The Department of Homeland Security (DHS) issued a warning last week that the computer network of a public utility company had been compromised by a “sophisticated threat actor,” likely through a brute force password attack.
Although the utility company repelled the attack, and there is no evidence that operations were affected, the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released news of the incident in its January-April 2014 report to highlight “the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
This incident illustrates why intrusions into critical infrastructure are such a serious national security concern. Just a few months ago, an internal Federal Energy Regulatory Commission analysis, reported in the press, found that a coordinated attack on just nine of the country’s 55,000 electrical-transmission substations could cause a “coast-to-coast blackout.”
Given these stakes, government agencies have a responsibility to secure every endpoint that touches their networks, from legacy ICS terminals to employees’ personal mobile devices, especially now that Advanced Persistent Threats (APTs) are commonplace. No endpoint can be left unprotected, because attackers are constantly probing for new vectors to exploit. At the same time, agencies have more endpoints to secure than ever, as the Bring Your Own Device (BYOD) and telecommuting trends bring growing numbers of employees onto government networks remotely. These converging changes require the government to rethink its network security approach.
In August 2012, the Digital Services Advisory Group and the Federal Chief Information Officers Council laid the groundwork for this new approach by issuing a BYOD toolkit for federal agencies, with implementation guidance, case studies and sample policy templates. That guidance has not necessarily translated into broad BYOD adoption in the public sector, however. The U.S. Department of Defense, for example, has been chilly toward BYOD for some time.
What Government Organizations Can Learn from Enterprises
Even though government agencies are reluctant to support BYOD because of the information security challenges that come with it, government workers are pushing for it. Government BYOD is inevitable – IDC predicts that although currently “personal devices make up just 5 percent of the government market, that figure will grow at double-digit rates for the next three years.”
Large enterprises, having already embraced BYOD and dealt with many of its security challenges, are further along than the government is at present and provide a good example of how the right technologies can work together. Faced with the need to secure a myriad of endpoint devices and operating systems, they have adopted a defense in depth approach: layered, independent network and security controls around critical systems, so that the failure of any single control does not by itself result in a breach.
As part of such a framework, enterprises deploy centrally managed remote access VPN solutions, which let network administrators monitor the remote access infrastructure and all traffic between remote devices and the corporate network. Forward-looking government agencies are starting to do the same, and now is an ideal time for other agencies to follow their lead.
With a centrally managed VPN, government network administrators can verify that every endpoint connecting remotely complies with the agency’s policies (for example, a supported operating system version, current patches, disk encryption and a managed configuration) before it is granted access, and deny any device that fails the check. Once a breach is spotted, they can limit its impact by revoking network access for the affected devices from a single place, rather than chasing each device individually. This narrows the agency’s exposure to the “potential intrusion vectors” described in the ICS-CERT report.
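The compliance gate described above, as an added illustration rather than code from any agency or VPN vendor: a small Python policy engine that a VPN gateway's connect hook could call with a posture report collected from the connecting device. It denies access for any policy violation (missing fields fail closed), refuses devices placed on a central revocation list after an incident, and records every decision for the security operations team. The policy values, report format, device identifiers and incident reference are all hypothetical, and the two posture reports are constructed sample input.

```python
"""Endpoint compliance gate for a centrally managed remote-access VPN.

Illustrative only. Assumes the gateway calls Gate.check_access() with a
device identifier and a posture report (JSON from a hypothetical agent).
"""
import json
from dataclasses import dataclass, field

# Hypothetical agency policy: minimum OS versions and required settings.
POLICY = {
    "allowed_os": {"windows": (6, 1), "ios": (7, 1), "android": (4, 4)},
    "require_disk_encryption": True,
    "require_screen_lock": True,
    "require_mdm_enrolled": True,
    "max_patch_age_days": 30,
}


def parse_version(text):
    """'6.3.9600' -> (6, 3, 9600); raises ValueError on junk so callers fail closed."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Gate:
    policy: dict
    revoked: dict = field(default_factory=dict)  # device_id -> incident reference
    audit: list = field(default_factory=list)    # every decision, for the SOC

    def violations(self, report):
        """Compare a posture report against policy; a missing field counts as a failure."""
        found = []
        os_name = str(report.get("os", "")).lower()
        minimum = self.policy["allowed_os"].get(os_name)
        if minimum is None:
            found.append(f"os not permitted: {os_name or 'unknown'}")
        else:
            try:
                version = parse_version(str(report.get("os_version", "")))
            except ValueError:
                version = ()  # unparseable version sorts below any minimum
            if version < minimum:
                found.append(f"{os_name} {report.get('os_version')!r} below minimum "
                             + ".".join(map(str, minimum)))
        for flag, label in (("disk_encryption", "disk encryption"),
                            ("screen_lock", "screen lock"),
                            ("mdm_enrolled", "MDM enrollment")):
            if self.policy["require_" + flag] and not report.get(flag, False):
                found.append(f"{label} not enabled")
        age = report.get("days_since_patch")
        if age is None or age > self.policy["max_patch_age_days"]:
            found.append(f"patch level unknown or older than "
                         f"{self.policy['max_patch_age_days']} days")
        return found

    def check_access(self, device_id, report):
        """Return (allowed, reasons). Revocation is checked before posture."""
        if device_id in self.revoked:
            reasons = [f"access revoked: {self.revoked[device_id]}"]
        else:
            reasons = self.violations(report)
        allowed = not reasons
        self.audit.append({"device": device_id, "allowed": allowed, "reasons": reasons})
        return allowed, reasons

    def revoke(self, device_id, incident):
        """Cut a device off centrally, e.g. once incident response flags it."""
        self.revoked[device_id] = incident


# Constructed sample posture reports (hypothetical agent output).
COMPLIANT_LAPTOP = json.loads('{"os": "Windows", "os_version": "6.3.9600", '
                              '"disk_encryption": true, "screen_lock": true, '
                              '"mdm_enrolled": true, "days_since_patch": 12}')
UNENCRYPTED_PHONE = json.loads('{"os": "iOS", "os_version": "7.1.2", '
                               '"disk_encryption": false, "screen_lock": true, '
                               '"mdm_enrolled": true, "days_since_patch": 3}')

if __name__ == "__main__":
    gate = Gate(POLICY)
    for device, report in (("lap-001", COMPLIANT_LAPTOP), ("phone-007", UNENCRYPTED_PHONE)):
        print(device, gate.check_access(device, report))
    gate.revoke("lap-001", "IR-2014-03")  # hypothetical incident reference
    print("lap-001", gate.check_access("lap-001", COMPLIANT_LAPTOP))
```

The revocation check runs before the posture check on purpose: a device involved in an incident may still report itself as fully compliant, so the central list must win. Returning the full list of reasons rather than a bare deny gives the help desk and the SOC something actionable, and the audit list stands in for whatever log pipeline the gateway actually feeds.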
Government agencies face a broad range of network security threats, but by protecting all their endpoints with the right technologies, instituting a common-sense BYOD policy and doing all they can to protect citizens’ information, they will be far better equipped to withstand these attacks.