Posted by Bryan Vale / January 29, 2018
In September 2017, Wired reported that hackers had gained access to multiple electrical power facilities in the U.S. Conceivably, the hackers could have shut off the power for thousands of citizens and companies, much like how hackers shut down parts of Ukraine's power grid in late 2015.
In March 2016, Verizon released a data breach report that described a horrifying scenario: a water utility plant was successfully hacked, and the attackers took control of industrial equipment within the plant.
Every critical infrastructure organization wishes to avoid incidents like this, but not all critical infrastructure facilities are able to do enough to stop determined and ingenious threat actors. Even network-isolated and air-gapped environments are vulnerable to a variety of attack methods, from infected USBs to insider compromise.
Here are six common gaps that may be found in the file transfer process at critical infrastructure facilities.
1. Not Enough Anti-malware Engines
Many facilities have users scan all files entering secure networks with at least one anti-malware engine, and possibly two.
This is not enough. Even the most effective anti-malware engines will miss some threats, and that's why multi-scanning solutions are the best options, especially in such high-stakes environments. Using multiple anti-malware engines covers up for some of the threats that one engine might miss on its own.
2. No Visibility into Vulnerabilities Introduced into Network
Organizations need to allow users to install new applications in order to function, but every new application, or application update, introduces new vulnerabilities into the corporate network. If the IT department does not have sufficient visibility of the vulnerabilities introduced and their severity, they will not know the network's cyber security weak points and cannot monitor patching.
3. No CDR Solution
Content Disarm and Reconstruction (CDR) is nothing short of essential in the modern threat environment. Attackers regularly use common files, such as Word documents or Excel spreadsheets, that contain malicious scripts, macros, or embedded objects. They then trick users into opening the files, often via phishing attacks.
Wired, citing a security vendor's report, noted that major U.S. power grid breaches in 2017 "began with [spear phishing] emails that tricked victims into opening a malicious attachment." Many, if not most, of these attacks can be prevented with CDR.
4. Not Enough Accountability to Prevent Insider Threats
Insider threats are a huge point of vulnerability for many organizations, especially since IT admins and CISOs often spend much of their time defending against outsider threats. For this reason, it is extremely important to log when files entered the network, and who brought them in.
5. Verification for Portable Media
Organizations need an automated way to ensure that portable media is scanned by anti-malware engines before it is connected to devices within the internal network.
This prevents scenarios such as an employee accidentally leaving a USB thumb drive in their pocket, entering the secure facility, and then connecting it to their workstation without scanning it, or a malicious insider doing the same thing on purpose.
6. Files and Data Scanned Only Once
Many strains of malware wait for a certain amount of time to activate in order to escape initial detection. Tripwire notes that "[t]iming-based evasion is the third most common technique" for evading detection by anti-malware software.
Perhaps all files are scanned before they can enter the network. But if files are then transferred into the network and not quarantined, analyzed, or scanned again, it is possible for malware using this evasion technique to be transferred into the network.
As organizations improve their secure file transfer processes, we can hope that the nightmare scenarios such as the ones described at the top of this article can be avoided – instead of becoming commonplace.
OPSWAT has developed secure file transfer solutions with these challenges in mind, and Metadefender Kiosk, Client, and SFT fill these gaps. OPSWAT products use data sanitization (CDR) to remove exploitable content in files, and multi-scanning and vulnerability detection to identify known threats and vulnerabilities.
Contact OPSWAT today to learn how to increase security for file and data transfers.