All devices connected to a network represent potential back doors that hackers could exploit to gain access to a network and the various systems it’s connected to. Therefore, as evidenced by the number of high-profile breaches that seem to be occurring with alarming regularity, cybersecurity is a top priority for everyone.
Unfortunately, all networked devices and systems can be vulnerable, and in our connected world, the cybersecurity of a network is only as strong as the weakest device connected to it. When those devices are used in high-risk environments like critical infrastructure, the consequences of a breach could be more far-reaching, with the potential to take down much more than just a substation or other facility. Therefore, it is essential that networked devices in these applications provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.
Joe Morgan, Business Development Manager, Critical Infrastructure, Axis Communications, Inc., and Ryan Zatolokin, Business Development Manager, Senior Technologist, Axis Communications, Inc., recently discussed why cybersecurity is vital in critical infrastructure, potential risks and how organizations can mitigate risks in these networks.
What are some common cybersecurity concerns or types of attacks with critical infrastructure and other high-risk environments, and how likely are they to occur?
Ryan Zatolokin: Different attacks could happen. I think what people are most concerned about when it comes to IP surveillance cameras is that cybercriminals might try to use them as a platform to breach other parts of the critical infrastructure system. In turn, this could then be used as a hopping point to gather data to take down the system or used as a launching platform for taking over various types of controllers.
Joe Morgan: We haven't seen a lot of breach attempts in the oil and gas industries, but we’ve certainly seen situations where hackers have breached a network and created all sorts of problems on electrical substations and even some enterprise co-generation plants in Russia. If they’re able to shut down the grid, there’s naturally going to be a trickle-down effect. Shutting down a main component will start that cascade, and what I’ve heard from the FBI and other reliable sources is that’s the main concern in the utility sector.
Why should customers really care about cybersecurity? What could happen if they don’t consider it?
Joe: From a cyber standpoint, energy and power generation are among the most targeted sectors because they’re the motor that runs other sectors. If the power goes out, that quickly impacts water, agriculture, transportation, telecommunications and the many other sectors that rely on power and energy to operate. So once that component is down, you have a total collapse.
Ryan: Without taking appropriate actions to harden the system and put security policies in place, organizations could be exposed to the point where someone could take down or significantly impact a system, including causing catastrophic failures that would affect people's lives. At that point it can literally become a life-safety issue. Just look at the disruptions caused when storms knock out power systems. If somebody deliberately took down a system, it would have a similar impact, plus the fear factor that would come into play if it were a man-made phenomenon.
What are the first steps organizations should take to ensure the highest level of protection for these sites?
Ryan: As much as we want to talk about strong features and tools to support cybersecurity, which Axis offers, it’s important to not forget about setting and applying standards across systems. Organizations also need to have policies that ensure that best practices are followed throughout the organization—best practices that affect the selection and configuration of devices used in those environments. That means making sure they offer appropriate security features and can be hardened and updated through firmware, and that policies are in place to mitigate risk from vulnerabilities.
Joe: Just like facilities develop a security site plan (SSP), which is typically based on physical security, companies are now implementing a cyber SSP as well. That's a bit different because physical security is fairly fixed. You have a facility and you know the boundaries and the vulnerability points. With cyber, it's more difficult because threats are ever-changing.
The desired result is common. Hackers want to cause a shutdown, and they are constantly developing new ways to get in, so the difficulty with cyber is staying on top of that. The first step is, as Ryan mentioned, to assess processes and look at vulnerabilities—just like you would in an SSP—from a cyber standpoint, and then be diligent in keeping up with trends and changes with your cyber teams.
From a technology perspective, any device connected to a network could be a potential entry point for hackers. When evaluating solutions for critical infrastructure locations, what key factors should organizations look for to reduce the risk that they will be the “weakest link” on the network?
Ryan: Look for products that offer a variety of features that can fit into the organization’s security policy. Axis offers encryption and the ability to specifically restrict who can talk to that device using IP address filtering. This year we're taking it to another level by protecting devices as they go through the distribution channel and are shipped to the customer using secure boot, which halts the boot process if any foreign code is introduced to the device. We’re also providing signed firmware to protect what is running that product. When you download firmware from the Axis website, it is digitally signed by Axis. In the highly unlikely event that someone had the technical resources to reverse engineer and tamper with our firmware, digital signatures would prevent it from being loaded on the device.
These are just additional layers of protection Axis is implementing to take device protection to the next level.
Joe: Along with what Ryan noted, it’s also essential to understand what's in a hardening guide. End users need to evaluate what is in that guide that can help mitigate (and hopefully prevent) cyberbreaches. We’ve worked hard to make sure the Axis hardening guide outlines the features and benefits that we provide.
Looking forward, we have to be aware of the next generation of tools used to hack into networks, and we're always striving to come up with definitive ways to defend against emerging threats.
Obviously, partnering with the right provider is vital for cybersecurity. What traits should organizations look for and what questions should they ask of a prospective partner?
Ryan: A main factor in cybersecurity is working with partners that have a good reputation, follow best practices, and are open and transparent. That’s a base level for evaluating a potential partner. Also look for partners that have technology that addresses real-world use cases.
Axis devices are just one part of the solution. We offer a certain level of security at the edge, but we also have to communicate with many other devices across the network. So we have partners that help us protect that network traffic and even hide devices that are on the network so there's very little chance of them being compromised. For example, our VMS partners take advantage of the encryption technologies that are built into our products, such as HTTPS or even SRTP (secure real-time transport), which allows full encryption of the video stream across the network.
Think of it like different layers of protection. With a lot of effort, someone can penetrate a single layer, but when you start putting multiple layers of security on top of that, it becomes much, much less likely that all those layers can be penetrated or at least can be penetrated in a timely way. Having partners that can integrate at a deeper level helps Axis raise the level of security for the entire system.
Joe: In our ecosystem we select only high-quality, progressive partners because it's a reflection on us. For instance, if we’re using a partner’s software as a system component as a solution, we want it to be reliable, we want it to be the best in the industry. We look for partners that offer cutting-edge solutions and the flexibility to come up with a patch or a solution in real time. The ability to adapt and overcome potential problems like malware is important as Axis seeks to partner with providers within our ecosystem.
While technology is certainly integral in cybersecurity, even the best solutions could be undermined by one person’s actions. How can organizations create an environment where the “human factor” is less likely to compromise cybersecurity?
Ryan: That's a great point because the human factor is almost always the weakest link in cybersecurity.
As I mentioned earlier, policies play an integral part in overcoming this. The other factor is having tools that make it easy to maintain consistency when deploying cybersecurity features in products. For example, if someone has to individually configure hundreds of different devices one by one—especially if you have multiple people doing it—the human factor takes over, and mistakes can be made.
On the other hand, device management solutions can build templates that enable operators to push out the exact configuration to all devices, not only those that are deployed as part of an installation. This ensures that as new devices are added, you can make sure they offer the same level of security as those that are already deployed.
Joe: Something else to consider is how cybersecurity is headed toward an artificial intelligence (AI) or machine learning process that will eventually allow everything to be handled through the cloud. A sensor will detect or discover malware or a breach attempt, and it will shoot up to the cloud, where there will already be a solution in place to instantly send out patches to all devices simultaneously. Once that type of solution is developed, it will take the human aspect completely out of cybersecurity. And there are already companies that are writing code for cyber AI processes.
What one piece of advice would you give organizations pursuing cybersecurity for critical infrastructure sites?
Ryan: I have two answers that go together. First, figure out what you have deployed, which is one of the biggest challenges organizations face. Sites should then develop processes and procedures for securing them, whether that is segmenting them, hardening them or isolating them in some way that protects them to the best of their ability. You also have to continually re-assess those policies and procedures to make sure they’re adequate for the threats that continue to emerge daily.
Joe: I'm going to take a simple approach and say it’s important to be diligent with your passwords. The first layer of preventing a hack is being able to prevent someone from getting in, and using strong passwords is a simple process for making it more difficult for someone to breach a device, system or network. Passwords can be a pain to remember, and it takes a little bit of added effort to change your password when needed and to not come up with common passwords. A good way to do this is to utilize phrases as opposed to regular passwords.
Cybersecurity is about the depth of your defense.
The potential fallout of a network breach at a critical infrastructure facility or location could be catastrophic, with effects that could be felt across a number of critical segments.
When it comes to securing devices and networks used in critical infrastructure, one of the biggest factors is to source equipment from companies that have committed to adhering to the highest level of best practices to ensure security—and have a track record of doing so.
Another key to ensuring end-to-end cybersecurity of all interconnected devices and systems is forming strong partnerships with like-minded companies that offer complementary technologies and are equally committed to securing their products.
A third main component of securing networks and devices is to implement and enforce strong policies and procedures to reduce or remove the likelihood that human error will undermine strong security.
Finally, as noted, device management tools can make it easy to ensure all devices are configured identically in accordance with established policies and procedures.
Effective cybersecurity is about constantly assessing risks and taking appropriate steps to mitigate those threats. It’s about working with the right people, using the right products, taking advantage of the appropriate technology and implementing (and adhering to) the correct policies. By keeping these in mind and cybersecurity in focus, you can be in a better position to protect your critical site and its assets.