Critical infrastructure: a role model to protect normal businesses?



By Andrey Suvorov, Head of Critical Infrastructure Protection at Kaspersky Lab

After many years of working with clients trying to protect their industrial systems - from oil refineries to railway systems - you learn one thing: critical infrastructure needs special attention. Like normal companies, industrial facilities depend on computers and software, but the range of solutions in use is very different from a typical office. You can find ten-year-old machines still working as though they are as good as new, and operators are not worried about the cost of replacement. Instead, they ask how much it costs to stop those machines for just an hour, because industrial operators face million-dollar losses from downtime on one side and compliance failure fines ranging from $1K to $1M per day on the other.

The importance of reliability and continuity is so high in this environment, that a fraction of the strict SLAs they face will, in fact, boost the operations of a regular business. So, do companies with traditional infrastructure have something to learn from critical operations? The answer is ‘yes’ and ‘no’ at the same time.

When we were developing our specialized security software for industrial facilities, there were some unique requirements we had to meet. Let me name a few here.

  • Observability mode. Security solutions are deployed extremely carefully in critical industrial environments. Solutions should be able to monitor activity and detect threats, but leave the decision to block an attack up to the operator. Industrial systems rely on customized software, so even the potential conflict between a security solution and, let’s say, operations of a railway system cannot be allowed. For a typical IT infrastructure this provides us with a good example of the careful deployment of a new feature – such as application control. Run it in the background, collect all of the stats, analyze and refine and only then – roll out full functionality.


  • Security assessment. Critical infrastructure always works together with traditional IT, and the fact that different teams are usually responsible for security of those two entities is challenging. An independent look by security experts proficient in both industrial systems and general IT helps to identify potential weaknesses usually found at the meeting point between two systems. This is also true for any traditional IT infrastructure. In fact, the variety of endpoints, mobile devices, on-site servers and cloud services is no less complicated than a power plant.


  • Exploit prevention. Technologies designed to identify attacks using previously unknown vulnerabilities is one level above traditional anti-malware systems. As we learned from Stuxnet, critical infrastructure may be targeted with the most advanced cyber weapons. Unlike traditional malware, targeted and advanced attacks require special tools. As we know, targeted attacks put businesses in danger even more than industrial facilities. So if you ask me, it was time to start protecting businesses from APTs yesterday.

These are the positive examples of critical infrastructure specifics that may be adopted by traditional businesses right away. But here are a few things that would be better if they stay within the manufacturing and energy sectors.

  • Older hardware. It costs millions, it is reliable, and you can find fully operational machines still working under Windows 98. While there are reasons to use this hardware this in critical infrastructure, this is not an excuse to use outdated software and hardware in the office. When IT reaches its end of life, it’s worth replacing for the sake of security.


  • Isolated operations. Letting a SCADA system directly connect to the Internet is the worst thing that can happen with an industrial system. For security it presents problems, especially in terms of the delivery of security updates. They can be solved but isolating traditional infrastructure without changing the security approach leads to a lot of trouble.

The best takeaway from mission-critical experience is the need to have the right attitude. When you know that the wrong software update can cause an hour’s outage and losses of thousands of dollars per minute, you must alter your approach. Traditional IT is usually more relaxed, although it is possible to lose anything from $66K (SMBs) to $1,4M (enterprises) due to downtime from a security incident. Given this, adopting a ‘critical’ attitude when thinking about IT security seems to be a wise choice.

Like us in Facebook


Latest News

UBS gears for sustainability in its global operations

  By Rose de la Cruz   UBS, the leading investment in the Philippines and consistently ranked top 2 among international investment banks, is... Read More...
NEDA commits to stronger collaboration among developing countries

    By Rose de la Cruz   Socioeconomic Planning Secretary Ernesto Pernia today said the Philippine government, through the National Economic and... Read More...
Bong still unsure of Senate run

Should he stay or should he go?  This is the question that Special Assistant to the President Christopher “Bong” Go is trying to answer and... Read More...
IMAGE In the know: Solar Philippines

Solar Philippines is currently the country’s – and Southeast Asia’s – largest solar-energy company. Founded in August 2013 by Leandro... Read More...
Stupid Name Giver and Other Laughs

Stupid Name Giver Late one night, a burglar broke into a house. While he was sneaking around he heard a voice say, "Jesús is watching you."  He... Read More...
Confession Code and other laughs

Confession Code AN old priest who became sick of all the people in his parish who kept confessing to adultery said one Sunday, in the pulpit,"If I... Read More...

Photo courtesy of Top Gear Philippines Officials of motorcycle-sharing service company Angkas must be grinning all the way to the bank. After a... Read More...

MABUTI naman at tuluyan ng nagpasiya ang pamahalaan na sampahan ng karampatang kaso ang mga sangkot sa kontrobersyal na Dengvaxia anti-dengue... Read More...

Our Guests

This week5406
This month18011

Visitor Info

  • Your IP:

Who Is Online


Saturday, 20 April 2019
© 2016 OpinYon News Magazine Online. All Rights Reserved.

Please publish modules in offcanvas position.