It sounds naive to think of critical infrastructure having been built without cybersecurity in mind – but with isolated machines in power plants whose lifespans exceed the existence of the internet – itself once an almost entirely benign place – physical security was once considered sufficient.
As Robert Hinden, Check Point fellow, described in his Wednesday RSA session, Protecting Critical Infrastructure, hacking physical infrastructure is something that can affect us all. As with IT systems, there are many vulnerabilities, but the consequences are much greater, and the attacks have begun.
From Stuxnet to German steel mills, it was emphasised that we know physical things can be impacted via cyber means. Hinden also cited a 2014 government report from CERT that included 79 cyber-attacks on energy infrastructure, with manufacturing also high at 65, healthcare at 15, water at 14, communications at 14, transportation at 12, and, lower but equally worrying, nuclear at 6. It is also suspected that there are more victims who are not aware of being attacked. The type of most attacks was described as unknown, though the familiar spear-phishing, weak authentication, network scanning and probing, abuse of access authority, and SQL injection also figured.
Worryingly, most malware discovered was focused on collecting data, not causing crashes – collating and exfiltrating data, information on devices, topology, protocols, etc. – often to the same command and control, which, it is believed, will be used to enable future attacks.
Vulnerabilities include PLCs (programmable logic controllers – which are simply programmable as remote terminal units - but programmable)
None of these assumptions are true now.