Issue link: https://fhpublishing.uberflip.com/i/690456
NETWORK / 12 / JUNE 2016 There has been speculation recently that the late 2015 power outages in Ukraine were in fact the result of a deliberate attempt to knock the power grid offl ine. One way or another, the threat to critical infrastructure is defi nitely something that governments and companies responsible for such installations must take seriously. With the majority of cyberat- tacks, a hacker's motivation is driven by fi nancial gain. But on other occasions, hackers aim to disrupt the lives of as many people as possible – and successfully infi l- trating a power supplier would be a perfect way to do this. One of the main problems is that organisations in an industrial and/or critical infrastructure setting gener- ally place a much higher priority on continuity of processes than on data protection. So software and systems often go unpatched for extended periods, with their operators relying on air-gaps, fi rewalls and sandbox- ing to protect from malefactors – and neglecting or deprioritising good security hygiene at an endpoint level. This not only makes them attrac- tive targets for cybercriminals, but increases their risk of becoming collateral victims of rogue malware. In fact, it's estimated that up to 80% of control system security incidents C R I M I N A L M O T I V AT I O N Russ Madley explains why energy networks are in desperate need of a culture change are unintentional. It's clearly important that systems are secured effectively, to prevent them being compromised. Yet the truth has always been that, despite all efforts, there's no such thing as 100% security. For example, in 2011, after the targeted attack on RSA, there was an attempt to breach the systems of Lockheed Martin: this highlights the dangers of 'stepping-stone' attacks, in which information stolen from further along the supply chain of a company can be used in a sub- sequent attack (sometimes using a smaller, potentially less secure organisation to gain access to a larger one). It is no longer about protecting corporate endpoints, networks and traffi c with a robust security solution – it's about a deep, multi-layered, tailored and continuous approach to security. Partner networks, education and training all play a critical role in protecting critical infrastructures, but governments must step up too. Regardless of whether cyberattacks on critical infrastructure are moti- vated by politics or piracy, they will continue and increase unless they are stopped, and stopped now. Russ Madley head of B2B at Kaspersky Lab Seeing the threat Many IT professionals in the US energy sector are blind to cybercrime A survey of IT professionals in the US energy sector by global security specialist Tripwire has revealed the lack of awareness of cyberattacks. Tripwire surveyed more than 150 IT sta• in the energy, utilities, oil and gas industries. "The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cybersecurity," says the company. These threats are not going away. They are getting worse. We've already seen the reality in the Ukraine mere months a- er this survey was completed. There can be no doubt that there is a physical safety risk from cyberattacks targeting the energy industry today. While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyberattacks." Tim Erlin, director of IT security and risk CYBERSECURITY Source: Tripwire,Inc 35.4 5.1 8.1 16.2 35.4 strategy, Tripwire Does your organisation have the ability to accurately track all the threats targeting your OT networks? Yes, we are able to track all the threats targeting our network No, we aren't able to accurately track all threats; there are just too many We don't have the visibility necessary to track all threats I only track threats that directly affect my department and can't say what our entire organisation does