The Patriot Act was passed in 2001 in response to terrorist attacks on American soil. However, we don’t usually think about how it helped define cybersecurity, and how it continues to inform the framework for defining critical infrastructure and how we protect it in the US. With a growing number of connected devices and systems, as well as methods for monitoring and maintaining critical infrastructure, it has also become crucial to apply proper protection, prevention, detection, response and recovery measures.
Although the groundwork for protecting critical infrastructure was laid in 1996, the Patriot Act took the lead on protection in an increasingly digital and connected world. The Act defined critical infrastructure as “those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” (source: https://en.wikipedia.org/wiki/Critical_infrastructure)
Presidential directives dating from Bill Clinton’s initiatives in 1998 have also helped shape how we in the US define Critical Infrastructure Protection (CIP) and cybersecurity. Today the main sectors as defined by the CIP are: Banking and Finance, Transportation, Power, Information and Communications, Federal and Municipal Services, Emergency Services, Fire, Law Enforcement, Public Works, Agriculture, and even National Monuments.
In light of these definitions, the Patriot Act gave us an even clearer definition of what constitutes critical infrastructure and the mandate to protect it. However, technology often evolves in unanticipated ways, and the need to define how to protect that critical infrastructure was further laid out in 2014 by the National Institute of Standards and Technology (NIST). With the establishment of the NIST Cybersecurity Framework, we now have a policy framework and guideline for how to protect critical infrastructure.
It goes without saying, but considering the breadth of what is covered under CIP definitions and how losing any aspect of critical infrastructure could impact our lives, protecting these infrastructures is very meaningful. As we become more digital, connected, and reliant on controlling systems through IT infrastructure, it is crucial to protect critical infrastructure. Maintaining its health directly affects everything from public utilities to health and human services to chemical production. As someone who lives here in Atlanta, I hate to think of how we would be impacted by a breach into the critical infrastructure of the Centers for Disease Control and Prevention.
Since we now have a framework for keeping critical infrastructure secure thanks to NIST, I will look in more detail at how to develop and maintain proper safeguards according to the Cybersecurity Framework, and how to enact incident response practices and recover from potential attacks.
When proper incident response measures are not in place and a playbook for remediation is not readily available, critical infrastructure that is left unprotected is vulnerable to crippling cyber attacks.
But the challenge isn’t only in preventing an attack. Even the best protective services cannot guarantee prevention of a successful attack 100% of the time. Implementing the right tools for threat detection, incident response, and forensic case management are all crucial elements in the fight to stay secure before and after a breach. Without these tools, systems can be lost for days at a time. And when it comes to critical infrastructure, that could mean power outages, loss of millions of dollars, or private information being captured and sold on the black market. A successful cyber attack that goes undetected will fail to notify the proper resources for remediation and timely response. Furthermore, without security information and event management (SIEM) tools and a proper case management solution, time to recover can be dragged out for days or weeks.
The first aspect of protecting critical infrastructure requires a mix of cybersecurity, physical security and human resource management to secure access control. Protecting assets in this manner means giving access to a limited number of individuals and regulating how and when they access assets. On the cybersecurity front, this means strictly regulating and monitoring which devices can gain access to critical assets and limiting when and where they can connect. In spite of best efforts, employees with access to assets have been known to sabotage a company’s infrastructure. In 2013 Citibank had a disgruntled employee who decided to shut down 90% of the company’s network.
Although anomalies like the Citibank shutdown are difficult to prepare for, proper security training and management is key to heading off internal breaches and compromises. Employees are simultaneously a company’s best asset and biggest vulnerability. Spear phishing still remains the biggest threat to security and can only be mitigated through proper training and even running “fire drills” that test employee competency and awareness. Completing regular cybersecurity training and awareness is the best way to get in front of security concerns and keep employees from unintentionally introducing harm to an organization’s critical infrastructure. Organizations are encouraged to participate in partner education through webinars, vendor training, and company best practices. To maintain consistency in training and education, it is important to have employee agreements and acceptable use policies written around cybersecurity and agreed to by personnel.
Important data security measures also need to be taken to keep information from leaking that could be used to gain access to critical infrastructure management or to protected information and records. This is done by locking down or limiting USB access, blocking shadow applications, and limiting what files and data can be easily uploaded to a third party through desktop applications or mobile devices. Proper data security ensures that critical infrastructure is protected and managed in a way that is consistent with the company’s security strategy for protecting the integrity and accessibility of data.
Many critical infrastructure systems are still maintained and operated on legacy software and operating systems. Often this is because of the fear of disrupting critical systems during a slow upgrade. Yet allowing unsupported legacy systems to run critical machinery, utilities, or applications is a huge threat to security. Despite the fear of disruption, it is imperative that this vulnerability gap be bridged by laying out a proper upgrade path. The only way for an upgrade initiative to be as minimally disruptive as possible is to engage with the proper vendor channels and security partners, and to lay out a well-documented plan with a timeframe.
Finally, when it comes to protective measures, processes and procedures need to be written out and documented, including the roles and responsibilities of personnel depending upon their specific duties within an organization. Policies for protecting information need to be standardized and proper security systems need to be put in place. This may include biometric devices, entry door key fobs, and secured dongles for workstations, but also implementing security agents on connected devices. Next-generation protective technology can provide advanced security for endpoint devices, and this is highly important when it comes to ensuring users and connected devices are not introducing attacks into a management network.
For detection within the cybersecurity of critical infrastructure, the NIST guidelines instruct organizations to “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” These events can be anomalies or direct threats, but it is imperative that the activity is detected in a timely manner and mitigated as quickly as possible. This can be managed through proper threat detection software as part of a Security Operations Center (SOC). Employing a SOC with threat detection allows for monitoring of anomalies, events and threats, and for measuring the effectiveness of that detection. Detection processes also need to be maintained and audited to ensure adequate awareness of all threats and anomalous events.
Developing and implementing the activities to take when a cybersecurity event is detected is the next step in ensuring proper protection of critical infrastructure. Incident response requires the employment of a SOC, but also proper planning for which processes and procedures will be employed when events are detected. Even if a complete SOC is not employed, proper tools can be put in place to implement incident response; at the very least, it is highly recommended to have a documented procedure in place for when an event occurs. This means having a tiered line of defense, an on-call support team, or even scripted remediation tasks that can be carried out.
A good incident response platform will gather intelligence and create alerts and workflows around system failures, information theft and loss, malware infection, or even the threat of a rogue employee. Even APTs (advanced persistent threats) can then be protected against and the proper resources notified to ensure the security and resilience of the systems and assets that make up the protected infrastructure.
Response activities also need to be delegated amongst stakeholders, staff, and strategic partners. In laying out its response imperatives, the Cybersecurity Framework dictates that analysis, mitigation and improvements be documented as part of a comprehensive Incident Response plan. Crafting a proper Incident Response playbook and workflow is critical. Integrating a threat intelligence solution allows a process to be created around containing and eliminating threats. When you automate intelligence, data can be quickly collected and quickly scaled, shortening the time to respond to an incident. Proper analysis from automated intelligence, and automated action guided by a playbook, will allow you to identify and eliminate threats quickly. Also, even less experienced technicians can quickly be brought up to speed when playbooks and incident response workflows are employed.
Outages like the one Delta experienced this month may still occur, but a recovery plan must be in place to mitigate attacks, downtime, and loss of crucial services. As with any good Disaster Recovery plan, it’s only as good as its documentation, review, and communication system. The important questions that must be asked regard:
Managing these crucial systems and keeping utilities, flight schedules, and financial systems intact is a responsibility that requires full operation at all times. With the ongoing threat of an attack that could disrupt systems and render critical infrastructure inoperable at any moment, it has never been more important to stay properly secure. You can find out more about the NIST Cybersecurity Framework here.