Based on your experience, how fragile is the security of critical networks in general?
It is very fragile. So fragile indeed, that it makes you wonder why we do not get to see a lot more reports on security breaches and incidents every week. Presumably, there is a large dark number of undetected incidents, and most of the discovered ones are being hushed up.
Virtually all of the automation components deployed in critical networks today are designed for exclusive use in secure environments, with little to no built-in security capabilities. Many of them have vulnerabilities that cannot be or have not been mitigated by patches. And the secure environments that these components would require for their protected operation are not stringently established everywhere.
There's a variety of regulatory mandates for organizations in the critical infrastructure sector. How do these influence information and hardware security?
Most of these regulations and the underlying standards focus around the establishment of an appropriate security management system and related processes. That is a reasonable approach to start with but typically fails to enforce specific measures and metrics, lack of the latter being a fundamental problem. In contrast to the area of functional safety where a mathematical model exists and safety integrity levels (SILs) can be defined and calculated based on component failure probabilities, a quantitative model and measurements for cyber security levels do not exist.
As a compromise, security certifications typically resort to the resilience of the device or system under test against a defined test bench as their pass/fail criteria, thus actually providing more evidence of their robustness than of their security. Also, while the hardening of individual components can make valuable contributions, meaningful security assessments are only feasible at the system level. Therefore, regulations run the risk of ending up as a paper tiger, where asset operators and their vendors focus their efforts on process compliance without achieving significant objective improvements of their security posture.
What advice would you give to those appointed to increase the security of a critical network running outdated software/hardware?
First of all, understand and document the necessary and intended behavior of your system components and how they communicate with each other on the network. Then restrict the potential behavior and communication as much as possible to what is necessary and intended, by hardening measures, shutting down unused services and interfaces, and deploying distributed firewalls for the protection of critical endpoint devices. Establish demilitarized zones (DMZs) and VPNs with strong authentication for necessary secure remote services to prevent unauthorized remote access. Finally, monitor your system for deviations from its expected state and behavior.
If whitelisting solutions and real-time anomaly and intrusion detection techniques are not available and/or too expensive, do at least monitor the integrity of your system components at regular intervals to detect any unexpected manipulations promptly. Remember, the worst thing about Stuxnet was that it went undiscovered by all anti-virus software on the planet for more than 15 months, whereas a simple integrity check would have detected its manipulations on day zero.