infrastructure and IoT legislation across this supply chain, and that they enforce adherence to cybersecurity best practices built upon data garnered from other governments and even private enterprise.
Until concrete standards and regulations for protecting IoT devices are enforced, it is up to organisations that utilise IoT to secure and monitor their systems. We set out to create a method for any organisation – regardless of its scale or criticality – to protect its IoT-enabled operations.
Hassan Habibi, CTO of CyAmast
As we wait for this maturation of the industry, and indeed the operational excellence of critical infrastructure as a whole, we need to ensure reliable solutions are in place to preclude such potentially catastrophic events. CyAmast presents a new architectural enhancement of existing critical infrastructure for behavioural-based device identification that doesn’t interfere with current operations, and yet provides clear and actionable security. That way, critical infrastructure can monitor and react to any devices that exhibit any anomalous behaviour, and exclude them from the system in near real-time, potentially saving many lives without needing to throw the baby out with the bathwater supply.
