The security of industrial systems has been a matter of analysis and debate for years, especially after the onset of threats against them such as the Stuxnet worm in 2010, and the recognition of the vulnerability of these systems to external attacks.
Six years after Stuxnet, and in the wake of the threats that followed it, such as Flame and Duqu, IT security teams face numerous challenges in safeguarding critical data against threats that no longer distinguish between types of industry.
One question becomes clear: are all these businesses and industries prepared to face future challenges?
Critical systems at risk
The importance of ensuring information security on critical infrastructure has been recognized for years, yet there are still cases that illustrate the need for improvement.
One of the major sources of security deficiencies is that many manufacturers of these platforms do not allow changes or updates to be made to the systems that control the hardware.
In summary, organizations are managing critical infrastructure using operating systems that are obsolete, vulnerable and yet connected to the internet, increasing the likelihood of a security incident.
Consequently, there is a need for manufacturers and industries to join forces to update their infrastructure and mitigate security breaches that leave the door open to potential attacks.
Common threats targeting industries indiscriminately
When it comes to cybercriminals targeting industries such as energy, oil, mining and various industrial systems, attacks are not restricted to sophisticated, complex threats such as Stuxnet, Duqu or Flame.
During 2015, several cases were reported of energy companies being attacked by malware dubbed Laziok, used to collect data on compromised systems, including machine name, CPU details, RAM size, hard disk size and what antivirus software was installed.
With this information, cybercriminals can determine if the computers are viable targets for future attacks. What is curious about these cases is that the attacks were based on emails containing an attachment that exploited a Microsoft Windows vulnerability. Even more problematic was that although a patch for this vulnerability was created in April 2012, many industries had not applied it yet.
Healthcare – among the most affected sectors
In addition to the industrial sector, the healthcare industry has been an important component of the security debate over the past year. During 2015, and as part of Verizon's Data Breach Investigations Report, analysts identified approximately 80,000 security incidents, of which 234 were healthcare-related, and 2,100 data loss breaches, with 141 occurring in the healthcare industry.
Several categories of security issue have become more evident, chief among them insider abuse and bad practices, which caused 15% of security incidents in the healthcare industry in 2014, compared to 20% in 2015, according to Verizon's report.
Healthcare organizations have also become more vulnerable to web application attacks and distributed denial-of-service (DDoS) attacks, as this industry suffers 4% more of this type of attack than all other industries combined.
Add to this the findings of the Ponemon Institute report, which revealed that the root cause of security breaches in healthcare organizations has shifted from accidental to intentional. Criminal attacks are up 125% compared to five years ago, and lost laptops are no longer the most common data breach threat.
In addition, the 2015 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data found that most organizations are unprepared to respond to new cyber threats and lack the proper resources to protect patient data. 45% of healthcare organizations said the root cause of their data breaches was cyberattacks, compared to 40% in 2013.
Highly vulnerable medical devices
In addition to the security management issues mentioned above, new medical equipment also brings with it significant risks. Improved capabilities in these devices include the fact that they feature an internet connection, but this can be a mixed blessing. For instance, in the case of implantable medical devices (IMDs), which are intended to treat a variety of conditions, security concerns are often underestimated and even overlooked.
The threat posed by this medical gear is very real, and numerous types of device have been infected by malware, in most cases inadvertently. In fact, during 2014 over 300 different surgical devices reportedly suffered a vulnerability that might allow attackers to alter their configurations.
As is the case with industrial security, connectivity is a critical aspect. In this sense, it can be argued that the security level of wireless connections is often very low, and that the medical equipment industry continues to put off the inclusion of security mechanisms on their devices.
For these reasons, medical devices are considered an easy target, as they feature outdated applications with insufficient security. The large majority of networked biomedical devices do not enable modifications and do not support third-party-vendor authentication agents, making them vulnerable to access via web browsers.
In 2015, security researchers found vulnerabilities in critical medical systems, which put them at risk of being exploited by attackers. In the report detailing their research, they said they were able to access internet-connected devices, and that they accessed the network of a US health provider and found up to 68,000 medical systems and equipment with vulnerabilities that were exposed to attacks.
This is why the healthcare sector should be more aggressive in its defense planning, and should adopt a faster pace in assessing risks, to guarantee that funds are well invested and that resources and assets are well protected. Ideally, risk assessments should be carried out continuously rather than periodically. This helps to guarantee that new assets, as well as physical and digital strategies and defenses, are promptly included in business plans and incident response plans.
Record theft: more than just exposed data
Successful attacks exploiting the flaws discussed so far allow cybercriminals to gather a wealth of information, especially from the healthcare industry, such as patients' names, health insurance numbers, telephone numbers, home addresses, email addresses and other personal data. However, even more critical data can be breached, such as medical records containing diagnoses and medication details. This information is very valuable to attackers, and if stolen, it can be sold for profit, along with the personal data mentioned above, on a much more specialized black market.
Regardless of where the information is obtained – whether it is openly available data that was published online or very specific information stolen from medical records – if criminals manage to harvest a large amount of it, they can sell it or use it to steal victims' identities. That enables a range of crimes: creating false IDs, opening bank accounts and applying for credit cards, committing tax fraud, and even answering security questions in order to access online accounts, thus taking the threat to new digital horizons.
Clearly, the benefits of the internet and wireless networks are very appealing to the healthcare industry. Above all, they provide the user with immediate access to a treasure trove of information about patients' medical records from any location with an internet connection. However, these are very sensitive data, and it is essential not only to have smart protection systems on the devices that hold or access them, but also to add further barriers such as encryption and multi-factor authentication, as well as sound network segmentation and reliable incident recovery strategies.
Focusing on security to prevent intrusion
Analysis of these cases makes it clear that there is still much to do to raise awareness and provide education on information security in private and public sector organizations. Attackers are always looking for a way into a system through any gate that is left open, and once inside they can not only steal information, or compromise equipment so that it uploads data to a malicious network for misuse at will, but also alter the functioning of industrial equipment for improper purposes.
In an effort that illustrates the focus on the protection of critical infrastructure, the National Science Foundation in the US awarded Texas Christian University (TCU) approximately $250,000 in funding to help it come up with effective measures that will protect medical devices from cyberattacks. Similarly, the European Union Agency for Network and Information Security (ENISA) has revealed that it will be looking to focus on developing good practices when it comes to 'emerging smart critical infrastructure' in 2016.
The industries that use these systems with major security flaws are ones that provide essential services to the population. Their infrastructures include water treatment, electric power generation and distribution, natural gas distribution plants, and even medical record database facilities. Their systems handle truly sensitive information, which explains the criticality of the associated risks and the great impact in case of vulnerability or failure.
Although some changes that improve security have been introduced in many of these industries, there is still a long way to go in the various sectors. The number of attacks against this kind of infrastructure will rise in 2016 unless protection actions continue to be taken at a fast pace, and that is why all activities related to information security in these sectors will continue to gain prominence as a key management factor.
This article is an adapted version of the corresponding section from ESET's 2016 trends paper (In)security Everywhere.