Protecting critical infrastructure: Mapping and patching CVEs is not enough for robust defense

Protecting critical infrastructure: Mapping and patching CVEs is not enough for robust defenseDefault blog imageDefault blog image
26
Aug 2021
26
Aug 2021

Cyber-attacks targeting water facilities, pipelines, and other forms of critical infrastructure pose a serious threat to national and economic security, as well as public and environmental safety. In response to recent high-profile attacks, the Biden administration spearheaded several initiatives for protecting US critical infrastructure. These efforts include the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems and the cyber security funding in the bipartisan infrastructure bill.

While increased public focus and funding are urgently needed, they are only the first steps in achieving stronger security for critical infrastructure. For these efforts to be successful, the Biden administration needs to turn its focus to cutting-edge capabilities and direct its funding toward sophisticated technologies that can achieve these ends.

Focusing on achieving the right security capabilities

For years, the security community for operational technology (OT) and Industrial Control Systems (ICS) has put a strong emphasis on mapping and patching common vulnerabilities and exposures (CVEs). While this vulnerability tracking is often necessary, mapping and patching vulnerabilities alone is not a sufficient strategy to arm organizations against attacks.

First, known vulnerabilities simply do not represent all risks, as attackers frequently leverage unknown vulnerabilities called zero-days and misuse legitimate operations in ways that cannot be trivially recognized as malicious. This is particularly true for control system environments, with one-third of ICS flaws designated as zero-days when disclosed.

Devices with zero or few known vulnerabilities may also simply lack specific research into them, rather than being more secure. For example, millions of devices are put at risk by a recently discovered vulnerability in control systems used in building systems — including heating and air conditioning — and this also affects PLCs widely used in manufacturing and energy utilities.

Rather than merely tracking and patching CVEs, Biden’s recent National Security Memorandum realigns OT security to place focus onto the right security goals. The memorandum candidly addresses the problem with vulnerability tracking and other legacy security approaches, as this document affirms that “we cannot address threats we cannot see.”

Investing in the right security technologies

The memorandum specifically focuses on “facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities” for ICS and OT. The next step in achieving these aims is to identify the technologies that can provide these capabilities.

By learning a sense of ‘self’ from scratch for every human, device, and the whole ecosystem of an organization, Self-Learning AI autonomously implements machine-speed detection, investigations, and response. This solution is particularly effective at stopping ransomware before operation disruption, which would have allowed Colonial Pipeline to avoid manual shutdowns.

AI is also uniquely capable of thwarting insider threats. It could have immediately identified the threat in the Florida water facility incident, as its understanding of the ‘pattern of life’ for every user, device, and all the connections between them would have illuminated the insider’s subtle unusual behavior.

The sensitivity and essential nature of critical infrastructure demand the most sophisticated technologies for robust cyber defense. Fortunately, Self-Learning AI technology is already available and currently used by all 16 critical infrastructure sectors designated by CISA. As the threat continues to grow, and the Biden administration’s efforts are pursued more aggressively, Self-Learning AI stands ready to safeguard the systems that our society relies on.

National Security Memorandum goalsDarktrace capabilities
Threat visibilityVisibility across entire ecosystem, including all Purdue levels and into/around the DMZ.

Protocol and technology agnostic, adapts to bespoke environment.
IndicationsThreatening activity highlighted, even when this doesn’t align with pre-defined IoCs.

Understands context in addition to content of human and machine-to-machine communications.
DetectionsSelf-Learning AI understands unusual behavior, rather than rules and signatures.

AI detections ranked by criticality, such that most threatening behavior is foregrounded.
WarningsAI investigations stitch together events into incident reports with attack phases.

Incident reports surface the scope and severity of a security incident, including possible consequences and advice for remediation.
Facilitating responseAutonomous Response surgically neutralizes threats at their earliest stages.

Response is highly configurable, available in active or human confirmation mode.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Oakley Cox
Analyst Technical Director, APAC

Oakley is a technical expert with 5 years’ experience as a Cyber Analyst. After leading a team of Cyber Analysts at the Cambridge headquarters, he relocated to New Zealand and now oversees the defense of critical infrastructure and industrial control systems across the APAC region. His research into cyber-physical security has been published by Cyber Security journals and CISA. Oakley is GIAC certified in Response and Industrial Defense (GRID), and has a Doctorate (PhD) from the University of Oxford.

COre coverage
This Article
Protecting critical infrastructure: Mapping and patching CVEs is not enough for robust defense
Share
Twitter logoLinkedIn logo

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.