On January 4 the U.S. Department of Homeland Security issued a National Terrorism Advisory Alert cautioning U.S. targets that Iran may carry out physical or cyber attacks in retaliation for the U.S. strike that killed Iranian IRGC-Quds Force commander Qassem Soleimani in Iraq. The alert pointed out that Iran has a robust cyber program able to bring about – at the very least – temporary disruption of U.S. critical infrastructure and other targets, and possibly much worse.
What to do about this threat? The alert suggests measures such as sharing information and very elementary cyber hygiene: backups and multi-factor authentication. By recommending these measures, the alert implies they would effectively protect against a concerted Iranian cyber assault.
Well, this is a government alert and so, I guess, it needs to be phrased “diplomatically.” Business culture in the U.S.A. is such that most industrial enterprises don’t like the government to tell them what to do. On top of that, the government (usually) works very hard to avoid giving the impression of “favoring” any individual vendor, technology or approach to cybersecurity in a highly competitive marketplace.
I have no such limitations.
If Iran is going to launch a cyber attack against a U.S. target, how are they going to do it? Are they going to fly their operatives into the country and have them drive up to power plants and refineries, cut their way through barbed-wire perimeters and stick USB drives into PLCs?
This is, of course, nonsense.
If Iranian state actors launch a real cyber retaliation, they will launch their attacks through the Internet, while sipping coffee in the comfort and safety of their offices in Tehran. They will route their attacks through unsuspecting third parties to frustrate attribution. They will use zero-days and custom malware to bypass even sophisticated software-based protections.
What is the most robust protection against such remote attacks? Well, it’s not “data backups and employing multifactor authentication” as the alert diplomatically suggests. Nor are intrusion detection and information sharing the solution, though these approaches do have a role to play – in terms of the NIST Framework, intrusion detection is a detective security control, not a preventive one.
The most robust and most practical protection against remote attacks is unidirectional gateway technology, such as Waterfall’s own Unidirectional Security Gateways. Unidirectional Gateways are physical, hardware-based protection for industrial sites. The gateways render interactive remote-control attacks completely impossible while enabling safe IT/OT integration, straightforward visibility into industrial operations, and disciplined control of such operations.
This class of technology is used nearly universally at critical infrastructure sites in “high risk” jurisdictions such as Israel, Singapore and (increasingly) South Korea. But – are these jurisdictions really at any greater risk of cyber attacks than are American targets? Or Western European targets?
I’m sorry, but the Iranian and North Korean regimes hate us all, and the Internet reaches everywhere. “High risk” jurisdictions are not deploying Unidirectional Gateways because they are at greater risk of crippling cyber attacks than other targets – these nations deploy Unidirectional Gateways because they have a deeper understanding of our enemies’ motives and abilities than is the case in most of the western world.
Robust, unidirectional protections against Internet-based cyber attacks are standard in threat-aware jurisdictions. The threat against us all is clear. The time has come for the vast majority of American and European critical infrastructure sites to adopt these standard protections.