Defending Nations' Critical Infrastructure against Cyber Attacks
Cyber crime was already bad enough: money whisked from bank accounts, intellectual property and personally identifiable information made off with. It was a nuisance to all; it was sometimes devastating to organizations–but it all stayed nicely within the realm of cyberspace. Now, cyber criminals have turned their gaze upon critical infrastructure like power grids. Suddenly, fighting hackers got a whole lot more serious.
A report from the World Energy Council states that the risk from cyber threats has increased, specifically in North America and Europe: “A clearer understanding of the nature of cyber risk and mitigation measures for energy infrastructure is necessary, in an environment of increasing interconnectivity and emerging technologies.”
We now live in a world in which hackers sponsored by nation-states or crime syndicates have the ability to disrupt the national power grid and other critical national infrastructure. And though nation-state threats, while very real, may seem like a plot for a Hollywood blockbuster, any increase in the possibility of such attacks will lead to an escalation in disruption as opportunistic attackers jump on the bandwagon and exploit vulnerabilities for their own ends.
The World Energy Council was proven right last year, when 200,000 customers lost power due to a successful attack against the Ukrainian power grid. The power companies, caught in the middle of the hack, described it as a sophisticated attack comprised of a vicious cocktail of phishing and a form of malware named “BlackEnergy.”
Though the hacker responsible for the attack on the Ukrainian grid got into the network initially via email, it’s only a matter of time before hackers find their way in via any of the many possible devices connected to the target network. Critical infrastructure today relies on data transfers between devices like water sensors and water valves, for instance. These networks now depend on machine-to-machine and person-to-machine communication between hardware devices and IT and software devices.
Expanded use of PKI has a proven track record of helping to bring resolution to high-assurance challenges
While this kind of information brings tremendous benefit, it also introduces significant cybersecurity risks. Hackers have already demonstrated that they can take over any device with an IP address—including webcams, printers and baby monitors—and a guessable password and use it for their own purposes.
Adding to the already complex environment of connected devices are the third-party vendors who need access to organizations’ networks. There are as many IoT threats as there are network endpoints, and organizations have taken notice. MarketResearchReports.biz predicts that the IoT security market will grow at a CAGR of 55 percent between 2016 and 2020. They project that the utilities sector will drive the demand due to extensive implementation of smart meters and IoT for utility management systems such as gas, energy, water and oil.
A Star is Born: PKI
The line between the digital and physical worlds has blurred due to the advanced nature of cyber attacks. It is crucial to recognize that civil infrastructure providers and heavy industry are not building their own networking, data handling and security technologies.
Mitigating risk involves creating a system to establish appropriate levels of trust between all these disparate “things.” But just as organizations can inherit security risks from using what they already have, they can also benefit from existing infrastructure. Public key infrastructure (PKI) has been playing a quiet security role for decades, issuing credentials used to perform strong authentication, validating integrity of transactions and securely exchanging keys used to ensure confidentiality of communications between systems and devices. It’s only natural, then, that the security challenges presented by the IoT are causing a resurgence of interest in PKI.
What’s needed are technologies that have demonstrated efficacy and reliability in large-scale systems–such as the global payments network and the SSL/TLS fabric we use every day; cryptography and PKI fits this bill. That’s important, because the data that systems receive must be reliable; it will be used to make decisions like which control valve to turn on or off, or when to shut off someone’s electricity. These devices must provide trustworthy information to the infrastructure provider, often employing data analytics that span millions of such devices. Users, service providers or even regulators need to authenticate that they are talking to the correct device, that the device is functioning properly and has not been tampered with, is configured correctly and that data is protected when at rest, in use or in motion.
Cryptography has a long history of success in human society, and that legacy continues in the digital world, with this critical caveat: it is highly dependent on the integrity of its key management systems and practices. Organizations can’t afford to assume that the cryptographic infrastructure that underpins the integrity of PKI’s identity assertions is solid. The idea that a utility’s keys and PKI could be compromised, resulting in a downed power grid or endangered water supply, is no longer the stuff of fiction.
Fortunately, there is a way to secure trustworthy digital identities: hardware security modules (HSMs). They have become more mainstream and relevant in the light of this very possible scenario. HSMs provide a hardened, secure root of trust to enable a higher degree of security when deploying cryptographic technology. Software-based crypto can’t touch this level of security.
For organizations dealing with a high volume of keys, HSMs are an essential component of the modern, hardened crypto system and are no longer an option. They raise the probability of deploying cryptography in a secure and unbreakable fashion.
Creating a Robust Strategy
Cyber criminals can now gain access to physical infrastructure; that’s a fact of modern life. The IoT introduces billions of new end points that raise security concerns, but it finds a natural security partner in an expanded use of PKI, which has a proven track record of helping to bring resolution to high-assurance challenges. As the IoT proliferates, PKIs and their associated digital certificates stand ready to secure the growth of internet-connected devices.
Now is the time for the nation’s CIOs, particularly those tasked with keeping critical infrastructure safe, to embrace PKI and their companion, HSMs, in order to close IoT security loopholes. HSMs provide the secure, hardware-based root of trust to ensure the integrity of digital identities and strong key management. They represent the kind of robust cyber strategy needed today to defeat malicious actors from accessing and compromising vital services.