How Demanding Conditions Impact Critical Infrastructure Security

Enterprises already understand how important a role physical security plays in protecting their staff, work environments and privileged information from outsiders. Fences, walls, security guards and RFID-controlled doors all help organizations protect themselves, but these measures are far from sufficient when it comes to protecting critical infrastructure environments from cybersecurity incidents. The increasing demands for connectivity across all environments can make that protection even more difficult.

Critical infrastructure organizations, in particular, face many challenges. The Cybersecurity and Infrastructure Security Agency (CISA) outlines the sixteen critical infrastructure sectors that are vital to the United States and how to strengthen and maintain secure, resilient and functioning infrastructure. Many of these critical infrastructure industries rely on operational technology (OT) and industrial control systems (ICS) that are isolated via air-gapped networks, thereby reducing the risk introduced by internet-connected devices. That isolation can introduce different problems, however, because these systems must be updated, reported on and audited using portable media devices such as USB thumb drives, CDs, SD cards and other devices.

Portable media has long been a concern for cybersecurity professionals because it can easily be used to introduce threats in the form of infected files, malware and malicious hardware or firmware. Once they enter OT and ICS environments, these threats can propagate to the rest of the network and cause downtime, outages and even catastrophic damage to critical infrastructure, impacting the systems we rely on every day. But demanding environmental conditions introduce other challenges that can be difficult to manage.

Physical Environments Pose Additional Challenges

Offshore Oil Rigs

Oil rigs have increasingly complex control systems and are collecting and analyzing more data than ever. As these systems include more technology, they increase the attack surface and the level of risk. If your security team is under pressure to install a software update on an offshore oil rig in the middle of the ocean, how are you planning to test your portable media to ensure you are not introducing any malware or vulnerabilities into the closed system?

Chances are that both the portable media containing software updates and the tools needed to test them will be exposed to cold ocean spray, heat, sun and wind. Your tools to secure portable media must be able to withstand those demanding environmental conditions and still securely and efficiently inspect all media for vulnerabilities, malware and sensitive data.

Nuclear Power Facilities

Similarly, nuclear power facilities are air-gapped environments, but security teams must still transfer data into and out of these operational networks to make required vendor software updates, and each of these updates provides a potential pathway for an attack. The often-discussed Stuxnet incident, for example, is famous for targeting supervisory control and data acquisition (SCADA) systems, and many believe it caused serious damage to Iran’s nuclear program.

These facilities are highly restricted and regulated, and the update process for all software and equipment using removable devices is highly controlled. When updates are needed, there are many policies in place to ensure that security professionals can safely scan portable media.

Manufacturing

The COVID-19 pandemic makes it all too clear why our manufacturing processes must be secure. Shortages were seen across industries from toilet paper to technology, and many people were unable to receive the goods we often take for granted on a daily basis. Manufacturers provide items we need, and their work includes pharmaceutical research and the creation of medications and medical supplies that are vital to national public health. In research and production areas, organizations must ensure that the environment is appropriately controlled. Yet these facilities and production areas also contain systems that must be kept up to date, and it must be easy to collect data for analysis at these sites safely and securely without impacting the much-needed goods produced in this environment.

Pharma has requirements that go far beyond the limited personal protective equipment (PPE) most people became familiar with over the last few years. These more robust requirements are designed both to protect the health of workers and to ensure that there is no possibility of contamination to experiments or work products. In these types of sensitive controlled environments, it can be difficult to scan portable media while wearing appropriate protective equipment to ensure that it is safe to use to collect data or install security updates. A security solution must be able to function reliably and accurately even when you are wearing gloves, a full hood or a mask respirator.

Defense

In the defense space, there are many different uses for removable storage devices. In the armed forces and other areas of the military, personnel must frequently collect laptops, thumb drives, cell phones and other portable and removable media that may have been used by terrorists or other criminals. These devices must be handled with extreme care to ensure that no harm comes to the staff processing them and collecting information. It is also essential that all data be scanned to ensure that the security and safety of systems are maintained.

Secure Portable and Removable Media in all Conditions and Environments

Many assets in critical infrastructure environments rely on removable media to update and patch software to maintain security standards even in air-gapped and strictly controlled environments. This media must be checked carefully, but in many critical infrastructure industries, physical conditions pose an additional challenge to testing removable media devices and content before performing updates. Rugged testing solutions can help organizations ensure secure updates and data collection even in challenging conditions.


Matt Wiseman

Matt Wiseman is a Sr. Product Manager at OPSWAT managing the OT product line. Matt’s focus is on product, engineering, product marketing and cybersecurity strategy. Matt has experience working in large industrial organizations and has worked to provide comprehensive cybersecurity solutions for all key critical infrastructure industries. His passion for cybersecurity comes from a love of solving unique business cases and deciphering complex problems. Prior to joining OPSWAT, Matt served in various cybersecurity strategy and global marketing leadership roles at Honeywell. Based in Canada, Matt holds a bachelor’s degree in Business Management with an Honors Specialization in Finance from Western University. In addition, Matt has obtained a variety of cyber-related certifications from the Department of Homeland Security as well as a GISF, and is a member of the GIAC Advisory Board.
