If you haven’t heard, October was National Cyber Security Awareness Month (NCSAM). NCSAM is sponsored by the U.S. Department of Homeland Security and the National Cyber Security Alliance, and each week of the month has a different theme. The STEALTHbits team observed the month with a new blog post on the theme each week. So stay tuned in to catch all the NCSAM info coming your way.
The fifth week theme for National Cyber Security Awareness Month (NCSAM) is “Protecting Critical Infrastructure From Cyber Threats.” On the site they give examples like “traffic lights, running water, phone lines” to explain what critical infrastructure means. This New Jersey native who has spent his whole life living minutes from the center of Manhattan thinks first about trains and subways. Whatever example you choose, it is easy to picture the chaos – and possibly carnage – that would result from the wrong people getting their hands on the control switches for these systems. The trouble is that we also have the competing impulse to want this infrastructure to play nice with all our high-tech toys. We want instantly updated schedules beamed right to our hands. We want to carry our tickets and passes on our phones and not on paper. Every inroad we build into this critical infrastructure for our gadgets instantly becomes an attack surface for the bad guys.
What NCSAM is calling critical infrastructure is a subset of the larger world of OT – Operational Technology. OT has lived an isolated life from IT for many years. Both have advanced and evolved in that time, but at drastically different paces and in different ways. The best way to illustrate this is to discuss a large city’s train system (I can’t say which for reasons that will become obvious). A friend landed a contract to help oversee the cybersecurity aspects of rolling out digital features. This would be things like these instantly updated schedules, e-ticketing, and the frills big cities are offering to their transit riders. At every station there was some OT that ran in a closet (literally) that was taking care of signaling and other functions. These systems were connected to the infrastructure (tracks, signal lights, switches, etc.), but they were not networked in any way. These were islands. They were designed like islands, and made to last using the best available technology at the time. This included a completely custom UNIX system doing a lot of the controls, and for the user interface, a computer running Windows 95. This was happening in 2015. The plan was to hook up that user interface layer to a wider, internet-connected network so it could pass information it normally gave onsite to a technician to the central platform they were building. The catch? That Windows 95 box could not be patched in any way without risking the core functions of the system. Think about that next time you think you’re dealing with old stuff.
How can we protect systems like that? OT was built in fits and starts. Designed to last and then frozen in place to do its job “forever” without changing. Now we want it to change. Digging through layers of OT deployed throughout the years will be like doing an archeological dig. We will find familiar things, but we can only look in wonder at them. Of course, not all systems are quite as bad as this train station tech my friend unearthed. In many cases, security pros find themselves meeting end users or the business halfway on how they will deploy solutions. With the OT that powers much of our critical infrastructure, the security folks will likely need to go a lot more than halfway to meet these people. As always, the best approach will be a risk-based strategy. In the case of those train stations, it was just too risky to either break the systems or risk that someone may attack them on a network. They found a new way to get the data they needed. That may sound like “retreat in failure” was the tactic, but I see it more as security getting to have a seat in the business decision and, when the risk is simply too high, being able to use that seat to steer the solution to a better place in the long run.