The security of industrial systems has been a matter of analysis and debate for years, especially after the onset of threats against them such as the Stuxnet worm in 2010, and the recognition of the vulnerability of these systems to external attacks.

Six years after Stuxnet and in the wake of other threats that followed, such as Flame or Duqu, IT security teams face numerous challenges in the quest to safeguard critical data against threats that no longer distinguish between types of industry.

One question becomes clear: are all these businesses and industries prepared to face future challenges?
Critical systems at risk
The importance of ensuring information security on critical infrastructure has been recognized for years, yet there are still cases that illustrate the need for improvement.

To a large extent, one of the major sources of security deficiencies is the fact that a large number of the manufacturers of these platforms do not allow the introduction of changes or updates to the hardware-controlling systems.

In summary, organizations are managing critical infrastructure using operating systems that are obsolete, vulnerable and yet connected to the internet, increasing the likelihood of a security incident.

Consequently, there is a need for manufacturers and industries to join forces to update their infrastructure and mitigate security breaches that leave the door open to potential attacks.
Common threats targeting industries indiscriminately
When it comes to cybercriminals targeting industries such as energy, oil, mining and various industrial systems, attacks are not restricted to sophisticated, complex threats such as Stuxnet, Duqu or Flame.

During 2015, several cases were reported of energy companies being attacked by malware dubbed Laziok, used to collect data on compromised systems, including machine name, CPU details, RAM size, hard disk size and what antivirus software was installed.

With this information, cybercriminals can determine if the computers are viable targets for future attacks. What is curious about these cases is that the attacks were based on emails containing an attachment that exploited a Microsoft Windows vulnerability. Even more problematic was that although a patch for this vulnerability was created in April 2012, many industries had not applied it yet.
Healthcare – among the most affected sectors
In addition to the industrial sector, the healthcare industry has been an important component of the security debate over the past year. During 2015, and as part of Verizon’s Data Breach Investigations Report, analysts identified approximately 80,000 security incidents, of which 234 were healthcare-related, and 2,100 data loss breaches, with 141 occurring in the healthcare industry.

Several security issues have become more evident, primarily insider abuse and bad practices, which caused 15% of security incidents in the healthcare industry in 2014, compared to 20% in 2015, according to Verizon’s report.
Also, healthcare organizations have become more vulnerable to web application attacks and distributed denial-of-service (DDoS) attacks, as this industry suffers 4% more of this type of attack than all other industries combined.
Add to this the findings of the Ponemon Institute report, which revealed that the root cause of security breaches in healthcare organizations has shifted from accidental to intentional. Criminal attacks are up 125% compared to five years ago, and lost laptops are no longer the most common data breach threat.

In addition, 2015’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data found that most organizations are unprepared to respond to new cyber threats and lack the proper resources to protect patient data. 45% of healthcare organizations said the root cause of data breaches was cyberattacks, compared to 40% in 2013.
Highly vulnerable medical devices
In addition to the security management issues mentioned above, new medical equipment also brings with it significant risks. Improved capabilities in these devices include the fact that they feature an internet connection, but this can be a mixed blessing. For instance, in the case of implantable medical devices (IMDs), which are intended to treat a variety of conditions, security concerns are often underestimated and even overlooked.

The threat posed by this medical gear is very real, and numerous types of devices have been infected by malware, in most cases inadvertently. In fact, during 2014 over 300 different surgical devices reportedly suffered a vulnerability that might allow attackers to alter their configurations.

As is the case with industrial security, connectivity is a critical aspect. In this sense, it can be argued that the security level of wireless connections is often very low, and that the medical equipment industry continues to put off the inclusion of security mechanisms on its devices.

For these reasons, medical devices are considered an easy target, as they feature outdated applications with insufficient security. The large majority of networked biomedical devices do not enable modifications and do not support third-party-vendor authentication agents, making them vulnerable to access via web browsers.
In 2015, security researchers found vulnerabilities in critical medical systems, which put them at risk of being exploited by attackers. In the report detailing their research, they said they were able to access internet-connected devices, and that they accessed the network of a US health provider and found up to 68,000 medical systems and equipment with vulnerabilities that were exposed to attacks.

This is why the healthcare sector should be more aggressive in its defense planning, and should adopt a faster pace in assessing risks, to guarantee that funds are well invested and that resources and assets are well protected. Ideally, risk assessments should be carried out continuously rather than periodically. This helps to guarantee that new assets, as well as physical and digital strategies and defenses, are promptly included in business plans and incident response plans.
Record theft: more than just exposed data
Successful attacks exploiting the flaws discussed so far allow cybercriminals to gather a wealth of information, especially from the healthcare industry, such as patients’ names, health insurance numbers, telephone numbers, home addresses, email addresses and other personal data. However, even more critical data can be breached, such as medical records containing diagnoses and medication details. This information is very valuable to attackers, and if stolen, it can be sold for profit, along with the personal data mentioned above, on a much more specialized black market.

Regardless of where the information is obtained – whether it is openly-available data that was published online or very specific information stolen from medical records – if criminals manage to harvest a large amount of information, they can sell it and even steal victims’ identities to commit various crimes such as creating false IDs, opening bank accounts and applying for credit cards, committing tax fraud, and even using the data to reply to security questions in order to access online accounts, thus taking the threat to new digital horizons.
Clearly, the benefits of the internet and wireless networks are very appealing to the healthcare industry. Above all, they provide the user with immediate access to a treasure trove of information about patients’ medical records from any location with an internet connection. However, these are very sensitive data, and it is essential not only to have smart protection systems on the devices that hold or access them, but also to add further barriers such as encryption and multi-factor authentication, as well as sound network segmentation and reliable incident recovery strategies.
Focusing on security to prevent intrusion
Analysis of these cases makes it clear that there is still much to do to raise awareness and provide education on information security in private and public sector organizations. Attackers are always looking for ways to access a system through any kind of gate that is left open, and once they have managed to breach that boundary, they can not only steal information, or compromise equipment so as to upload data to a malicious network and misuse it at will, but they can also alter the functioning of industrial equipment for improper purposes.
In an effort that illustrates the focus on the protection of critical infrastructure, the National Science Foundation in the US awarded Texas Christian University (TCU) approximately $250,000 in funding to help it come up with effective measures that will protect medical devices from cyberattacks. Similarly, the European Union Agency for Network and Information Security (ENISA) has revealed that it will be looking to focus on developing good practices when it comes to ‘emerging smart critical infrastructure’ in 2016.
The industries that use these systems with major security flaws are ones that provide essential services to the population. Their infrastructures include water treatment, electric power generation and distribution, natural gas distribution plants, and even medical record database facilities. Their systems handle truly sensitive information, which explains the criticality of the associated risks and the great impact in case of vulnerability or failure.

Although some changes that improve security have been introduced in many of these industries, there is still a long way to go in the various sectors. The number of attacks against this kind of infrastructure will rise by 2016 unless protection actions continue to be taken at a fast pace, and that is why all activities related to information security in these sectors will continue to gain prominence as a key management factor.
This article is an adapted version of the corresponding section from ESET’s 2016 trends paper (In)security Everywhere.