KRITIS operators lack transparency and tools for risk assessment


CEO of Tenable explains the security risks in critical infrastructures before the US Congress

Amit Yoran, CEO and Chairman of Tenable, made the following written statement during the hearing of the House Committee on Homeland Security entitled “Mobilizing our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats”, which we summarize here in brief excerpts:

“Understanding where the threat comes from is useful from the perspective of national cyber strategy, defense and reconnaissance. It can also help determine the priorities for remedial actions based on the attackers’ motivations. In addition, knowing where a threat is coming from has little impact on how a company reacts. For almost all companies, the risk management practices in the field of cyber security are the same, regardless of whether the attack comes from the Russians, other nation states, cyber criminals or other malicious actors.”

“Ransomware against critical infrastructure providers is incredibly profitable for cybercriminals, as the Conti ransomware data leaks show. All critical infrastructure sectors are still undergoing digital transformation, which leads to a growing attack surface for cyber attacks. New technological investments offer great opportunities to increase efficiency, as the examples of Smart Factory and Smart City show. However, these changes can lead to real security vulnerabilities. Without improvements in security and resilience, critical infrastructure providers are not prepared for cyber threats.”

Referring to the threats critical infrastructures face due to the fast connectivity and the risks of IT/OT convergence, Yoran wrote:

“A recent evaluation of an available search engine for Internet-connected devices revealed that more than 28,000 industrial control systems (ICS) as well as supervisory control and data acquisition (SCADA) systems are directly accessible via the Internet. Even if this is not the case, countless other systems can be accessed via the increasingly frequently used service portals, which in turn can be compromised. Add to this human error and the frequency of poorly configured software, as well as fast connectivity. The latter is required to keep today’s OT environments running efficiently. With this, we may be entering an era where systemic cybersecurity failures are increasing exponentially. Systems that are interconnected in a way for which they were not designed lead to complexity and create uncertainty.”

“These systems and other OT technologies used in critical infrastructure environments are known to be difficult to patch because they need to be shut down and thoroughly tested each time they are updated. The existing operating models for most OT environments, such as power plants, gas pipelines and manufacturing plants, leave little room for downtime. These companies have tried in the past to reduce their vulnerability by highly segmenting their environments. However, the increasing IT/OT convergence makes segmentation less effective, which means that the systems cannot be patched or secured as targets.”

When asked what companies can do to better protect themselves, Yoran added:

“Providers of critical infrastructures have a duty of care, which is particularly emphasized in turbulent times. Operators must responsibly manage the services that everyone relies on. To protect yourself, you need to know what is in your network and keep it in good condition, which includes protection against known vulnerabilities.”

“As more and more people have access to these systems, security quickly breaks down when strict identity management practices are not in place. The systems must therefore be treated as if a sophisticated attacker already had access or could gain access.”

Concluding his written statement, Yoran added:

“There are basic steps that all providers must take. These range from knowing what is on your network and how these systems are vulnerable, to fixing these vulnerabilities. Other measures range from controlling user access and privileges to managing critical systems that are interconnected. This makes it more difficult for malicious actors to compromise critical infrastructures.”

“Many critical operating environments lack a formal systemic approach to risk assessments and processes, not to mention the continuous visibility required for critical services and high-value objectives. These formal processes are urgently needed, as the rapid increase in access possibilities and interconnectivity drastically increases the risk. In these cases, rules on transparency and standards of due diligence can help to improve risk management practices while encouraging innovation.”
