The Lockdown

Thycotic’s Cyber Security Blog

Protecting Critical Infrastructure from Cyber Threats

Written by Joseph Carson

November 1st, 2017

Today we are truly living in the world of IoT—the Internet of things—with approximately 9 billion things, or devices, connected to the internet, many of which are powering and enabling our critical infrastructure. Every day billions of employees power up their devices and connect to the internet to plug into their everyday world, all of them depending on the critical infrastructure that keeps it running. They check social media, receive and respond to emails, chat with colleagues, pay invoices, work, shop, listen to music, stream the news—the list goes on and on.

Once a futuristic dream, the connected world has become a reality

In the past few years we have seen so much new technology connected to the internet, collecting vast amounts of data and sending it across the world to be analyzed. This includes health devices, engines, power stations, wind turbines, transportation, medical and financial information, CCTV and even appliances and children’s toys.

What’s next? The industrial internet: smart cities connected online using sensors and data, monitoring every move we make; autonomous vehicles communicating with traffic lights, weather conditions and road traffic to ensure the most efficient traffic flow. We’ve already seen everything from payment systems and medical records to energy and infrastructure systems being connected, and the data being continuously analyzed to improve the services these companies provide or to stay innovative. It’s not much of a stretch to visualize the industrial internet.

Ease of use and robust design have been prioritized; security has been sacrificed

What’s the challenge we’re facing? The challenge with critical infrastructure and the IoT is that the companies that produce and manufacture the systems that make the IoT possible—Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, sensors and Programmable Logic Controllers (PLCs)—typically prioritize ease of use and a robust design, and in almost all scenarios security has been sacrificed, usually only being considered at the end, if at all.

Additionally, the long production life cycle, usually between 7 and 20 years, renders any security considerations obsolete before the design makes it off the production line.

Many of the systems and devices still being introduced:

  • are running legacy operating systems (in some cases Windows 7 and even Windows XP)
  • have firmware with hard-coded passwords
  • use web interfaces running over HTTP
  • have very basic security controls, such as simple PIN numbers
  • have no authentication integration or encryption

All of these might have been fine in a completely air-gapped system in which the perimeter could be controlled and tightened. But with today’s cloud and mobile usage, and high rate of connectivity, this is almost an impossible task—and these systems are being exposed to the public internet.

The lack of security by design means that the risks and threats against critical infrastructure systems are extremely high, and all companies considering deploying the IoT should seriously weigh the increased risks against the benefits.

Imagine what will happen when the lights don’t come on, the alarm does not sound, the temperature stays cold and there is no water to make the coffee or brush your teeth? Panic sets in fast. You look at your phone and you have no charge, you cannot call anyone or find out what’s on the news.

It has already happened. In Ukraine 86,000 homes lost energy as the result of a cyber-attack. This is a reality we must prepare for now.

Here are some recent real-world examples of cyber-attacks against critical infrastructure:

  • Texas – tornado alarms were set off causing panic across the city
  • Germany – a blast damaged a furnace in a steel mill
  • Ukraine – the power grid was taken off-line impacting 86,000 homes
  • UK and USA – hospital devices were hit with ransomware, which resulted in states of emergency being declared because the hospitals were unable to continue critical services
  • Multiple locations – IoT devices have been turned into bots which were then controlled and used to participate in a DDoS (Distributed Denial of Service) attack like the one that targeted Dyn, throwing popular websites like Netflix, Twitter, Amazon, AirBnb, CNN and the New York Times offline and bringing the companies to their knees.

Per Scott White, Professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University, “The potential for an adversary to disrupt, shut down (power systems) or worse, is real here.”

What do these devices have in common? Several things: they all collect data, they communicate across the internet, and in most scenarios they have credentials and passwords to protect the configuration or to enable it to be used to communicate across networks.

When deploying IoT and smart devices it’s most important to ensure that the default credentials and passwords are correctly configured. You must also manage your privileged accounts to protect these devices, and ensure only authorized access is permitted.

Use an enterprise-level privileged access management solution to ensure that all your privileged accounts are discovered and reported. Then, enable automatic management of your accounts to add additional security controls and prevent your devices from being compromised, either to gain access to your network or to attack another target.

Protect Smart Cities and the IoT by using privileged account management, and establish secure access, auditing, monitoring and continuous security of these devices.

Here are 10 tips to help make sure your privileged accounts are protected and critical infrastructure secured:

  • Discover and protect privileged credentials with an extensive audit to identify IT admin use of credentials.
  • Check that credentials are always up to date and set alerts so you know when an admin changes a password.
  • Continuously audit privileged accounts.
  • Keep your credentials well hidden.
  • Enable 3rd party access in a secure manner.
  • Practice password randomization, cycling and checkout.
  • Record and monitor sessions.
  • Monitor privileged analytics and usage trends.
  • Choose a privileged account management solution that’s easy to integrate.
  • Remove and deprovision unused privileged accounts.
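As an added illustration, not Thycotic’s code or product, the toy vault below shows how several of these tips fit together in practice: a device account is enrolled with a randomized password (replacing any vendor default), checked out by one admin at a time, rotated on check-in, every password change raises an alert, every operation is written to an audit trail, and idle accounts are deprovisioned. The account and actor names and the integer day clock are constructed for the example.

```python
import secrets
import string

class PrivilegedVault:
    """Toy privileged-account store: randomized enrollment, exclusive checkout,
    rotation on check-in, change alerts, audit trail, idle-account removal."""

    def __init__(self, today=0):
        self.today = today   # constructed integer day clock, so the example runs offline
        self.accounts = {}   # name -> {"password", "last_used", "holder"}
        self.audit = []      # append-only (day, event, account, actor)
        self.alerts = []     # raised on every password change

    @staticmethod
    def random_password(length=24):
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def _set_password(self, name, actor, reason):
        self.accounts[name]["password"] = self.random_password()
        self.alerts.append(f"{name}: password changed by {actor} ({reason})")

    def enroll(self, name, actor):
        self.accounts[name] = {"password": None, "last_used": self.today, "holder": None}
        self._set_password(name, actor, "enroll")   # never keep a vendor default
        self.audit.append((self.today, "enroll", name, actor))

    def checkout(self, name, actor):
        acct = self.accounts[name]
        if acct["holder"] is not None:   # one holder at a time keeps use attributable
            raise PermissionError(f"{name} is checked out by {acct['holder']}")
        acct["holder"], acct["last_used"] = actor, self.today
        self.audit.append((self.today, "checkout", name, actor))
        return acct["password"]

    def checkin(self, name, actor):
        acct = self.accounts[name]
        if acct["holder"] != actor:
            raise PermissionError("only the current holder can check in")
        acct["holder"] = None
        self._set_password(name, actor, "rotate")   # cycle the secret after every use
        self.audit.append((self.today, "checkin", name, actor))

    def deprovision_stale(self, max_idle_days, actor):
        stale = [n for n, a in self.accounts.items()
                 if a["holder"] is None and self.today - a["last_used"] > max_idle_days]
        for n in stale:
            del self.accounts[n]
            self.audit.append((self.today, "deprovision", n, actor))
        return stale
```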

Get started by trying our free Windows Privileged Account Discovery Tool.
