Rare is the element of critical infrastructure ecosystem that doesn’t contain legacy systems declared at end of life (EOL) or outdated and unsupported software or operating systems.
Any CISO in charge of safeguarding said infrastructure should aspire to know and refresh often their knowledge of where that legacy tech resides, given the length and breadth of its footprint from operational technology (OT) to information technology (IT).
The lack of this knowledge effectively creates risky blind spots for which the CISO will be held both responsible and accountable, as there is no doubt that critical infrastructure sits squarely in the crosshairs of many a potential adversary.
According to FBI Director Christopher Wray, China’s “targeting of our critical infrastructure is both broad and unrelenting.”
The hackers’ goal is disruption, not financial gain
“The fact is, the People’s Republic of China (PRC) isn’t just aimed at stealing American intellectual property,” Wray told the Vanderbilt Summit on Conflict and Emerging Threats. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing.”
Wray described a honeypot operation designed to lure PRC hackers, who took 15 minutes to take the bait and steal information relating to command-and-control systems. What made it noteworthy was that in going straight for those command systems, the hackers ignored planted business and financial documents.
In other words, the goal was potential mayhem and disruption, not financial gain.
While Wray speaks for the United States, the problem is international and there are ample warnings from other governments, such as the United Kingdom, which serve as both echo and confirmation.
The importance of critical infrastructure cannot be underestimated
If there was ever a piece of critical infrastructure that needed protection more than any other, it’s our drinking water — something we literally cannot live without. If a bad actor was able to wreak havoc with water systems, the consequences would be disastrous.
It’s pretty telling then that the US government is concerned enough about the issue to warn those safeguarding the water supply, underscoring that the threat is real and credible.
In May 2024, the US Environmental Protection Agency (EPA) issued an enforcement alert to critical infrastructure providers in the drinking water sector known as community water systems (CWS) aimed at reducing cybersecurity vulnerabilities.
The enforcement alert put the onus on those systems serving 3,300 or more people to conduct a risk and resilience assessment (RRA) and develop an emergency response plan (ERP). The alert rehashed the efforts of Iran, pro-Russian hacktivists, China and others, and offered assistance to CWSs.
It is worthy of approbation that the Biden administration signaled enforcement was on the horizon when in mid-March 2024 the EPA in conjunction with the National Security Advisor crafted a letter to all US governors to discuss the “urgent need to safeguard water sector critical infrastructure.”
One of the most chilling examples of an infrastructure breach that succeeded was the Colonial Pipeline ransomware attack carried out by the threat group DarkSide. If water is our most important asset, energy infrastructure is not far behind. The oil pipeline company was forced to shut down its operations and restart, causing regional shortages of oil and many types of fuel.
Technical debt is a big problem for infrastructure
In the early spring of 2024, a piece in the Wall Street Journal titled “The Invisible $1.52-trillion problem: Clunky Old Software” discussed in depth the scourge and magnitude of the problem known as technical debt.
Technical debt can be described as an accumulation of fixes and outdated systems badly in need of updating. And infrastructure, because of the size and cost of building and maintaining public and private projects such as water systems, electrical grids, telecommunications systems, and transportation systems, is particularly prone to an accumulation of such debt.
“Technical debt is one of those invisible issues that people either know they have a problem with, or they don’t know, and that’s worse,” Roger Williams, vice president of research at Gartner, tells CSO. “It happens because it’s cheaper and easier to put things off for tomorrow, just like anything we have at home.”
Legacy systems were a hot topic at the most recent RSA Conference, and the issue was perhaps best summarized in a presentation by Allan Friedman, senior advisor and strategist at the US Cybersecurity and Infrastructure Security Agency (CISA) aptly titled “All good things: End of life and end of support in policy and practice.”
Friedman highlighted a plethora of incidents which were possible when adversaries compromised an obsolete or EOL system. For example, Volt Typhoon threat actors compromised a small office/home office router, which the manufacturer had declared at end of service life and recommended the units be retired and replaced.
We’ve been warned before about legacy systems
This message is not new. The US Government Accounting Office (GAO) warned government agencies in December 2022 to focus on the OT and IOT within critical infrastructure, pointing the finger at various government departments and agencies in a scathing manner.
Resources were made available following the GAO report and are at hand for CISOs in the form of guidance and training from CISA, which is available to all, without national or geographic restriction.
“The guides and frameworks provided by CISA are good,” Tim Chase, CISO of Laceworks, tells CSO, “as they are prescriptive, highlighting what is expected and removes the guesswork for CISOs when dealing with government.”
Chase says CISOs need to have a solid foundational knowledge of where their information and operational technologies are and make no assumptions that they are up to date or even fully functional. The framework on materiality of incidents provided by the Security Exchange Commission provides infrastructure CISOs with added impetus to get their arms around the EOL/legacy items within their environment.
End-of-life systems are not vulnerabilities but risks
Friedman noted that in February 2024 it was shared that within the Ivanti Pulse Connect box, there were a good deal of old systems, including a Linux version from 2009 and a routine as old as 23 years. While he noted that EOL is not intrinsically a vulnerability, “It does, however, warrant a review and a plan to maintain without manufacturer or developer support.”
Friedman suggests CISOs focus on the things that really matter:
- Risk awareness
- Responsibility
- Patches and updates
- An established product security incident response team (PSIRT)
- Planning and risk smoothing
None of which is possible if one is blind to what’s inside the box. He also made a strong pitch to take on board the recent provision of numerous pieces of information and assistance within CISA’s software bill of materials (SBOM) website.
I’ve opined about SBOMs not being the panacea of supply chain security in the past, with a focus on product and software acquisition. But with respect to legacy systems, the need to dig in cannot be understated.
Chase concluded with a strong pitch for the use of frameworks by CISOs in their decision-making processes. He noted that when it comes to defending one’s actions, a framework provides the CISO with fundamental and understandable reasoning to share with the board, C-suite, and any subsequent investigators asking the question about untended legacy systems: “What were you thinking?”