Securing Critical Infrastructure against Emerging Threats
Experts Debate New Strategies to Respond to Targeted Attacks
The year started with reports of the cyberattack on the Ukrainian power grid, confirming the security community's worst fears about the vulnerability of critical infrastructure. This was followed by the Israeli Ministry of Power reporting a malware campaign against its network. The spectre of attacks on critical infrastructure is growing, and CISOs at these targeted organizations are under increasing pressure to identify emerging risks and prepare an appropriate response.
What are India's unique challenges in protecting critical infrastructure elements such as the power grid, energy, defense and transportation? Where do critical infrastructure components stand against current threats? These questions were discussed recently at the Data Breach Summit Asia 2016 in Bengaluru, hosted by ISMG. Sanjay Sahay, Additional Director General of Police, Government of Karnataka, was the moderator. The panel included: Rudra Murthy, Chief Information Security Officer, Digital India, Ministry of Home Affairs; Rishi Mehta, Senior Group Manager-Information Security, Target; Subrahmanya Gupta Boda, Group CISO, GMR Group; Manoj Sarangi, CISO, HCL Technologies; and Harsha Sastry, industry expert, business continuity & crisis management.
"It's not an overstatement to say we are not in a state of responding to the increasing sophistication of cyber threats of the 21st century and innovative mechanisms of attackers," says Sahay of the Karnataka Police. "It's essential to go beyond ISO standards and benchmarks to tackle growing threats."
"While an attempt is being made to secure India's critical infrastructure, there are huge gaps in understanding the components of critical infrastructure and in the execution of strategies," maintains Murthy of Digital India. "There's a lack of architectural framework and no common enforcement policy."
Infrastructure Protection: Where Does India Stand?
Security leaders say India is still at an early stage of assessing its national inventory of critical infrastructure, identifying key resources and drawing up a concrete plan to protect them against the rapid growth of dangerous malware invading its systems.
"While there's the huge challenge of identifying the components of critical infrastructure, given the spread of these across public and private sectors, the bigger task is to define the roles and responsibilities of industries and organizations in taking the onus of protecting this infrastructure," says Target's Mehta.
Some argue that security practitioners at most organizations are unaware of the mechanisms attackers use to gain a foothold and take control of systems in order to penetrate the network, a concern that no amount of advisories or alerts can address.
The cyberattack on the Ukrainian power grid shows how vulnerable any critical infrastructure can be; it followed a typical kill chain that began with phishing-delivered malware, they say.
Given that over 90 percent of critical infrastructure is owned and managed by the private sector, HCL's Sarangi says it is under threat from several directions.
"The threats are originating from neighbouring states who are using three simple applications from Google to steal information - a hacking community stealing identities for the heck of it, insider threats and external individual threats which are becoming a menace, and the human element enhancing threat opportunities, resulting in poor defences due to the lack of an information sharing mechanism," Sarangi says.
Little has been done to secure critical infrastructure, mainly because of a lack of skills, proper communication and awareness, and critics say this is also why boards do not take ownership of critical infrastructure protection or hold security teams accountable for incidents.
Sahay argues that human intent or error accounts for approximately 80 percent of security breaches. "These include misconfigured systems or applications, vulnerable code, end-user error, targeted attack exploited or undetermined factors," says Sahay.
According to Murthy, the challenge is that Indian organizations don't have prescribed policies, procedures or standards to provide clear direction for protecting infrastructure, unlike other countries that have addressed the issue. "So, security practitioners are constrained in identifying risks associated with critical infrastructure," he argues.
Where to Start?
The immediate task, the panel recommends, is to identify risks, leverage threat intelligence through information sharing, tighten command controls and reduce breach detection and recovery time.
The Indian government has set up the National Critical Information Infrastructure Protection Centre to assess risks associated with India's critical infrastructure. Experts say the process of taking stock of the national inventory must be expedited.
To start with, Sahay recommends:
- Build a risk-aware culture;
- Automate security hygiene and manage incidents with intelligence;
- Protect the network and end-points.
Mehta says moving beyond traditional controls is vital. "Collaboration becomes very critical in investing in R&D, information sharing and defining the security and risk framework in responding to emerging threats."
Harsha Sastry sees the need to approach the issue from a business continuity and disaster recovery perspective to protect the nation's assets and build resilience. Sastry recommends four key imperatives:
- Asset inventory: Know the assets on the network on a real-time basis;
- Business impact analysis: Annual is a mandate, but he advises quarterly, monthly and daily analysis;
- Continuity and crisis management plan: critical, as convergence is key. Write what you do, and do what you write;
- Disciplined exercising and testing: Test for extended periods and in worst case scenarios.
Besides investing in cybersecurity programs, evolving a security governance structure to assess risks to critical infrastructure is key, Sarangi says.
"Having a robust business continuity plan and focusing on end-point, data leakage solutions are important, but educating users on the best and right practices, besides thrust on actionable threat intelligence is critical," he says.
"Reporting the incidents to the concerned authority can help in seeking experts' help in responding to threats," Sarangi says.