If you can’t answer this question, you’re in trouble. These operating systems are well known, unsupported and vulnerable to attacks: a wide-open door. The difficulty lies in finding these systems in the ‘messy’ layers of information technology (IT) and operational technology (OT) infrastructures. The business impact of an unknown Windows 98 system could be an entire service going down. For organizations that operate in “critical infrastructure,” such as the electric utility, water, transportation, internet, and healthcare industries (properties or services upon which society depends), this can be catastrophic. Thus, such organizations are subject to special security oversight and regulations.
Protecting the connected IT and OT systems that keep critical infrastructure running 24/7 is a top local and global imperative, and it remains a challenge because of the cyber-risks that owners and operators face today. In addition, the regulations that govern security practices in these sectors add a layer of complexity.
Organizations with outdated devices that haven’t been or can’t be patched end up contributing to scrambled layers of IT and OT environments which become easy targets for hackers. Critical infrastructure has been subject to attacks, but it’s been fairly fortunate that the damage has had minimal impact to the business. However, when attacked, the potential for incurring high costs is immense.
In this blog, we’ll explain the challenges, problems, and steps to secure critical infrastructure.
Why everyone hates “Patch Tuesday”
And Patch Wednesday, Thursday, and Friday. Because of course, patches and upgrades come any day of the week, at any time, and that’s the problem. They just keep coming. Patching is crucial to securing systems, so why is there still a security update gap?
First, 72% of enterprise security professionals agree software updates could break production systems.1 Second, 52% agree applying patches disturbs our daily business processes and third, 44% say they can’t afford downtime caused by rebooting critical systems.1
Many businesses attempt to prioritize patches and upgrades, to those that are most urgent and critical. But this leaves a big window open for the bad guys. One study found that on average, 12 days were lost coordinating activities across teams for every vulnerability patched.2
More than 80% of breaches are due to poor patch management.3
In the critical infrastructure sector, organizations’ OT layers run old operating systems and software that can’t easily be patched. That’s because critical infrastructure has been built upon many different types of technologies over the years. Some systems are decades old, developed before the Internet became mainstream. Many depend on hardware, software, and operating systems that aren’t compatible with today’s technologies. In fact, many of these systems use legacy proprietary operating systems, languages and protocols. For all these reasons and more, a lot of patching isn’t getting done. So why do critical infrastructure organizations continue running older versions of software or firmware, especially in their OT devices?
Then there’s denial
The answer can be found in the familiar refrain: why change something that “just works”? This is particularly the case for the layers of your infrastructure in which embedded operating systems and software in IoT and OT equipment still chug away at their jobs after years of successful operation.
Say you have a Windows 98 server, or another outdated or proprietary piece of software, running the system that controls the flow of water through an aqueduct. Or one that remotely monitors and controls a refrigerator car while it is on a train. These systems work just fine. Worse, you don’t know where in your infrastructure these legacy operating systems and unpatched software applications might be lurking, which makes the problem even harder.
And then there is the fallout of connecting OT and IT systems
Then there are the security challenges that come with the increasingly connected enterprise. According to guidance developed by the UK’s National Cyber Security Centre, obsolete software creates two major security issues:4
- The software will no longer receive security updates from its makers, increasing the likelihood that exploitable vulnerabilities known by attackers do not have fixes
- The latest and greatest security technologies and techniques aren’t found in older software, giving hackers easy access to your environment
OT devices were traditionally separated from IT infrastructure by physical “air gaps.” But that is changing. Organizations are increasingly realizing efficiencies by connecting OT and IT systems, which raises their risk level. And according to a SANS Institute study, 32% of OT devices connect directly to the Internet, bypassing traditional IT security layers altogether.
What can you do to protect critical infrastructure?
There are five steps you can proactively take to protect both your IT and OT network assets from being compromised, even when they are running outdated operating systems or software.
- The problem is lack of visibility, so start with a solid security foundation. Know what you have on your network by getting real-time visibility into all devices as soon as they attach to your environment.
- Ensure that all connected devices are identified, classified, and that they comply with your security policies. Also know what devices don’t comply, so you can keep an eye on them.
- Do continuous monitoring. This way, device intelligence and status are always available in real time. As you monitor, make sure you identify any anomalous behavior by either segmenting the network and quarantining older devices, or by using vulnerability assessment and management tools to alert to common threats.
- Put risk-mitigating controls in place and maintain compliance. Ensure that only the right people with the right authority have access, and keep that access up to date, especially on the messy, older systems and operating systems that hackers seem to target most.
- Segment and micro-segment legacy equipment. This step is vitally important to protect critical operations in the event a breach occurs. Forescout can help make this task easier and more logical.
- Scale to even the most demanding critical infrastructure environment. The numbers of IoT and OT devices on critical infrastructure environments are expanding day by day. To keep pace with this device growth, choose a solution that can scale to millions of devices in a single deployment.
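To make the first four steps concrete, here is an added example (not Forescout’s code or platform logic) that evaluates a constructed device inventory against a simple policy: it flags unclassified devices, end-of-life operating systems such as Windows 98, OT devices reachable directly from the Internet, and stale patch levels, then derives which devices should be segmented rather than patched in place. The device records, policy table, thresholds and field names are all assumptions for illustration.

```python
# Added example: policy check over a constructed asset inventory (not vendor code).
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy table: OS names this organisation treats as end-of-life.
UNSUPPORTED_OS = {"windows 98", "windows xp", "windows 2000"}
MAX_PATCH_AGE_DAYS = 90  # assumed threshold for "patched recently enough"

@dataclass
class Device:
    name: str
    zone: str                    # "IT" or "OT"
    os: Optional[str]            # None = discovery could not fingerprint the OS
    last_patch: Optional[date]   # None = no patch record (e.g. legacy OT gear)
    internet_exposed: bool       # True = reachable from the Internet directly

@dataclass
class Finding:
    device: str
    severity: str                # "critical", "high" or "medium"
    reason: str
    action: str

def assess(inventory: list[Device], today: date) -> list[Finding]:
    """Apply each rule independently; one device may produce several findings."""
    findings: list[Finding] = []
    for d in inventory:
        if d.os is None:                       # visibility gap: classify first
            findings.append(Finding(d.name, "medium", "unclassified device",
                                    "fingerprint and classify before granting access"))
        if (d.os or "").lower() in UNSUPPORTED_OS:
            findings.append(Finding(d.name, "high", f"end-of-life OS: {d.os}",
                                    "move to isolated segment; allow only required flows"))
        if d.zone == "OT" and d.internet_exposed:
            findings.append(Finding(d.name, "critical", "OT device reachable from Internet",
                                    "remove direct exposure; route via monitored IT boundary"))
        if d.last_patch and (today - d.last_patch).days > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(d.name, "medium", "patch age exceeds policy",
                                    "schedule a maintenance window for the update"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.device))

def needs_segmentation(findings: list[Finding]) -> set[str]:
    """Devices to segment or quarantine now rather than wait for a patch cycle."""
    return {f.device for f in findings if f.severity in ("critical", "high")}

SAMPLE = [  # constructed inventory, shaped like an asset-discovery export
    Device("aqueduct-plc-01", "OT", "Windows 98", None, False),
    Device("railcar-telemetry-07", "OT", "Embedded Linux", date(2024, 1, 3), True),
    Device("hr-laptop-22", "IT", "Windows 11", date(2024, 5, 20), False),
    Device("unknown-0a1b", "OT", None, None, False),
]
```

Running `assess(SAMPLE, date(2024, 6, 1))` ranks the Internet-exposed OT device first, the Windows 98 controller second, and leaves the current laptop with no findings.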
Forescout helps reduce risk. By giving you instantaneous visibility into every connected device, the Forescout platform offers you control over who –or what– accesses your IT environment. To learn more about challenges with securing critical infrastructure and how the Forescout platform can help, download the white paper “Gain Confidence in Protecting Critical Infrastructure from Cyberattacks.”