Legacy systems in a connected world: Securing critical infrastructure

In 2017, a memo from Britain’s National Cybersecurity Centre (NCSC) revealed how the UK energy sector was likely to have been targeted and compromised by nation-state hackers, and warned that attacks attempting to compromise industrial control systems managed in facilities such as power stations are becoming more common.

The suspected attack on the Irish power grid reported through an anonymously-sourced report that hackers sent emails designed to trick Irish engineers at a power supply plant giving them access to take down parts of the power grid in Ireland, also serves as a reminder of the increasing threat to critical systems.

Whilst there was no evidence of disruption to the network, this still poses a question for many IT teams and industrial engineers. Are you prepared for a nation-wide attack?

Addressing the air gap

One of the biggest challenges to securing critical infrastructure are the industrial control systems (ICS) which underpin their operation as many run using legacy systems. In some cases these can be more than 10-15 years old and are often incompatible with more state-of-the-art security systems and IT developments. Due to their long life-cycle, it’s notoriously difficult to keep ICS secured against the ever-changing and sophisticated threat landscape.

A solution to address this, which has frequently been employed in the past, is to create an ‘air gap’. This ensures that critical control systems are not connected to, or have interaction with, internet systems in any way. Previously this was easier to practice, however today’s industrial organisations need to keep pace with digital transformation and take advantage of the benefits this can deliver. This results in this air gap being removed and modern ICS networks being connected to both the wider enterprise and third parties, opening up vulnerabilities and new pathways for attacks.

Fighting cybercriminals from the inside

It’s becoming increasingly important that operators in critical industries look to adopt strategies that enable the modernisation of operations through securing legacy systems.

Only recently, the NCSC warned that the UK’s most critical industries must increase its cybersecurity defences or face fines of up to £17 million. A simple, straightforward reporting system will be set up to make it easy to report cyber breaches and IT failures so they can be quickly identified and acted upon.

Cybercriminals across the globe are continually developing their strategies and coding, as well as behaviour, to stay ahead of market defence strategies. To attack critical infrastructure, employees are often targeted with tactics to identify vulnerabilities such as weak password storage, unsecured remote access pathways, social engineering campaigns and installing malware on USBs.

With certain state-sponsored hacking groups’ focus on the military, financial and energy sectors, it is paramount that these organisations deploy solutions that help prevent these attacks. Integrating regular and up to date security training to educate employees will ensure they are aware of the most recent tactics used to target systems and what can be done to prevent these.

In addition, implementing solutions to ensure that employees only have access to areas of the network and devices that their role requires can mitigate these types of attacks. This sounds simple, but in reality, it is an area often overlooked.

Using privileged identity and access management tools, organisations can discover and manage their privileged credentials and control what both third-party and internal users can access on the network. In addition, they provide an auditable history of what was accessed and any updates made during any sessions.

This not only secures access to ICS on an ongoing basis and removes attack pathways, but also empowers teams to identify and act on any potential untoward behaviour.

Looking to the future

Whilst automation and other modernisation strategies are necessary for organisations to deliver efficiencies and competitive advantages, they must also ensure their IT infrastructure and operations remain secure. Organisations must not look to ‘rip and replace,’ but implement practical approaches to secure existing legacy systems but ones that also safeguard future investments.

With new industry regulations and standards being implemented, it’s crucial for organisations to recognise and address the risks that connected systems introduce, looking at long-term solutions that secure ICS and critical infrastructure, while enabling the modernisation of operations and delivering efficiencies.

By Scott Walker, Senior Solutions Engineer, Bomgar