Expert: Not Having Internet Connections Doesn’t Necessarily Protect an Organization
ICS can still be hacked if best security practices are not applied within closed systems
A few days ago, the US Department of Homeland Security revealed that in the last three months of 2012 malware infections were identified in the industrial control systems of two power companies from the United States. The malicious elements made their way onto computers from USB devices.Experts highlight the fact that although organizations in charge of handling critical infrastructure try to protect themselves against cyberattacks by not having internet connections, this approach is not worth much if best security practices are not applied within the closed systems.
Jeff Hudson, CEO of Venafi, a leader in enterprise key and certificate management, explains that the lack of such best practices has allowed cyber strikes to surface via compromised trust instruments and USB devices within organizations.
“It is time for those that run our critical infrastructure to understand that it is no longer a question of ‘if’ there will be an advanced attack, but rather ‘when,’” Hudson told Softpedia in an email.
“Organizations must evaluate their vulnerabilities from outside sources as well as insider threats, whether innocent or not, and establish safe practices for employees as well as implement proper security precautions and effective control management to reduce the attack risk.”
The expert emphasizes that these latest attacks demonstrate the fact that actors with knowledge on how the software from these plants works can successfully execute a cyberattack.
“History has taught us that malware such as Stuxnet, designed specifically to target industrial facilities, leverages social engineering and stolen digital certificates to remain undetected and authenticate on the secure network,” Hudson added.
“There was simply no reason for these plants, or any others at this point, not to be prepared for this type of attack.”
The DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has often provided advice for such organizations on how to protect themselves against cyber threats. However, it’s likely that some proper legislation must be set in place before we see any visible improvements.