There is considerable overlap between physical security and cybersecurity, particularly when it comes to protecting critical infrastructure. Preventing infrastructure from being tampered with demands significant investment in physical security, but any device connected to the internet also represents a potential entry point into the broader network. Devices that lack sufficient protections can give adversaries a foothold in the network from which to launch costly and damaging attacks. Ransomware attacks on infrastructure targets are both popular and lucrative, as it is often easier (and cheaper) to simply pay a ransom than to suffer significant downtime. Losing power, water or heat for an extended period can be expensive — even deadly — and attackers know organizations are highly motivated to pay.
A cyberattack can also be used to lay significant groundwork for a criminal group planning to target a physical location. After all, gaining access to a surveillance system can provide them with valuable intelligence, such as when personnel are present, what pattern security patrols follow, and when buildings are occupied or unoccupied. An attacker who gains access to surveillance feeds might seize control of that entire system and launch a ransomware attack, but they could also be more targeted in their approach. Disrupting a small number of cameras in key locations might not be noticed, and could help cover up a physical attack or intrusion. Adversaries often eschew smash-and-grab tactics in favor of slow-burn attacks, sitting on a network for weeks or months to conduct reconnaissance.
Fortunately, those operating within the critical infrastructure industry don’t need to accept this degree of vulnerability. Recent technological advances (and industry regulations) have put new resources in the hands of critical infrastructure organizations. Those wishing to limit their exposure to both physical and digital attacks should ensure they remain as current as possible with security best practices.
Tip #1: Don’t neglect your SBOMs
Organizations usually have a solid understanding of what hardware is in their environment: number of cameras, types of servers, etc. But it has traditionally been much more difficult to understand and catalogue what software is in use. Thankfully, it is becoming increasingly common for developers and manufacturers to include a software bill of materials (SBOM) with any new device. An SBOM is exactly what it sounds like: a list of the components, resources and processes used to develop a given piece of software. In 2021, the White House issued Executive Order 14028, which included a slate of new measures designed to improve the nation’s cybersecurity — and, as of this year, that order is being strictly enforced. The order made SBOMs mandatory for federal entities — especially those working within critical infrastructure — which means it is now easier than ever for organizations to know exactly what is going into the products and solutions they use.
It’s hard to overstate how valuable this is from a cybersecurity perspective. If a vendor or individual piece of software is compromised, organizations can now identify exactly where it exists within their network environment and go directly to the manufacturer to ask about remediation or patching plans. SBOMs make it possible to monitor individual software components, and if one of those components contains a vulnerability, the organization can take the necessary steps to make sure any affected devices don’t give attackers easy access to their network.
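The lookup described above, as an added illustration that is not part of the original article: a fleet inventory is joined against per-model SBOMs (constructed here in a minimal CycloneDX-like shape, not any vendor's real SBOM) so that one advisory naming a component and its fixed version yields the exact devices and sites that still carry an affected version. Device ids, models, sites and versions are all made-up sample data.

```python
import json
import re

# Constructed, CycloneDX-style SBOMs keyed by device model (sample data, not a real vendor's).
SBOMS = {
    "cam-model-a": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "busybox", "version": "1.31.0"}]}),
    "cam-model-b": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.9"},
        {"name": "busybox", "version": "1.36.1"}]}),
    "nvr-model-x": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "busybox", "version": "1.31.0"},
        {"name": "libcurl", "version": "7.79.1"}]}),
}

# Constructed device inventory: (device id, model, site).
INVENTORY = [
    ("cam-001", "cam-model-a", "substation-north"),
    ("cam-002", "cam-model-b", "substation-north"),
    ("cam-003", "cam-model-a", "pump-house"),
    ("nvr-01", "nvr-model-x", "control-room"),
]


def version_key(version):
    """Turn '1.31.0' or '1.1.1k' into a tuple that compares numerically per field.
    Numeric fields sort as (0, n) and letter suffixes as (1, s), so mixed fields never
    raise a TypeError when compared."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def affected_devices(advisory, sboms=SBOMS, inventory=INVENTORY):
    """Return [(device_id, site, installed_version)] for every device whose model SBOM
    lists advisory['component'] at a version older than advisory['fixed_in']."""
    vulnerable_models = {}
    for model, raw in sboms.items():
        for comp in json.loads(raw)["components"]:
            if (comp["name"] == advisory["component"]
                    and version_key(comp["version"]) < version_key(advisory["fixed_in"])):
                vulnerable_models[model] = comp["version"]
    return [(dev, site, vulnerable_models[model])
            for dev, model, site in inventory if model in vulnerable_models]


if __name__ == "__main__":
    # Hypothetical advisory: busybox releases before 1.36.0 are affected.
    for hit in affected_devices({"component": "busybox", "fixed_in": "1.36.0"}):
        print(hit)
```

The same join is what lets an organization go to the right manufacturer with a precise list of affected units rather than a guess.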
Tip #2: Accelerate your patching and updating schedules
Staying up to date with patches and updates is often a weak link for organizations, and not just those in critical infrastructure. As technology becomes increasingly interconnected, many organizations fear that installing updates and patches will disrupt the many integrations and interdependencies that make their solutions work. Many organizations adopt an “if it ain’t broke, don’t fix it” mentality when it comes to their products, and while that might have been fine ten years ago, today’s attackers are much more adept at exploiting vulnerabilities as they arise.
Most product manufacturers release patches every 30 to 45 days, but critical infrastructure organizations often want to conduct extensive testing to be sure those updates won’t disrupt their production environment. This is understandable, but ultimately counterproductive: Cybercriminals will look to take advantage of a vulnerability the moment it becomes known, and the longer it takes to patch, the more time they have to infiltrate your network. Today’s organizations can’t afford to fall behind; timely patching and updating needs to be part of the culture.
Organizations that are particularly afraid of disruption may want to seek out manufacturers who offer a long-term support (LTS) option. The LTS model freezes feature updates while still pushing through cybersecurity patches, giving organizations the option to implement only the cybersecurity fixes while they conduct testing on the software updates and feature rollouts that make up the rest of an upgrade package. This mitigates the danger of breaking an integration while still allowing the organization to address the most dangerous security exposures.
Tip #3: Take advantage of automation and monitoring
It’s important to understand the root cause of breaches, and misconfigurations are high on the list. Modern organizations deploy hundreds — even thousands — of cameras, sensors and other security devices, and each of them needs to be onboarded, calibrated and integrated into the network. Even the most skilled technicians and integrators occasionally make mistakes, and attackers are always ready to take advantage.
Automation can dramatically reduce the odds of a dangerous misconfiguration. Instead of relying on integrators to manually configure each device, today’s devices can often be added to the network directly out of the box. With the right automation solutions in place, the network can detect what type of device is being added and apply the correct hardening configuration, obtain a signed certificate to enable encryption, and securely move the device to the production environment. Automation not only removes the potential for human error, but it also makes the onboarding process significantly faster, making it easy to add new devices securely.
The ability to automatically monitor for suspicious activity is also critical. Thanks to SBOMs, organizations can look at the specific technology they have deployed and determine what controls they need to put in place to mitigate potential attacks. Detection tools are particularly important: While it isn’t possible to prevent every attack, the sooner an intruder is detected, the faster they can be dealt with. For example, solutions like endpoint detection and response can detect malware signatures and known malicious processes starting on endpoint devices and alert the security team that suspicious activity has been identified. System logs are also important, as they record everything that happens on a given device, but they need to be integrated into a broader cybersecurity system such as a SIEM or SOAR platform capable of scanning for anomalies and issuing automated alerts. This can help organizations mitigate attacks earlier in the cycle, before ransomware can take root.
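One anomaly rule of the kind a SIEM could run over device logs, written here as an added example rather than code from the article or any product: it reads constructed, syslog-like camera heartbeat lines and raises an alert when two or more distinct cameras in the same zone go offline within a five-minute window, which is the quiet, targeted disruption the article warns might otherwise go unnoticed. The log format, zone names and camera ids are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed device-log lines in an assumed syslog-like format (not from any real system).
SAMPLE_LOG = """\
2024-05-01T02:10:12Z cam-011 zone=lobby event=heartbeat
2024-05-01T02:14:03Z cam-007 zone=perimeter-east event=offline
2024-05-01T02:14:20Z cam-003 zone=lobby event=heartbeat
2024-05-01T02:16:41Z cam-009 zone=perimeter-east event=offline
2024-05-01T02:17:05Z cam-002 zone=perimeter-east event=heartbeat
2024-05-01T02:45:00Z cam-021 zone=parking event=offline
2024-05-01T03:30:10Z cam-022 zone=parking event=offline
"""

LINE_RE = re.compile(r"^(\S+) (\S+) zone=(\S+) event=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, camera, zone, event); malformed lines are skipped
    so one bad record cannot crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def correlated_outages(events, window=timedelta(minutes=5), threshold=2):
    """Return [(zone, first_offline_ts, sorted camera ids)] for each zone in which at least
    `threshold` distinct cameras went offline within `window`. One alert per zone; a SIEM
    would normally de-duplicate repeats."""
    offline = {}
    for ts, cam, zone, event in sorted(events):
        if event == "offline":
            offline.setdefault(zone, []).append((ts, cam))
    alerts = []
    for zone, items in offline.items():
        for t0, _ in items:
            cams = {c for t, c in items if t0 <= t <= t0 + window}
            if len(cams) >= threshold:
                alerts.append((zone, t0, sorted(cams)))
                break
    return alerts


def detect(log_text=SAMPLE_LOG):
    return correlated_outages(parse(log_text))
```

In the sample data the two perimeter-east outages 2.5 minutes apart trigger an alert, while the two parking outages 45 minutes apart do not, which is the distinction between a likely tampering pattern and routine single-device faults.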
Taking control of infrastructure security
Organizations often fail to recognize the interconnected nature of physical security and cybersecurity, but neglecting either one can leave them dangerously vulnerable. For critical infrastructure in particular, protecting both physical locations and digital assets is essential. From individual actors to nation-state attackers, adversaries will continue to set their sights on high-value critical infrastructure targets, and organizations need to be ready to defend themselves. The federal government has taken steps in the right direction, mandating SBOMs and outlining other security recommendations for the industry, but it is ultimately up to organizations themselves to ensure they are adhering to best practices and putting themselves in the best possible position to repel an attack.