Carl Weinschenk spoke with Brad Bauch, principal in the PricewaterhouseCoopers Energy, Utilities and Power Generation Practice. The firm today released a report on these threats.
In an ever-more connected world - and one in which malware and other forms of nefarious activity are abundant - the need to protect critical infrastructure grows. Bauch tells IT Business Edge blogger Carl Weinschenk that a mix of old and new techniques should be used to prevent these attacks from succeeding.
"[State-sponsored groups] may reuse some of their tools and have toolkits, but the attack is focused on your company, your system and likely is not detectable because there is no virus or malware signature on those attacks, since they were custom written for you."
Weinschenk: What did the report find?
Bauch: There are three key points. The first is that the threat to critical infrastructure is a real threat. We've seen media reports of some advanced threats that have developed worldwide and we see more and more vulnerabilities being identified in real-time and operational systems, such as SCADA [supervisory control and data acquisition] systems.
The second is that the threats are more advanced than in the past. The Stuxnet virus or worm, whatever you want to call it, was very sophisticated and took a lot of time and effort to develop. Most people don't have those capabilities available, but it does highlight that there are some advanced techniques that can be leveraged to compromise systems.
The third is that the game has changed in how we need to monitor and try to detect these threats and how we respond. We can't use techniques and technology that we've used in the past. We have to think of more sophisticated ways of dealing with the threats.
Weinschenk: Are there more attack vectors?
Bauch: The number of potential entry points is greater. It is fairly well established that Stuxnet entered by being physically walked into the facility, likely on a USB drive. So physical media and the ability to [infect] otherwise isolated networks is definitely a risk. Operational networks have been more interconnected with business networks and other networks over recent years. Traditionally they have not been connected to anything else. As we want to get more information off those systems, we poke a hole and push information out. As a result there is now a connection.
A lot of those systems were proprietary or did not rely on IP-type routing. Now, with more IP-type devices being deployed, we are seeing more of the standard vulnerabilities in operating systems and networks.