Properly protecting CNI demands specificity

by Jeremy

When we think of critical national infrastructure (CNI), we tend to think of power, water, and transport industries. Although CNI also includes communications and finance, it is the heavier, safety-critical industries that we think of first. Typically, these involve sizeable industrial control systems (ICSs) that operate 24/7, 365 days a year, which we all depend on in our daily lives.

Successful attacks on these systems could cause serious injury or death, as illustrated by the recent attack on a water purification plant in Florida. The threats to these systems may come from actors with motivations similar to those who target IT systems, but the risks and how to address them can be very different.

The first thing to understand is that while IT systems are all much the same, using similar components and architectures, ICS solutions are all very different from each other. Industrial designs are not physically secured in a friendly, air-conditioned room. Instead, they are often spread out over several square kilometers, or even many kilometers along a pipeline, making them highly vulnerable to tampering.

Also, they cannot be shut down quickly for maintenance and have very high availability requirements. Therefore, the risks and their mitigations must be specific to each system, and underpinning this there should be an excellent understanding of the system and the processes it supports.

The first steps to securing an ICS must therefore be to create an accurate plan of the system and its interconnections (as it exists, not as it was designed) and to document the processes it supports. This will allow a risk assessment to be carried out to identify, analyze and evaluate the risks before determining measures to mitigate them.

If the IT and operational technology (OT) systems of an organization are connected, this exercise must be applied to both IT and OT as a single overall system, and, critically, this must involve the people on the shop floor who run the system and understand how it works. As things will change over time, the system and risk assessment must be reviewed and updated regularly.

It is nearly ten years since Eric Byres first presented his paper "Unicorns and air gaps: do they exist?" The mythical air gap does exist today, but only in highly critical control systems such as those for a nuclear reactor. A genuinely air-gapped system can only accept data from outside through a physical device (such as a keyboard) and output data through another (a printer, for example).
