Proactive Cyberdefence for Critical Infrastructure
Exposure to external attacks
Critical infrastructure networks increasingly use Internet protocols and communicate with external resources, sometimes over the public Internet. The transition to Internet Protocol (IP) based networks reduces costs and improves efficiency, but it also exposes these previously isolated networks to external attacks. Most systems and protocols used in critical infrastructure networks were designed for closed networks of trusted devices with no connection to the outside world. They contain very few security features and, more worryingly, they have never been hardened. The greatest exposure is in devices such as programmable logic controllers (PLCs), which control physical equipment like pumps and valves. When connecting industrial control networks to corporate networks, or introducing other forms of connectivity, it is important to understand the risks and to take the necessary steps to mitigate them.
Cyberthreats: Probing and cyberextortion
The increased connectivity gives cyber adversaries access to network areas they could otherwise reach only from inside a facility. Adversaries are putting more and more effort into critical infrastructure networks: they are doing more research and writing more malware aimed specifically at exploiting and disrupting industrial control systems. Cybercriminals use vulnerability intelligence to extort power companies: if the companies do not pay the ransom, the criminals carry out an attack. US intelligence has attributed several power outages around the world to cyberextortion. Electric utilities and other critical infrastructure are also the target of constant probing. Probing is part of cyber-reconnaissance; it is used to map network infrastructure and locate vulnerabilities for future attacks.
Strategic partnerships with the private sector
Given the importance of critical infrastructure networks, ad hoc responses to cyberattacks are not enough. Just as nations prepare for natural disasters, they must also have a national cybersecurity strategy. In most countries the majority of critical national infrastructure, and of the cyber infrastructure behind it, is owned and operated by the private sector. Private operators know their systems best, they have the technical expertise and, most importantly, they have access to their own networks. A cybersecurity strategy will therefore only be effective if the private sector is committed to it, and the private sector will not commit unless it can see the business benefits.
From a business perspective, the transition to all-IP networks makes sense: it reduces costs and improves efficiency. From a purely security perspective, critical infrastructure networks should not be connected to the Internet at all, because the connection exposes them to outside attacks. However, keeping your networks isolated is not necessarily an option if you want to run a successful business. The challenge is to combine these perspectives and find solutions that improve cybersecurity but are also good for business. After all, CEOs want to make a profit, not defend a country.
Proactive cyberdefence
In almost all cyberattacks, initial access to a system is enabled by a vulnerability in that system. Most of these vulnerabilities are simply errors made during software development (design flaws and misconfiguration account for the rest). Ideally they should be fixed during development, because once the software is deployed the errors become exploitable vulnerabilities. Security researchers, security companies and hackers discover some of these vulnerabilities. If they report their findings, the software developers can create patches, and the vulnerabilities become known vulnerabilities. The biggest cybersecurity threat is the unknown, zero-day vulnerabilities still remaining in the code.
Improving basic cyberhygiene
The risk of cyberattacks can be reduced considerably by implementing basic cyberhygiene measures, such as deploying patches in a timely manner and scanning software products for known vulnerabilities before they are released. Good cyberhygiene also covers the use of signature-based defences such as IDS/IPS solutions, vulnerability scanners and firewalls. These are fairly effective against known attacks. However, they can only detect malware and exploits for which an identifier, known as a signature, already exists and has been deployed. Attacks exploiting zero-day vulnerabilities bypass these defences completely. Advanced attacks like Stuxnet exploit multiple zero-day vulnerabilities, which makes them extremely difficult to defend against.
Proactive cyberdefence against advanced attacks
Fuzzing is a security testing technique that can find previously unknown, zero-day vulnerabilities by triggering them with unexpected inputs: malformed, truncated or oversized messages that the software was never designed to handle. By incorporating fuzzing best practices into their development and procurement processes, organizations can significantly improve the security and robustness of their networks. The fewer vulnerabilities there are in a system, the harder it is to attack. Not all attacks can be prevented, however, so organizations must also be able to detect and respond to them.
The longer an attack stays undetected, the more damage it can cause. Good abuse situation awareness (awareness of the threats on the Internet that concern your own networks) is key to establishing systematic and efficient processes for responding to cyber incidents. Organizations can improve their abuse situation awareness by automating information collection, processing and reporting, and by engaging in timely information sharing with their cybersecurity partners.
Improving cyberthreat situation awareness
Comprehensive situation awareness is achieved by combining threat and vulnerability intelligence from internal and external sources. Most organizations employ SIEM systems and IDS/IPS solutions, which provide valuable insight into incidents within their own networks. However, even serious cyber threats can be dismissed as random attacks if the security personnel lack the global abuse situation awareness needed to examine events alongside incidents reported elsewhere. Similarly, external abuse information requires network-specific intelligence (which assets an indicator actually touched, and how critical they are) before it can be applied in practice.
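The re-scoring described above, as an added example that is not part of the original article: a handful of low-priority IDS alerts are combined with abuse reports shared by partners and with a local asset inventory, so that one of the "random" probes is recognised as part of a campaign against control-zone assets. The alert lines, the indicator feed and the asset list are all constructed for this illustration; the alert format only resembles Snort's "fast" alert output and is not a real feed.

```python
"""
Correlating internal IDS alerts with externally shared abuse reports.
Added example, not from the original article: the alert lines, the partner
indicator feed and the asset inventory are all constructed, and the alert
format only resembles Snort's "fast" alert output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed internal IDS alerts. Each one is Priority 3 (low) on its own.
IDS_ALERTS = """\
03/14-02:11:09.120 [**] [1:2000001:1] SCAN Modbus function enumeration [**] [Priority: 3] {TCP} 198.51.100.23:51012 -> 10.20.0.15:502
03/14-02:11:42.887 [**] [1:2000001:1] SCAN Modbus function enumeration [**] [Priority: 3] {TCP} 203.0.113.77:44110 -> 10.20.0.15:502
03/14-02:15:03.501 [**] [1:2000017:2] SCAN DNP3 link probe [**] [Priority: 3] {TCP} 198.51.100.23:51044 -> 10.20.0.21:20000
03/14-02:20:55.009 [**] [1:2000001:1] SCAN Modbus function enumeration [**] [Priority: 3] {TCP} 192.0.2.9:60001 -> 10.40.0.8:502
"""

# Constructed abuse reports shared by partners and a national CERT: ip,reporter,campaign
SHARED_INDICATORS = """\
198.51.100.23,partner-utility-A,ics-recon-campaign
198.51.100.23,national-cert,ics-recon-campaign
192.0.2.9,partner-utility-B,ics-recon-campaign
203.0.113.200,partner-utility-A,ics-recon-campaign
"""

# Constructed asset inventory: the network-specific intelligence that tells us
# which destinations actually matter.
ASSET_ZONES = {
    "10.20.0.15": "control",
    "10.20.0.21": "control",
    "10.40.0.8": "corporate-lab",
}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Finding:
    src: str
    severity: str
    reason: str
    targets: list = field(default_factory=list)

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (ALERT_RE.search(l) for l in text.splitlines()) if m]

def parse_indicators(text):
    """Map each reported IP to the set of (reporter, campaign) pairs naming it."""
    reports = defaultdict(set)
    for line in text.splitlines():
        ip, reporter, campaign = line.strip().split(",")
        reports[ip].add((reporter, campaign))
    return reports

def correlate(events, reports, zones):
    """Re-score each source by combining external corroboration with asset criticality.

    Returns (findings, watchlist): one Finding per internal source, plus externally
    reported IPs not yet seen internally, which are worth watching but are not incidents.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        targets = sorted({e["dst"] for e in evs})
        touches_control = any(zones.get(t) == "control" for t in targets)
        reporters = sorted({r for r, _ in reports.get(src, ())})
        campaigns = sorted({c for _, c in reports.get(src, ())})
        if reporters and touches_control:
            sev, why = "high", "reported by %d partner(s) (%s) and probing control-zone assets" % (
                len(reporters), ", ".join(campaigns))
        elif reporters:
            sev, why = "medium", "reported externally, but only non-control assets touched"
        elif touches_control:
            sev, why = "medium", "no external report yet, but probing control-zone assets"
        else:
            sev, why = "low", "isolated probe with no external corroboration"
        findings.append(Finding(src, sev, why, targets))

    watchlist = sorted(set(reports) - set(by_src))
    return findings, watchlist

if __name__ == "__main__":
    findings, watchlist = correlate(parse_alerts(IDS_ALERTS),
                                    parse_indicators(SHARED_INDICATORS), ASSET_ZONES)
    for f in findings:
        print(f"{f.src:15} {f.severity:6} targets={f.targets} :: {f.reason}")
    print("watchlist (reported by partners, not yet seen here):", watchlist)
```

Run stand-alone, the script escalates 198.51.100.23 to high (two partners report it and it is probing control-zone hosts), leaves 192.0.2.9 at medium because it only touched a lab host even though a partner reported it, and lists 203.0.113.200 on a watchlist because partners have seen it but this network has not yet. The same four alerts, viewed without the shared feed and the asset inventory, would all have stayed at Priority 3.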
Cyberdefence best practices
The majority of critical infrastructure is privately owned, and it is the private companies that must make sure their networks are robust and secure. However, because of the importance of these networks, the protection of critical infrastructure cannot be left to the private sector alone. An effective cybersecurity strategy is based on partnership between government and the private sector, including both private companies and industry organizations, as well as international partners.
The role of critical infrastructure operators
Complex supply chains are typical for industrial control systems. Systems purchased by critical infrastructure operators, such as power utilities, are typically assembled by system integrators from devices and software bought from a variety of device manufacturers. These device manufacturers, in turn, purchase parts of their software from third-party software developers. The industrial control systems delivered to the operator often include a software development kit (SDK) that can be used to modify the software to better meet the operator's needs. In addition, open-source software is widely used in critical infrastructure. Every link in this chain can introduce vulnerabilities, and the operator who runs the final product inherits all of them.
Develop better software
If a company develops its own software, the best way to ensure its security and robustness is to identify and eliminate vulnerabilities during development. Large software houses already include fuzzing in their secure development lifecycles: Cisco's CSDL, Microsoft's SDL and Adobe's product lifecycle are good examples. Giants like IBM and Google also promote fuzzing. Software development for industrial control systems (ICS) would benefit greatly from the same approach. The earlier vulnerabilities are found, the easier and cheaper they are to fix, and by building security into your software you avoid costly, critical and embarrassing software blunders.
Only buy robust software
Many vendors are in a hurry to push software onto the market, and often it is the user who ends up doing the testing. By insisting on fuzzing as an acceptance condition, you make vendors take responsibility for the quality and security of their products. Operators are already starting to use fuzzing as entry criteria for their network suppliers; why not use it to ensure that all equipment you accept into your network is robust and secure? In critical infrastructure networks patching can be difficult, so the more vulnerabilities you can fix before a product is deployed, the less patching you will need to do later.
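As an added example (not code from the article, from any vendor or from any of the development lifecycles named above), the following mutation fuzzer ties together the technique introduced under "Proactive cyberdefence against advanced attacks", the "develop better software" advice, and the acceptance criteria discussed in this section. The frame format is a hypothetical one, loosely modelled on a Modbus/TCP-style header; the "vendor build" parser, its hardened counterpart and the seed frame are all constructed for this illustration. Because this is Python, an out-of-bounds access surfaces as an IndexError rather than as memory corruption, so the harness treats any exception other than a clean FrameError as a robustness bug.

```python
"""
A mutation fuzzer used as an acceptance gate for a delivered protocol parser.
Added example, not from the original article.  The frame format is hypothetical
(transaction id, protocol id, declared length, unit id, function code, register
data, loosely modelled on a Modbus/TCP-style header); both parsers are
constructed for this illustration.
"""
import random
import struct

class FrameError(ValueError):
    """Clean rejection of a malformed frame: the *expected* outcome for bad input."""

def parse_frame_vulnerable(frame):
    """Vendor-style parser that trusts the declared length field (deliberately buggy)."""
    tid, pid, length = struct.unpack(">HHH", frame[:6])   # struct.error on short frames
    unit, func = frame[6], frame[7]                        # IndexError on short frames
    data = frame[8:]
    registers = []
    # BUG: iterates over the *declared* length, not the bytes actually received,
    # so a lying length field walks off the end of the buffer (IndexError here,
    # an out-of-bounds read in C).
    for i in range(0, length - 2, 2):
        registers.append((data[i] << 8) | data[i + 1])
    return {"tid": tid, "unit": unit, "func": func, "registers": registers}

def parse_frame_hardened(frame):
    """Same format, with every field validated before it is used."""
    if len(frame) < 8:
        raise FrameError("frame shorter than fixed header")
    tid, pid, length = struct.unpack(">HHH", frame[:6])
    if pid != 0:
        raise FrameError("unexpected protocol id %d" % pid)
    if length != len(frame) - 6:
        raise FrameError("declared length %d does not match %d bytes received" % (length, len(frame) - 6))
    if length > 254:                                   # hypothetical protocol maximum
        raise FrameError("length exceeds protocol maximum")
    data = frame[8:]
    if len(data) % 2:
        raise FrameError("register data must be a whole number of 16-bit words")
    registers = [(data[i] << 8) | data[i + 1] for i in range(0, len(data), 2)]
    return {"tid": tid, "unit": frame[6], "func": frame[7], "registers": registers}

def mutate(seed_frame, rng):
    """Apply one random mutation to a known-good frame."""
    buf = bytearray(seed_frame)
    op = rng.randrange(5)
    if op == 0:                                   # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:                                 # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:                                 # truncate
        del buf[rng.randrange(len(buf)):]
    elif op == 3:                                 # lie in the length field
        struct.pack_into(">H", buf, 4, rng.randrange(65536))
    else:                                         # append junk
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))
    return bytes(buf)

def fuzz(parser, seed_frame, iterations=2000, seed=1):
    """Run mutated frames through the parser; return (input, exception name) for each crash."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_frame, rng)
        try:
            parser(case)
        except FrameError:
            continue                               # clean rejection is correct behaviour
        except Exception as exc:                   # anything else is a robustness bug
            crashes.append((case, type(exc).__name__))
    return crashes

def accept(parser, seed_frame, iterations=2000):
    """Acceptance gate: the product passes only if no fuzz case escapes as an unhandled error."""
    return len(fuzz(parser, seed_frame, iterations)) == 0

# Constructed known-good frame: tid 1, pid 0, length 6, unit 1, func 3, registers 0x0102 0x0304
SEED_FRAME = bytes.fromhex("0001 0000 0006 01 03 01020304")

if __name__ == "__main__":
    for name, parser in [("vendor build", parse_frame_vulnerable), ("hardened build", parse_frame_hardened)]:
        crashes = fuzz(parser, SEED_FRAME)
        verdict = "ACCEPT" if not crashes else "REJECT"
        print(f"{name}: {verdict}, {len(crashes)} crashing inputs")
        if crashes:
            case, exc = crashes[0]
            print(f"  first crash: {exc} on {case.hex()}")
```

Run stand-alone, the script rejects the vendor build and prints a reproducing input (typically a truncated frame or one whose length field overstates the data), and accepts the hardened build, which turns every one of those inputs into a FrameError. Two thousand single-mutation cases are plenty for a parser this small; an acceptance run against real equipment would use a purpose-built protocol fuzzer, far more cases, and instrumentation such as address sanitizers or device-side health monitoring, because in native code an out-of-bounds read often does not crash and would otherwise go unnoticed.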
The role of industry organizations
Engaging industry associations and industry leaders in the development of a cybersecurity strategy helps to ensure that adopted policy is one that the private sector can commit to. Industry associations play a major role in motivating the private sector and in ensuring that the proposed cybersecurity policies also make business sense. The North American Electric Reliability Corporation (NERC) introduced a set of eight critical infrastructure protection (CIP) standards (CIP-002 to CIP-009). These standards are mandatory in the US and Canada, and NERC has the authority to audit energy producers and distributors and fine them up to $1M per day per violation. The challenge with standards is keeping them up-to-date.
Cybersecurity: A national priority
The mandate for cybersecurity must come from a high level. Protection must be implemented by the network owners, because only they have access to their own networks, but governments must use their authority to make cybersecurity a national priority. The role of government is to build partnerships with the private sector and to get the private sector to understand that cybersecurity is not only insurance against malicious compromise but also a necessary component of business continuity. The private sector will only commit to the cybersecurity effort if it can see the benefits, i.e., if the effort also makes sense at a business level.
Timely information sharing
National actors play a key role in promoting information sharing, which is essential to successful partnerships between the private and public sectors. The ability of a nation's core cybersecurity units to produce and share relevant cybersecurity information is an indicator of its cyberdefence capability. Technological solutions increase automation and enable organizations to do more with the resources they have. However, the main goal is to increase cybersecurity awareness within the organization and its partner network, and to improve cyberdefence processes. For example, by collecting abuse information from internal and external sources over the years, an organization builds up a valuable database that helps it monitor its networks even more effectively.
Global cooperation
Cybercriminals act globally, but national borders restrict the jurisdiction of law enforcement. Catching and prosecuting cybercriminals effectively requires cooperation between national and international law enforcement, and that is only possible through the harmonization of cybercrime laws and the timely sharing of information between partners. Cybercriminals move fast, so law enforcement must also work at "Internet speed". Timely information sharing also helps build a culture of transparency and trust between global partners.
Conclusion
Cyberattacks can never be fully avoided, but with the right cybersecurity strategies the risk can be reduced considerably. By improving the resilience of your critical infrastructure networks, you make it significantly harder for bad actors to attack your systems. Proactive defence is all about improving national cyberdefence capabilities, i.e., a nation's ability to prevent and detect cyberattacks.
By using fuzzing to test your systems, you can find and fix vulnerabilities before your adversaries have a chance to exploit them. By collecting the latest threat information you improve your abuse situation awareness and can detect attacks at the earliest possible moment. However, proactive cyberdefence is not just about implementing new technologies; it is about improving internal processes and building strong partnerships.
Timely information sharing is an important part of proactive cyberdefence, because transparency strengthens partnerships. Transparency also serves another purpose: it ensures that the efforts we make to secure cyberspace do not compromise the openness of the Internet, which is the very source of its success.





