

Interview with Bitdefender

IT Threats in Critical Infrastructures

The interview was conducted with Mr. Bogdan Botezatu (Senior E-Threat Analyst at Bitdefender) on 16 June 2014.

About Bitdefender

Bitdefender is an international vendor of security software for the consumer and business markets. Its portfolio includes antivirus and antispyware products, firewalls, privacy-settings tools, user controls and backup solutions.

Let's get started


Question 1:

What are the biggest IT threats in critical infrastructures today and in the near future?

Despite the fact that these infrastructures are labeled as "critical" and required for the proper functioning of society, they are often overlooked when it comes to security. Most of the time, these infrastructures are running outdated software or are configured in inappropriate ways that date from the pre-Internet era.

Some of the industrial control devices running in power plants, water and sewage stations and so on are directly exposed to the Internet and improperly secured. Script kiddies can easily stumble upon these devices during "regular" netblock scans, for instance.

Let's add to that the cyber component: mission-critical infrastructures are frequently targeted by competing nation-states, as we saw in the Duqu, Stuxnet and Flame incidents. These attacks often rely on zero-day exploitation and state-of-the-art code that can fly under the radar. Most of the time, though, it takes a human operator to act as a vector of infection, so yes, the human factor is also one of the notable threats. After all, deploying a high-performance firewall and securing the perimeter are worthless if some employee just walks in with an infected USB drive.


Question 2:

What are the consequences of your forecast in worst case scenarios?

Critical infrastructures are named this way for a reason: they provide utilities to a large pool of the population, such as water, power and sewage. Shut down a power plant in a major city and you're setting everything one hundred years back, since everything runs on electricity. The financial system stops working (ATMs, transactions, banking, stock exchange), communications stop working, transportation and food supply stop working as well. You're going to have people rioting in the streets and competing for food and other resources as soon as panic sets in. It is a horrible scenario.


Question 3:

What are today's measures to safeguard the networks and systems of critical infrastructures?

Most of the measures include the complete isolation of the critical network from the Internet. This ensures that nothing goes in and nothing goes out. And it works for preventing data exfiltration or the misuse of network resources, but, as the Stuxnet incident shows, it does not work very well against inside sabotage. Stuxnet was brought into an isolated network via USB drive, most likely. Once installed, it slightly altered the parameters of the centrifuges in the Natanz facility and forced the centrifuges to disintegrate.


Question 4:

What could be done in addition to that to provide a higher level of security?

The measures taken should be multiple. First of all, there is the need to control everything that physically goes in and out of the facility. Strong policies about the use of personal hardware and software should be enforced in order to disallow any interaction with the critical machines. Human operators should undergo extensive training on social engineering and phishing, so they have a better understanding of what is going on.

Another aspect that needs urgent remediation is the use of outdated technology. Stuxnet wouldn't have been possible without the zero-day vulnerabilities in the facility's software. Some of these zero-day vulnerabilities had been known and patched when the incident happened.

Last, but not least, IT teams running critical infrastructures should implement layered defense mechanisms: firewalls, IDS devices, network monitoring and anti-malware solutions where possible.


Question 5:

Do you think operators of critical infrastructures learned from the Stuxnet, Duqu, Flame and Gauss attacks?

It's hard to tell, but the outcome is the same. Such breaches cost millions or hundreds of millions of dollars in operational loss. If they indeed learned the lesson, this was the price for the oversight. And, to continue on a negative note, the next attack will definitely not look like the previous one. Let's remember that state-sponsored cyber-warfare has next-to-limitless budgets and the next generations of threats are becoming more sophisticated, much less noisy and more effective.


Question 6:

Which of your products are best suited to safeguard the networks and systems of critical infrastructures?

I'd go with the enterprise-level product offering, the GravityZone solution. It provides security for endpoints and mobile clients, allows comprehensive enforcement of policies per user, and also packs solutions for virtualized environments.


Question 7:

What is your opinion about this statement? "Many security administrators don't realize that they have become the victim of a cyber-attack. They are going to replace a broken system without doing any forensics, because they think it crashed as a result of a 'normal' failure."

It's even worse. Most malware used in high-profile cyber-attacks doesn't even crash or overload the victim system. An attack can go on indefinitely without the system administrator being able to tell what is going on. Another approach taken by cyber-criminals is to deliberately disguise their payload as a common piece of malware (adware, a keygen, a generic Trojan, etc.). If it is detected by the locally installed security solution, it will be classified as a threat one would expect to hit the network from time to time. In this case, the IT department won't call for forensics, so the exact extent of the damage remains unknown. My advice here is to always treat any type of infection as a potential game breaker. It's better to spend a couple of hours investigating an incident than to miss a large-scale attack directed at your organization.


Question 8:

What advice would you give to the following roles to raise the level of IT security within critical infrastructures?
a.) System and network administrators
b.) Management
c.) (Normal) employees
d.) Business partners

a.) System and network administrators

Create a comprehensive patching process that minimizes the window of opportunity.

Pay extra attention to machines that need to run outdated software and take the appropriate measures (sandboxing, DMZ, network monitoring).

Implement security policies and don't let the user override them. Don't expect users to obey these policies; rather, enforce them wherever possible.

b.) Management

Be receptive to the needs and problems reported by the IT teams.

Be ready to sacrifice dollars for updates and upgrades in order to save millions in the medium to long run.

c.) (Normal) employees

Follow the policies enforced by the IT teams on site. They are there not to prevent you from working "normally" but to protect the organization from inside threats or from accidental misuse.

Pay equal attention to what you're doing at home. Your home computer can be compromised much more easily than the one you're using inside the organization, and it can be misused to facilitate a breach.

Segregate your work from your spare time and don’t forward any business e-mails to your personal account so you can catch up with work at home.

Don’t share your devices with children or other family members. They might not have your technical skills and might involuntarily compromise your device.

d.) Business partners

Make sure your employees follow your client's requirements. Your employees with access to the client's network can just as well turn into vectors of attack against the third party.

Don't sacrifice security for convenience. There have been cases where companies were breached via a contractor's infrastructure, and for far less than access to a critical network.

At this point I would like once again to sincerely thank Bogdan Botezatu for the interview.

Andreas Rieb
