We have written before about threats to critical infrastructure. Deservedly, it now has the attention of lawmakers around the world. Critical infrastructure provides citizens with power, water, heat, lights, and communications. Few nations have the resources to function properly in an unstable environment.
Nation state actors have long targeted the critical infrastructure of their adversaries, including Industrial Control Systems (ICS) and Safety Instrumented Systems (SIS). In the United States, critical infrastructure security was highlighted in 2021 with the ransomware attack on the Colonial Pipeline and the subsequent issuance of Executive Order 14028. More recently we have seen the damage from cyber-attacks in the Russian invasion of Ukraine. Over 300 cyber operations designed to disrupt the country’s critical infrastructure and defenses have been launched. It is not just power plants under attack. Water supplies in California and Florida have also been targeted.
Pipedream
In April 2022, the US Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI issued an advisory on a malware toolkit designed to target ICS, Programmable Logic Controllers (PLC), and Supervisory Control and Data Acquisition (SCADA) devices. Dubbed Pipedream, the toolkit enables attackers “to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.”
Pipedream is significant in that it is a framework, not a single attack. According to Dragos, a cybersecurity firm that contributed research to the advisory, Pipedream can execute 46 percent of the MITRE ICS-ATT&CK techniques. It assists attackers across the kill chain, including “reconnaissance, command and control, lateral tool transfer, and the deployment of unsigned rootkits.”
Challenges in Defending Critical Infrastructure
While it does not appear attackers have (yet) used Pipedream successfully, it emphasizes the importance of building more secure critical infrastructure. Aside from the potentially disastrous results of a successful attack, the targets of these attacks can be difficult to remediate. Unlike the typical cloud application, identifying and remediating vulnerabilities in critical infrastructure presents challenges:
- Aging legacy infrastructure: Much of our critical infrastructure was designed before cyberthreats existed. In fact, many systems were not built to be online at all. They may not require authentication to access them or alter their state, and may not support encrypted communication.
- Reliance on supply chain security: A power plant, water treatment facility, or industrial control system comprises hundreds or thousands of components from a variety of suppliers. A single weak link can provide a suitable attack vector.
- Always-on requirements: Patching vulnerabilities can be difficult when network stability and availability are critical.
Regulatory response
In addition to Executive Order 14028, the US government is continuing to refine and improve cybersecurity requirements for critical infrastructure. This includes the Industrial Control Systems Cybersecurity Initiative. Earlier, the Transportation Security Administration issued guidelines for pipeline security. These include Security Vulnerability Assessments for “identifying, evaluating, and prioritizing risks and determining effective security measures to mitigate threats and vulnerabilities…”
In Europe, similar initiatives are underway. The Network and Information Society Directive will be updated (NIS2) for enhanced “cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure” and require “individual companies to address cybersecurity risks in supply chains and supplier relationships.”
Security Compass Helps Organizations Be Proactive
Exploitable vulnerabilities result from design, coding, and implementation errors. These errors are avoidable if weaknesses, threats, and countermeasures are identified during the design phase of the SDLC and addressed with countermeasures and security controls during build and implementation phases.
Building secure software is not a secret. There are frameworks available to help security and development teams build more secure software. SD Elements provides an expansive content library of threats, countermeasures, and security and compliance best practices designed specifically to address the needs of organizations building and maintaining critical infrastructure. These include the EO 14028 Security Measures for EO-Critical Software Use and Recommended Minimum Standards for Vendor or Developer Verification of Code, the NIST Cybersecurity Framework and NIST SP 800-82, ISO 27001, FedRAMP, ANSI/ISA 62443, and dozens of other standards.
SD Elements identifies the threats, controls, and countermeasures required for a project based on a brief survey and automatically assigns actionable tasks, including code samples, directly to the personnel responsible for implementation through issue trackers like JIRA, ServiceNow, and Microsoft Azure DevOps.
SD Elements’ comprehensive approach to application security empowers DevSecOps teams to make software secure and compliant by design. With SD Elements, DevSecOps teams can fully “shift left,” and take a proactive, developer-centric “plan and prevent” approach to software security, which lowers software development costs and cyber risks, rather than a reactive, “find and fix” approach, which increases costs and risk.
You can learn more about how SD Elements can help deliver secure software at scale here.