In the wake of successful or thwarted security incidents that have made the news, the same response patterns can be seen repeatedly, all the more so when state infrastructure, critical systems, or companies with global visibility are affected.
Politicians demand stricter regulations and more robust audits, operators of these systems demand more money, and software suppliers present new and extended components from their range of security products, often combined with new concepts and many three- to five-letter abbreviations.
But cyber security didn’t just start a few years ago; the technologies, concepts, and common-sense approaches to implementing them have in many cases existed for decades and have been successfully deployed in many organizations for just as long.
Indeed, better auditing and more money for cyber security (if used wisely) can surely help. But the root causes of the security incidents that have occurred in recent months reveal blatant conceptual weaknesses. It is by no means a matter of technically complex defenses against highly sophisticated attack vectors; more often, it is a matter of implementing the most basic security measures.
The unauthorized access to the hacked water treatment plant in the US state of Florida was gained via an unmaintained Microsoft operating system version (Windows 7) that was not protected by a firewall. Remote maintenance software had been left installed on this system and was accessible with only a username and password. The password in question was known to all employees.
This description of the overall circumstances almost sounds like an invitation to intrusion. The question of whether access was gained by guessing or trying out passwords, or by a malicious employee or ex-employee, is already irrelevant in such a case.
This highlights that the most critical steps that need to be taken now to protect critical systems are exactly the steps that should have been implemented comprehensively and continuously for years. Although they are commonly applied in enterprises already, there is often still a need for action in critical national infrastructure (CNI) and its underlying operational technology (OT).
Safeguard from the ground up
Figuratively speaking, it is not primarily a matter of repainting the house and erecting yet another fence. Instead, it’s cleaning out the basement, securing the doors well, changing all the locks, and finally making appropriate use of the existing alarm systems that were purchased (and ignored) years ago. Employ a security guard service if necessary.
Let’s start with the essential requirement that all software components, including the underlying operating system, are deployed in the latest version with all necessary patches and are configured and operated securely.
Wherever reasonable, firewalls and appropriately granular network segmentation are a mandatory requirement for securing critical systems. This also includes identifying remote maintenance systems or instances of SSH access that are no longer in use or are only weakly protected. Protect all systems.
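The two checks the last paragraph asks for (is remote access still password-based, and is it still in use at all) are simple enough to automate. The script below is an added example written for this article, not code from the article's author or from any product it mentions. It parses an OpenSSH `sshd_config`, compares a handful of settings against a hypothetical hardening baseline (the baseline and the sample config are constructed here, not taken from any real host), and then flags entries of a constructed remote-access inventory that have been idle for too long or still rely on shared passwords. The inventory format and the 90-day idle threshold are assumptions for the example.

```python
"""Audit an sshd_config and a remote-access inventory for the weak spots the
article names: password-based remote access and access nobody uses anymore.
Added example for this article; the sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample sshd_config, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
"""

# Hypothetical hardening baseline (keyword -> required value, lowercase).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Values OpenSSH assumes when the keyword is absent from the file.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return keyword -> value for the first occurrence of each keyword,
    which is the one sshd honours. Comments and blank lines are skipped and
    both 'Key value' and 'Key=value' forms are accepted. Conditional Match
    blocks are out of scope for this example, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (keyword, found, expected) for every baseline deviation.
    An absent keyword is judged by its OpenSSH default, so a file that
    simply omits PasswordAuthentication is still reported as weak."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in BASELINE.items():
        found = settings.get(key, SSHD_DEFAULTS[key])
        if found != expected:
            findings.append((key, found, expected))
    return findings


@dataclass
class RemoteAccess:
    name: str
    host: str
    auth: str        # "key" or "password" (assumed inventory vocabulary)
    last_used: date  # last successful login seen in logs


# Constructed inventory; names and dates are made up for the example.
INVENTORY = [
    RemoteAccess("vendor-remote-support", "plc-hmi-01", "password", date(2020, 9, 3)),
    RemoteAccess("ops-jumphost", "jump-01", "key", date(2021, 2, 10)),
    RemoteAccess("legacy-modem-ssh", "pump-ctrl-02", "key", date(2019, 11, 20)),
]
REVIEW_DATE = date(2021, 2, 15)  # constructed "today" so the run is repeatable


def stale_or_weak_access(inventory, today, max_idle_days=90):
    """Return (name, reasons) for entries unused longer than max_idle_days
    or still protected by a password rather than a key."""
    results = []
    for entry in inventory:
        reasons = []
        if (today - entry.last_used).days > max_idle_days:
            reasons.append("unused")
        if entry.auth == "password":
            reasons.append("password-auth")
        if reasons:
            results.append((entry.name, reasons))
    return results


if __name__ == "__main__":
    for key, found, expected in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"sshd_config: {key} is '{found}', baseline requires '{expected}'")
    for name, reasons in stale_or_weak_access(INVENTORY, REVIEW_DATE):
        print(f"remote access '{name}': {', '.join(reasons)}")
```

Run against real hosts, the config audit is the part to wire into a nightly job; the inventory part only works if "last used" is actually fed from authentication logs, which is exactly the alarm data the article says was bought and ignored.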