Only fools think closed networks are secure
- Steven Kenny

- Jan 3, 2025
Updated: Jan 10, 2025

Rethinking Closed Networks: Why Cybersecurity Threats Are Still Real in Today’s Evolving Landscape
It’s amazing that in 2024 we’re still debating cybersecurity and the effectiveness of closed networks, with some people and organisations still treating a closed network as suitable justification for using technologies that have inherent, well-publicised problems. “We know the risk, but it’s okay; we have a closed network.” Many organisations have long adhered to the belief that keeping systems isolated from the internet or outside networks, what we commonly call “closed networks”, provides a blanket of protection from cyberattacks, but times have changed. Although this approach worked well in the past, the evolving nature of cyber threats and the integration of new technologies have rendered this view increasingly outdated. Cyber risks remain real and relevant, even for closed networks, due to a range of factors such as poor device security, the insider threat, and the inevitable changes to network infrastructure over time.
In this article, I will discuss why organisations need to reconsider the security of their closed networks, address the evolving risk landscape, and explore how emerging practices like threatcasting are shining a light on vulnerabilities that could have a significant impact on security if overlooked.
The Myth of Closed Networks as a Safe Haven
At the core of the closed network concept is the belief that restricting access to outside connections inherently mitigates security risks. For many years, this approach has been the go-to strategy for industries that deal with sensitive data or critical infrastructure, such as energy, utilities, and transportation. In theory, a closed network isolates systems, keeping out potential cybercriminals who might exploit internet-based vulnerabilities.
However, in practice, this model is no longer as secure as it seems. As more devices, often referred to as the Internet of Things (IoT), are integrated into industrial systems, many of these devices lack proper security features, introducing vulnerabilities into what was once a controlled environment. A closed network only mitigates external risks; it does little to address internal vulnerabilities such as poor device security, human error, or insider threats, which are increasingly common entry points for cyberattacks.
The Reality of Internal Risks
1. Poor Device Security: Even in closed networks, the devices themselves may present security vulnerabilities. For example, many IoT devices and industrial control systems were not built with cybersecurity in mind. Manufacturers often prioritise cost and functionality over security, leaving gaps that hackers can exploit. If a vulnerable device is installed within a closed network, the absence of external internet connections is of little consequence. Once a threat actor gains access, whether through an insider or a compromised supply chain, the entire network is at risk.
2. Insider Threats: Closed networks do not protect against internal bad actors. Insiders, such as employees or contractors, often have direct access to sensitive systems and may intentionally or unintentionally compromise security. This makes insider threats one of the most challenging cybersecurity risks to mitigate. According to several studies, insiders, whether malicious or negligent, are responsible for a significant portion of data breaches. A closed network may provide a false sense of security, allowing organisations to overlook the necessity of monitoring internal activities and implementing strong access control policies.
3. Honest Mistakes: Human error is another risk factor that closed networks fail to address. Even the most well-intentioned employee can make mistakes, whether it’s misconfiguring a device, using weak passwords, or failing to apply critical security patches. These mistakes can inadvertently create vulnerabilities in a closed network, which, if exploited, could result in significant downtime or data loss.
The Limitations of Closed Networks for Future Infrastructure
Beyond the immediate risks of poor device security, insider threats, and human error, another reason to question the long-term viability of closed networks is their inherent inflexibility. As technology evolves, organisations are increasingly adopting cloud-based solutions, remote monitoring, and connected devices to enhance operational efficiency. These shifts in infrastructure may require opening parts of the network to outside systems, thereby eroding the “closed” nature of the network over time.
The shift toward more connected infrastructures is inevitable, and organisations that rely on closed networks risk being caught off-guard if they do not plan for this transformation. It’s not just about today’s security risks; it’s about understanding that the network infrastructure of the future will be more open, dynamic, and interconnected. In this context, continuing to rely on outdated security models leaves organisations unprepared for the threats that accompany these changes.
The Role of Threatcasting in Cybersecurity
To anticipate and prepare for future cyber threats, some organisations are adopting the concept of threatcasting, a forward-looking approach that explores potential threats and their implications over time. Threatcasting is more than just forecasting; it’s about imagining the future risk landscape and understanding how the technology being deployed today could be exploited in unforeseen ways.
Threatcasting exercises often reveal risks that are not immediately apparent but could have profound consequences if left unaddressed. For instance, consider a scenario where an organisation deploys IoT devices with weak cybersecurity protections in a closed network. In the future, due to changing operational needs, the organisation might integrate these devices with external systems, inadvertently exposing them to external threats. Without foresight into how network configurations may evolve, organisations can unknowingly create vulnerabilities that cybercriminals could exploit.
A Real-World Example: Stuxnet
One of the most well-known examples of how a closed network can still be vulnerable is the Stuxnet attack. Stuxnet was a sophisticated worm designed to target Iran’s nuclear facilities, specifically their industrial control systems, which operated in a closed network environment. Despite the isolation of these systems, the malware was introduced through infected USB drives, highlighting how insider threats or human error can bypass the closed network perimeter. The attack had significant operational impacts, serving as a cautionary tale for the limitations of relying solely on closed networks for cybersecurity.
Moving Beyond Closed Networks: A Holistic Cybersecurity Approach
In light of the risks discussed above, it’s clear that organisations must move beyond the outdated notion that closed networks are inherently secure. Instead, a more holistic approach to cybersecurity is needed, one that accounts for both external and internal threats, anticipates changes in network infrastructure, and incorporates emerging tools like threatcasting to prepare for future risks.
Here are a few strategies organisations should consider:
Device Security: Ensure that all devices, including IoT and OT, are designed with cybersecurity in mind, and regularly update firmware and software to patch vulnerabilities.
Insider Threat Mitigation: Implement strict access controls, continuously monitor internal activities, and provide ongoing cybersecurity training to employees and contractors.
Human Error Prevention: Develop protocols for securely managing passwords, updating systems, and configuring devices to minimise the potential for mistakes.
Future-Proofing: Acknowledge that network infrastructure will evolve and prepare accordingly by incorporating flexible security measures that can adapt to future changes, such as cloud adoption or remote access.
The age-old argument that closed networks are the best defence against cyberattacks is no longer sufficient in today’s rapidly changing threat landscape. While closed networks may reduce the risk of external attacks, they do not address internal vulnerabilities such as poor device security, insider threats, or human error. As organisations increasingly adopt more connected technologies, the concept of a truly closed network is becoming outdated. Instead, embracing forward-looking approaches like threatcasting and adopting comprehensive cybersecurity strategies can better protect critical infrastructure and prepare for evolving risks.
One such strategy is the zero trust security model, which fundamentally shifts the traditional perimeter-based security paradigm. Under this model, no user or device is inherently trusted, regardless of their location within or outside the organisation’s network. Emphasising the principle of “never trust, always verify,” zero trust requires continuous authentication and authorisation for every access request. By implementing granular access controls, organisations can significantly reduce their attack surface, making it more challenging for cybercriminals to exploit vulnerabilities. Furthermore, zero trust enhances visibility into user activity and device behaviour, enabling quicker detection of anomalies that may indicate a breach. As organisations increasingly adopt cloud services and remote work arrangements, the zero trust model provides a robust framework for safeguarding sensitive data and maintaining compliance, ultimately fostering a more resilient cybersecurity posture.
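The contrast between the perimeter model and zero trust described above, as an added example that is not part of the original article: the perimeter check trusts any address inside the closed network, while the zero trust check ignores network location and verifies token signature, freshness, device posture and a per-resource grant on every request. The network range, key, user and device names and grant table are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Every name and value here is constructed for illustration.
CLOSED_NET = ipaddress.ip_network("10.20.0.0/16")  # the "closed" plant network
SIGNING_KEY = b"demo-key-not-for-production"
# Granular grants: (user, resource) -> actions that user may perform
GRANTS = {("alice", "plc-07"): {"read"}, ("bob", "plc-07"): {"read", "write"}}
# Device posture as an asset inventory might report it
DEVICE_PATCHED = {"eng-laptop-1": True, "hmi-legacy-3": False}
TOKEN_TTL = 300  # seconds; short-lived so identity is re-verified regularly


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, device, now):
    """Bind user, device and issue time together under an HMAC signature."""
    payload = f"{user}|{device}|{int(now)}"
    return f"{payload}|{_sign(payload)}"


def perimeter_decision(src_ip):
    """Closed-network model: anything inside the perimeter is trusted."""
    return ipaddress.ip_address(src_ip) in CLOSED_NET


def zero_trust_decision(token, resource, action, now):
    """Evaluate one request; source IP is deliberately not an input.
    Returns (allowed, reason) so every denial can be logged and reviewed."""
    try:
        user, device, issued, sig = token.split("|")
        issued_at = int(issued)
    except ValueError:
        return False, "malformed token"
    expected = _sign(f"{user}|{device}|{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False, "token expired"
    if not DEVICE_PATCHED.get(device, False):  # unknown devices fail closed
        return False, "device fails posture check"
    if action not in GRANTS.get((user, resource), set()):
        return False, "no grant for action"
    return True, "ok"
```

A request from an unpatched device inside `CLOSED_NET` passes `perimeter_decision` but is denied by `zero_trust_decision`, and the returned reason gives monitoring something concrete to alert on.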
“We know the risk, but it’s okay; we have a closed network.” This outdated mindset places organisations in jeopardy. Relying on closed networks as a justification for using technologies with inadequate security measures is no longer acceptable. Failing to conduct due diligence on the technologies being implemented only exacerbates the risk. If this perspective hasn’t already posed a threat to the business, it is likely to do so in the future. It’s time to recognise that cybersecurity requires a proactive and comprehensive approach, rather than complacency.



