The Need for Endpoint Protection in Critical Infrastructure

Lionel Jacobs



As cyberattacks against ICS and SCADA systems become commonplace, the need for robust endpoint protection grows. The rapid growth of the internet, with its ever-increasing appetite for data, has made it almost mandatory that information be available at all times. This appetite for data drives corporations to provide connections to devices within their process control networks without fully understanding the potential consequences of doing so.

Reasons for the increase in attacks

Thanks to trends like the internet of things, aka IoT, and Industry 4.0, attacks against critical infrastructure are becoming more frequent and more targeted. This is seen in both the recent, unsuccessful attack against a petrochemical company in Saudi Arabia during 2018 and the infamously successful Ukraine power grid breach of 2016. Cyberattacks against critical infrastructure are becoming prevalent partly because of the increased number of network-connected and business-accessible devices, along with the demand for the data they generate. Combine this with the pressure on companies to do more with less staffing and more outsourcing as they attempt to lower yearly operational expense, and the potential for gaps in security grows, in some instances exponentially, resulting in a number of worst-case scenarios for operators. With remote access required for employees and third-party support, businesses face more access to the environment and missing or misconfigured security policies that provide hackers with ideal attack vectors.

It has also come to light that critical infrastructure assets are becoming easier to find and identify without any direct interaction from potential attackers. Using open source intelligence-gathering techniques, internet databases like Shodan, and geo-stalking, attackers are able to find these assets without exposing themselves or their intent, a clear example of too much information being readily available and unsecured.

Regardless of the reason for the lapse in security, every breach of a control network shows us just how disruptive and dangerous these endpoints can be to our daily lives when under the control of those with malicious intent.

Why attack ICS and SCADA endpoints

Motives for attacking these systems can be grand in scope, ranging from corporate espionage with the intent to destroy a competitor’s brand to political in nature, such as the intent to influence the inner workings of a rival nation’s government. We also see examples of attacks that have a more simplistic purpose like financial gain or a script kiddie proving he or she can take control, earning them bragging rights. Regardless of the attacker’s motivation, the need to protect these critical infrastructure assets is of the utmost importance for the companies that run them and the community at large.

Current research into the matter shows that the number of vulnerabilities related to ICS and SCADA systems is doubling on a yearly cadence. As of this year, the estimated number of identified critical infrastructure-related vulnerabilities is roughly 400, a number that will continue to grow due to the nature of how these systems operate and the security challenge they create. Legacy operating systems and the high uptime mandates of these systems make them some of the most difficult to secure.

There is hope

Despite all the advancements attackers are making to breach and control critical infrastructure, it is possible to defend and protect these highly targeted assets.

True advanced endpoint protection must be capable of preventing known and unknown threats by leveraging features such as:

  • Machine learning, which is capable of providing an instant verdict on an unknown executable before it runs on any of the systems in a process network.
  • Virtual sandboxing technology that can determine if an executable file is malicious before it executes on the machine.
  • Identifying software packages from vendors that are trusted in the environment and blocking those that are not.
  • Support for the various operating systems that control systems run, including some that are end-of-life.
  • Cloud-readiness.

ICS/SCADA systems require advanced endpoint protection capable of disrupting known and unknown cyberattacks without impacting production. The approach must be lightweight, scalable, innovative and capable of integrating both existing and new technologies while complementing other best practice procedures and offerings. Most importantly, it must be powerful and ICS/SCADA-friendly.
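The trusted-vendor allow-listing and sandbox-before-execution features listed above can be combined into one layered policy. The following is an added illustration, not Palo Alto Networks code; the publisher names, digests, paths and the "audit mode" that only logs rather than blocks are constructed assumptions, included because a policy rollout on a process network must not itself halt production.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy: publisher names and SHA-256 digests are placeholders.
TRUSTED_PUBLISHERS = {"Example HMI Vendor Ltd", "Example PLC Tooling Inc"}
KNOWN_BAD_SHA256 = {"a" * 64}          # placeholder digest of a known-bad binary


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    publisher: Optional[str]           # None when the binary carries no signature
    signature_valid: bool = False      # a named publisher with a broken signature is untrusted


def verdict(exe: Executable) -> str:
    """Return 'block', 'allow' or 'sandbox' for one executable, in priority order."""
    if exe.sha256 in KNOWN_BAD_SHA256:
        return "block"                 # a known-bad hash wins over any signature
    if exe.signature_valid and exe.publisher in TRUSTED_PUBLISHERS:
        return "allow"                 # validly signed package from a trusted vendor
    return "sandbox"                   # unknown: hold for a sandbox / ML verdict first


def enforce(exe: Executable, audit_mode: bool = False) -> str:
    """Map a verdict to an action. In audit mode nothing is stopped, only recorded."""
    v = verdict(exe)
    if audit_mode and v != "allow":
        return f"log-only:{v}"
    return v


# Constructed inventory of one process-network host (hypothetical paths).
SAMPLE: List[Executable] = [
    Executable(r"C:\Vendor\hmi.exe", "b" * 64, "Example HMI Vendor Ltd", True),
    Executable(r"C:\Vendor\hmi.exe", "b" * 64, "Example HMI Vendor Ltd", False),  # signature no longer valid
    Executable(r"C:\Temp\update.exe", "a" * 64, "Example HMI Vendor Ltd", True),  # signed, yet known-bad hash
    Executable(r"C:\Users\op\tool.exe", "c" * 64, None),                          # unsigned, unknown
]


def evaluate_all(exes: List[Executable], audit_mode: bool = False) -> List[Tuple[str, str]]:
    """Evaluate a host inventory and return (path, action) pairs in input order."""
    return [(e.path, enforce(e, audit_mode)) for e in exes]


if __name__ == "__main__":
    for path, action in evaluate_all(SAMPLE, audit_mode=True):
        print(f"{action:16} {path}")
```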

To learn how Palo Alto Networks can help operators of ICS and SCADA networks protect their critical infrastructure, download this whitepaper on advanced endpoint protection for ICS/SCADA systems.
