In recent years they have been subject to specific and prolonged attacks, exposing long-standing vulnerabilities.
Difference of priorities: CIA to AIC
The standard information security triad consists of confidentiality, integrity and availability. The priorities for many business information systems follow the CIA approach in that order. Confidentiality is still the number one priority, with things like access management, network perimeter security and data loss prevention strategies still the number one budget grabber. The main driver behind such decisions is often the protection of intellectual property, client records or monetary transactions. The output of many service-related organisations takes on a more intangible nature, placing a greater reliance on digital management, storage and delivery of the processes and components that make that organisation work.
From a critical infrastructure perspective, I would argue the priorities within the security triad alter to focus more on availability, with integrity and confidentiality being less important. An electrical generation plant has one main focus: generate and distribute electricity. A hospital has one priority: keep people alive and improve their health. These types of priorities, whilst relying substantially on information systems, are often managed in a way that makes their delivery more important than the component systems involved.
This difference in attitudes towards how security policies are implemented can have a significant impact on vulnerability and exploit management.
Vulnerabilities - nature or nurture?
Vulnerability management from a consumer or enterprise perspective is often applied via a mixture of preventative and detective controls. Preventative controls come in the form of patching and updates, in an attempt to limit the window of opportunity for things like zero-day attacks. Detective defence comes in the form of anti-virus and log management systems, which help to minimise impact and identify where and when a vulnerability was exploited. Many of the basic steps associated with enterprise protection are not always available within critical infrastructure environments.
Critical infrastructure is often built on top of legacy systems using outdated operating systems and applications. These environments often fail to be patched due to the lack of downtime or permitted out-of-hours work. ICS and energy generation systems generally don't have a 'downtime' period, as they work 24 x 7 x 365. Outage is for essential maintenance only, and preventative patching won't necessarily count as an essential outage. Due to the age and heterogeneity of such systems, a greater focus on additional patch management would seem natural. Many critical infrastructure environments are also relatively mature in comparison to modern digital businesses. Mechanisation of industrial and energy-related tasks is well over a century old, with computerization coming only in the last 35 years. This maturity has often resulted in cultural and personnel gaps when it comes to information security.
Basic security eroded
Some of the existing security-related policies that have been implemented in critical infrastructure environments are now starting to erode. The basic, but quite powerful, preventative measure of using air-gapped networks to separate key systems from the administrative side of the organisation is now being eroded. The need for greater management information, reporting and analytical systems has led to cross-network pollution. The low-level programmable logic controllers (PLCs), used for single-purpose automation of electromechanical tasks, are now potentially exposed to the public network. The connection of desktop and laptop devices to previously secured networks has made the risk of infection from internet-related malware a lot higher.
Recent attacks and a change in culture
The two major exploits focused specifically on critical infrastructure environments in the last couple of years have probably been the Stuxnet and Duqu attacks. Whilst the motives for these attacks are maybe different to the standard monetary or credibility drivers for malware, they illuminated the potential for mass disruption. As with any security attack, post-incident awareness and increased focus often result, with several new attempts at securing critical infrastructure now becoming popular. There are several government-led and not-for-profit organisations that have contributed to security frameworks for critical environments. Kaspersky Lab also recently announced plans to develop a new build-from-the-ground-up secure operating system, with a focus on critical environments.
Whilst previously focused only on the availability and delivery of key services and products, critical infrastructure environments now have to manage the increasing threat posed by cyber attacks and malware exposure.