Targeted Attacks On Critical Infrastructure On The Rise

by Priyanka Pugaokar    Feb 28, 2017


The increasing adoption of automation and the Internet of Things (IoT) has put industrial security at risk. While industries focus on achieving a higher level of business agility, they tend to overlook the crucial aspect of security. Given the increase in targeted attacks on Critical Infrastructure Industries (CIIs), it is time to gain visibility into the critical components of IT and OT infrastructures. CISOs and OT heads need to understand that their role is no longer restricted to approving a check-the-box compliance report, and that a greater level of collaboration is needed to lay the foundation of holistic security for industries. NCIIPC is taking crucial steps by outlining standard regulations for industrial security, as there is considerable scope for improvement in this space.

In a candid interaction with CXO Today, Sridhar Namachivayan, Regional Director - India & SAARC, Skybox Security, shares crucial insights into the current state of industrial security in India and the steps needed for holistic security of critical infrastructure in the country.

CXOToday: How would you describe the current cyber threat landscape in India? How do you observe the cyber security preparedness of enterprises?

India is experiencing a shift in the threat landscape that’s being felt across the world. For all the attention APTs and zero-day attacks have received over the last few years, the vast majority of attacks that organisations are dealing with are motivated simply by money. Cybercrime makes up roughly 80% of the attacks we see today.

Cybercriminals have developed a business model to distribute their attacks across the widest set of targets, often using pre-packaged tools or services readily available on the dark web. The skill levels of these attacks are low because advanced skills aren’t required – they are looking for “low-hanging fruit” in individuals or organisations with weak security. 

In the criminals’ eyes, it’s very effective and has made them a lot of money. The lucrative nature of the attacks is what’s turned cybercrime into a genuine industry where ransomware, banking Trojans, exploit kits and traffic direction systems are easily bought and sold, sometimes even coming with customer support or peddled in marketing campaigns.

Reports on ransomware alone have identified 60 new ransomware families over the last two years with around 45,000 new variants. There are undoubtedly dozens more being created every day. To expect organisations to identify and track that kind of constantly evolving threat is nearly impossible. A new approach analysts and vendors are using to counteract this is to focus on the vulnerabilities these attacks leverage, which are fewer than 1,000, according to Verizon’s Data Breach Incident Report.

CXOToday: How, according to you, has the cyber threat landscape changed post-demonetization?

Demonetization has driven massive numbers of Indians to shift to digital banking transactions. Considering that India ranks third in terms of countries affected by online banking malware, cybercriminals were bound to use this post-demonetization surge to their advantage.

The number of endpoints in online transactions – point-of-sale terminals, ATMs and customer devices – greatly complicates the attack surface of financial institutions and retailers. In India particularly, these endpoints are notoriously running outdated software or have unpatched vulnerabilities, making them key targets for malware.

These kinds of lax security practices indicate many organisations are not prepared to take on the increased cyber threat; however, gaining visibility of their unique attack surface, the systems they are running, the security controls they have in place and the associated risks is the first and fundamental step to overcoming that challenge.

CXOToday: How would you describe the current state of critical infrastructure security in India? What key recommendations would you give to NCIIPC for industrial security?

I would describe Indian critical infrastructure security as improving. NCIIPC has made it a national priority, and it’s distinct in that – similar to PCI compliance – they are not just laying out regulations, but prescriptions. This is intended to set an acceptable baseline for institutions that are crucial to our economy, health and safety.

However, critical infrastructure is increasingly becoming a target for cyber-attacks and cybercrime – the bar keeps getting raised on what counts as “adequate security”. Just this month, researchers demonstrated how ransomware could be used to take over devices in a water treatment facility, holding it hostage under the threat of releasing dangerous amounts of chlorine into the water. It’s a proof of concept, but it shows the real threat to the notoriously vulnerable systems and devices on which critical infrastructure depends.

What I would recommend that the NCIIPC push to help critical infrastructure organizations achieve holistic security is visibility. These organizations need to understand the components of their IT and OT infrastructures, and how they relate to one another. This visibility provides the foundation to improve security, and not just a check-the-box compliance report. It enables critical infrastructure organizations to mature their security programs, act strategically and adapt to a constantly changing threat landscape, because they can better understand the impacts on their environment.

CXOToday: On the lines of the proposed CERT-Fin, do you feel the need for sectoral CERTs for different industries?

In cyber security, information is gold. The more insight we can gain on cybercrime behaviour related to specific industries, the more we can understand how to respond to and even be proactive against such attacks.

CXOToday: What is Skybox Security’s engagement in India? What are your key solution offerings?

Skybox Security partners with 15 top-tier channel partners in India. Our India-based business grew 154 per cent in year-over-year revenue in 2016; our success, combined with the cyber security challenges India faces, the available market, and the power of the Indian economy, is driving further expansion. We recently opened our first Indian support centre in Bangalore to serve customers in the country and the APAC region, and to provide follow-the-sun support to our global customers.

The entire Skybox Security Suite was built for enterprise scalability from the beginning. We deliver solutions for vulnerability and threat management, firewall and change management and security policy management on a common platform. We also include in our platform an attack surface visualization layer to create a visual, interactive model of an organization’s network infrastructure, its connections and its exposures most likely to be used in an attack.

CXOToday: What growth prospects do you see in the government domain? Which are your key focus verticals in the country?

We are proud to count several state-owned enterprises as our customers, and we have developed programs to address the particular challenges faced by government bodies, due to the constraints imposed upon them by their tasks, their scale, and their increased threat levels. Our key market segments are financial services, ITES & BPO, national critical infrastructure and telcos.

CXOToday: What are your key thrust areas in 2017 in terms of business expansion and getting strategic enterprises on board? 

SAARC and the APAC region are definitely strategic focus areas for us this year and in years to come. There’s great potential to help organizations mature security and compliance programs, improve efficiency and intelligence and increase the ROI of their existing solutions.