By Andrew Jefferies
Over the last year, I’ve had critical infrastructure protection on my mind. Critical infrastructure (CI) is an area that is increasingly getting attention from both the IT industry and the hacker community. Bulletproof has been part of a strategic partnership with CyberNB and some major industry players to create a collaborative critical infrastructure operations centre. This “CI-SOC” will be a first-of-kind facility to protect CI assets.
Critical infrastructure is a category that includes power systems, water, food supply and transportation. These verticals are increasingly being targeted by attackers because of both their susceptibility to attacks, as well as their overall value as a target, since successful attacks can have they a massive societal impact. Protecting these CI organizations is important business!
How does this relate to gaming systems? It is obviously hyperbole to call gaming systems critical infrastructure, but as I have been researching CI protection, I have come to realize that there are many technical and organizational parallels between critical infrastructure and gaming systems. Turns out, critical infrastructure systems can be used as a model for how to protect our gaming infrastructures.
First of all, let’s talk about the similarities. Here are five areas where both gaming systems and CI systems are similar:
High value: When thinking about value, from a security perspective, you need to think about replacement value, lost revenue or the impact of the loss of functionality, and the value of the data. For both CI and gaming systems, all these tick-boxes in the valuation equation are checked. Gaming systems not only have an intrinsic value in terms of revenue, they also contain high value patron data. A high percentage of attacks today are not about stealing cash, but about stealing data.
Targeted: Any high value organization is a target and the gaming industry is no stranger to highly sophisticated and targeted attacks — technology is just the new vector for attacks. Similarly, critical infrastructure is increasingly being targeted because of the high impact and the opportunity for leverage it provides.
Highly integrated: Gaming systems, like CI systems, are highly integrated. There is no doubt that integration provides value. For example, being able to integrate gaming and patron management systems, or entertainment and hotel management systems, provides both a better customer experience and more value to the operator. Similarly, integration of CI infrastructure with management platforms also provides high value to CI operators. However, whenever integration occurs, risk is increased.
Poor vendor support: Typically, vendors of specialized equipment, whether it is a gaming system, centrifuge, or an MRI machine, are really good at engineering their systems for the task required, but they are not great at maintaining those systems in a secure way. This is especially true when integration comes into play. Updating these systems is often difficult, to say the least.
Compliance-driven: In any compliance-driven industry, security is more challenging. Compliance plays an important role in ensuring that systems perform as they are designed. However, compliance creates a challenge in a dynamic situation like cyber security, where new vulnerabilities and attack techniques are released daily. Having compliance-driven systems that can’t be easily updated for security creates an opportunity for problems.
Given the similarities between critical infrastructure and gaming systems, we can draw upon experience with CI to better protect ourselves in gaming environments. Below, we get into the key points that you can use to protect your network:
Don’t trust users
Like with CI, we know that user screening and monitoring is key. From a prevention perspective, education is the key to preventing user-based security issues, but you also need to protect your critical systems from your users. Users should be segmented by role, and permissions should be granted accordingly. This will limit the exposure of data and systems if a user makes a mistake or maliciously tries to gain access to your data.
Users should also never be given admin rights on their standard user accounts. If you have administrators that require administrative rights, give them a separate account for admin tasks. Do not allow them to use that for normal day-to-day tasks. Despite what your technical team will tell you, they do not need admin rights on their day-to-day account.
Zone your systems
While testing networks, we often see that organizations have flat, unprotected networks. Logically they are all on the same plane, without any barriers. This type of flat structure means that both attackers and malware can propagate unabated in your network. Breaking up your system into logical networks, protected by a firewall, allows you to maintain optimal control over what is happening in your network.
Zoning becomes more important when you have systems that are highly sensitive, poorly supported by vendors or that cannot be updated because of compliance requirements. If you cannot update your systems at least monthly (or quicker when there is a critical patch released), you need to have them highly segregated.
It is a best practice to zone your systems based on business function and the sensitivity of the system. Your gaming systems are an obvious first choice for segmentation, but what about your patron systems, your HVAC control systems or your cash counting machines? Internet-enabled devices are another common example of poorly managed and patched systems. If you have a lot of them in your environment, you should be protecting yourself from them by segmentation. Critical Infrastructure operators tightly segregate their systems because they need to control interactions and attacks. You should do the same.
Monitor your systems
Just like you monitor your game floor activity with guards, you need to monitor your network, systems and user behaviour for suspicious activity. This needs to be done 24/7, regardless of your business hours, because your systems are still turned on. It also needs to be done by experts. For the same reason that you use trained security guards, you also need to use trained security analysts for monitoring your network. When things are discovered, you need to be prepared to act on them quickly.
Similar to critical infrastructure clients, gaming operators often have systems that do not inherently allow for monitoring. You can’t necessarily put a log collection agent on your slot machines. In these scenarios, you can still do monitoring, but it might be at a gateway level, or at an upstream control system. In most cases there is a way to monitor a given system.
Don’t assume you’re physically secure
Critical infrastructure operators know that restricting physical access is key, but they assume that it will be breached. Systems need to be secured independent of physical controls. This is part of a “defense in depth” strategy. For example, can an attacker walk into your back office and plug in a laptop? No? Our penetration testers are frequently able to do just that! We have done the exact same thing in a police agency data center! Just because you think you have good physical security doesn’t mean that it is infallible. Assume that your physical security will be breached when you design your security.
In a recent webinar on incident response in gaming systems, I described some of the trends in attacks against gaming clients that we see in our security operations centre. I also described that in many ways our industry has been lucky. Like the CI industry, we haven’t traditionally been a focused target of hackers. Most attacks are still using generic attack techniques. While these are still devastating to the victims, it is the targeted attacks that need to be keeping you up at night. When the focus swings to our industry, it will be a ripe fruit to be picked.
The critical lesson
Casino operators need to treat your systems similar to critical infrastructure, because to you, your team and your clients, it is critical infrastructure. Could you recover from a two week outage due to a breach? Could you recover if all of your client data and was stolen and you had to notify them? Treat your systems like critical infrastructure and you’ll have a better chance of not needing to answer these hard questions.
Andrew Jeffries is co-founder and vice president of security services at Bulletproof, an IT security firm and subsidiary of Gaming Laboratories International.