How can countries insulate vital industries from cyber threats?
Critical infrastructure are defined as the assets, core systems, and strategic networks, both physical and digital, that are so essential to a nation that their incapacitation or destruction could have a debilitating impact on either; physical security, continuinty of the economy, interruption to the national public health system, or any combination therein.
For these sectors to rise to the level of Critical Infrastructure they must be so vital [that] it is believed that disrupting their functions would result in a noticeable socio-economic crisis with the potential to undermine the underlying security of a society. If these sectors are compromised the political, strategic, and security consequences are nearly incalculable.
For nations to mitigate and confront the threat to critical information infrastructures they must tactfully balance the needs for prevention, deterrence, identification and discovery of the attack itself, with an effective strategy for response, crisis management, damage control, and eventually a protocol to return to regular operations. This is no small task and demands a comprehensive understanding of the intersection of malicious players and the expanding attack surface to win the battle of critical infrastructure cybersecurity.
What sectors are defined as Critical Infrastructure?
According to the US’s Cybersecurity and Infrastructure Security Agency Critical Infrastructure includes; Chemical, Commercial Facilities, Communication, Critical Manufacturing, Dams Security, Defense Industrial Base, Emergency Services,
Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare/ Public Health, Information Technology, Nuclear Reactors, Materials and Waste, & Water/ Wastewater Treatment.
Critical Infrastructure is already under attack
According to a recent report from Forescout, globally critical infrastructure has become a prime target of hackers of all levels of sophistication.
- In 2014, the “Energetic Bear” virus was found in more than 1,000 energy companies throughout 84 countries.
- In 2016, seven cybercriminals from Iran were accused by the U.S. Department of Justice of successfully penetrating the computers that controlled the operations of a dam in Rye Brook, New York, approximately 25 miles north of New York City.
- In 2017, The ‘WannaCry’ ransomware attack crippled hospitals in the United Kingdom, forcing patient appointments and operations to be canceled.
- In 2018, a distributed denial of service (DDOS) attack crippled the ticketing system of the Danish Railway
- In 2020 Iran tried to hack into Israel’s water system and poison the water supply of 12 million by increasing chlorine levels in water flowing to residential areas.
Unique challenges for critical infrastructure vs other sectors
Critical infrastructure industries face a broad spectrum of cyber challenges which are both unique to individual sectors and carry the added weight of their impact to the national economy and public health and safety.
What unifies these essential industries is often a combination of the necessary strategic planning to ensure basic cyber security and the specialized processes of operational network isolation, dedicated security protocols and a seemingly never-ending bottle neck of mission critical files requiring sanitization.
According to a recent Deloitte report: “Most critical infrastructure protection programs only address physical threats, leaving states vulnerable to cyber threats ranging from service disruption to public safety concerns.”
This segmented approach to security demands a reassessment of the risk mindset if it intends to manage the increasing cyber risks. The reconsideration must integrate a blend of statewide, public-private collaboration to focus on raising awareness and crafting a unified response to cyber threats.
Key Guidelines for Critical Infrastructure
In critical infrastructure there are a number of key process which can dramatically improve cybersecurity. These key guidelines, from better industry regulation to integration of comprehensive data sanitization and clear security protocols and clarify and streamline critical infrastructure defense.
I will highlight some of the most impactful guidelines below:
Regulation and industry Compliance
Industry wide regulations such as the North American Energy Reliability corporation’s Critical Infrastructure Protection standards (NERC CIP) and their resulting fines dictate the pace of compliance. Money speaks, and this is even more true when it comes the heightened financial consequences of non-compliance to industry and state mandated regulations. For many Critical Infrastructure sectors, the balance of complicated legal mandates and new technological solutions can leave gaps, further emphasizing the importance of intervention to mandate a standardized approach to decreasing cyber risk.
Operational network isolation
By insulating vital systems, such as Energy and waste water management from external networks the attack surface has been decrease but system wide updates become more tedious and difficult to apply.
Dedicated protocols and process to perform security operations
While sectors such as retail and basic e-commerce the risk of not having broadly articulated policy of IT governance is deeply problematic, in are often mandated by law and industry monitoring organizations to ensure maximum compliance. Unfortunately, many organizations which leaves assets and organizations vulnerable to attack
Large scale bottle neck of file sanitization
With a plethora of important data points, external media and files requiring integration into isolated networks, critical infrastructure sectors must standardize a comprehensive sanitization process to prevent malware and malicious elements compromising secure networks.
From the inclusion of multiple layers of sandbox-based security solutions, isolation from broader networks, limiting user access to vital and potentially easily compromised servers, and various levels of encryption processes there are no lack of technical solutions to decrease cyber risk.
While each of the 16 sectors of critical infrastructure faces a unique risk environment, the integration of these common security processes as well as SOAR (Security Orchestration, Automation and Response) or SIEM (Security Information and Event Management )system, can provide the strongest technical foundation for cybersecurity in many of these essential industries.
According to Kaspersky’s State of Cybersecurity 2019 “Employee errors or unintentional actions were responsible for 52% of incidents affecting operational technology (OT) and industrial control system (ICS) networks in the past year, a study shows.”
With such a large segment of cyber incidents in critical infrastructure stemming from a lack of employee awareness and understanding of common phishing and ransomware tactics, improving the time allocated to and companywide prioritization of cybersecurity must be one of the first steps to protecting critical infrastructure.
Any process that is applied to decrease cyber risk within the critical infrastructure sectors must be fully compliant with
Reducing the attack surface must go hand in hand with broader system transparency and complement on going security assessments without increasing the time required to process data. Additional security layers cease to provide value if they process of onboarding is too cumbersome or training becomes onerous.
Update and apply patches of all software & technology
Stopping the flow of malware to critical infrastructure cannot be done without the implementation of system updates and patches across the organization including servers, and endpoints.
According to CIO “57% of cyberattack victims report that their breaches could have been prevented by installing an available patch, according to a new ServiceNow study conducted by the Ponemon Institute with 34% of those respondents were already aware of the vulnerability before they were attacked.” While hackers are creating new and ever more toxic malware to let loose on any number of sectors, many are utilizing existing malware kits with dramatic results.
Ensuring Critical infrastructure continuity
While some sectors have taken a proactive approach to cybersecurity, mitigating risks and creating a clear definition of the vulnerable elements which are most susceptible to cyber-attack, the overwhelming majority of critical infrastructure sectors are willfully unprepared for the scale and scope of cyber terrorism impacting their vital systems.
For cybersecurity to become a true foundational element in the long-term defense of critical infrastructure requires the support of private sector organizations as well government legislation to impose harsh penalties for none compliance,or active application of patches and system updates, broad education for employees and system users, the implementation of diversity security tools and clear protocols to comprehensively decrease cyber risk.
An abridged version of this article was previously published on Forbes