By 2025, 30% of critical infrastructure organisations will experience a security breach that will result in the halting of an operations system or mission-critical cyber-physical system, according to Gartner.
Critical infrastructure security has become a primary concern for governments around the world, with the US, UK, EU, Canada and Australia each identifying sectors deemed ‘critical infrastructure’, for example, communications, transport, energy, water, healthcare and public facilities.
In some countries, critical infrastructure is state-owned, while in others, like the US, private industry owns and operates a much larger portion of it.
“Governments in many countries are now realising their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, Research Director at Gartner. “They are now making moves to mandate more security controls for the systems that underpin these assets.”
A Gartner survey showed that 38% of respondents expected to increase spending on Operational Technology (OT) security by between 5% and 10% in 2021, with another 8% of respondents predicting an increase of above 10%.
However, this may not be enough to counter underinvestment in this area over many years, according to Gartner.
“Besides the need to catch up, there is a growing number of increasingly sophisticated threats,” said Contu. “Owners and operators of critical infrastructure are also struggling to prepare for the coming increased oversight.”
We asked industry experts from Nozomi Networks, Macquarie Government, Panaseer and BeyondTrust to offer their opinions on the subject.
Gary Kinghorn, Senior Director Product Marketing at Nozomi Networks: “A new generation of more sophisticated and well-funded attackers from nation states and large cybercrime affiliate networks view critical infrastructure as more vulnerable than traditional IT networks because of the damage it can inflict on the business, the economy, or even a whole country. Further, ransomware payments for successful attacks against critical sites have climbed into the tens or hundreds of millions of dollars each.
“The vulnerability of critical infrastructure is well known. Its operational networks have traditionally been unreachable – or air-gapped – from IT users and the outside Internet, meaning security is not top of mind within their design. However, the proliferation of Digital Transformation and automated processes mean they can now easily be accessed by remote users and applications directly through Wi-Fi, cellular or local area networks. Many aging legacy environments have technical requirements that make them ill-suited for traditional IT security solutions, such as bandwidth and communication constraints, proprietary protocols and a lack of current research into common system vulnerabilities.
“Industrial Internet of Things (IIoT) devices are playing a larger role in critical infrastructure, including surveillance cameras and process sensors which run low-power, low-cost operating systems without the security posture and features of IT laptops and servers. And with potentially devastating consequences for bringing down a critical infrastructure provider, the geopolitical or monetary benefits to a potential attacker provide a strong motive.
“But governments worldwide are starting to act. In the US, funds are being allocated – along with guidelines and mandates – to shore up the nation’s cyberdefences in critical industries, starting with the utility and oil and gas sectors. Globally, law enforcement organisations like Interpol, Europol and the FBI are collaborating to take down massive international ransomware gangs, seize funds and recover data. But how can critical infrastructure providers best respond to mitigate potential future damage?
“Nozomi Networks Labs’ semi-annual report on the state of critical infrastructure cybersecurity covers emerging attack trends and remediation tactics from the second half of 2021. Recommendations include deploying network segmentation as a way to contain the spread of malware, and a Zero Trust network philosophy to limit malicious activity in a more connected world. Organisations should also look to reduce the available attack surface by removing known vulnerabilities, seldom-used services and applications, and reducing the number of credentialed users that can access systems.
“Finally, improving network reconnaissance and monitoring with an understanding of normal process activity can help quickly identify potential threats and correlate anomalies to more efficiently prioritise alerts and remediation efforts. A multi-pronged approach to cybersecurity, including knowing devices on your network, what versions of software and third-party libraries they are running with known vulnerabilities, and who or what they are communicating with, is vital to staying ahead of emerging threats in 2022 and beyond. This is the year to not get left behind.”
Aidan Tudehope, Managing Director for Macquarie Government: “Australia’s critical infrastructure is the reason we have food on our tables, light in our homes and healthcare in our hospitals. The fact that we have seen hospitals, energy companies and food processing organisations fall victim to devastating cyberattacks over the past year demonstrates the urgent need to protect these vital pillars of our society and economy.”
“Imagine if the cyberattack launched against JBS Foods – which took the meat processor’s systems in Australia and the US offline for days and threatened to delay supplies and increase meat prices – was replicated against a major supermarket chain today? With our supply chains already stretched due to worker shortages as a result of the Omicron variant, the additional damage inflicted as the result of a cyberattack could lead to major crises affecting public health and social cohesion.
“For this reason, Macquarie Telecom Group sees the merits of the Australian Government’s amendments to the Security of Critical Infrastructure Act 2018 (SOCI). The expanded definition of ‘critical infrastructure’ (CI) and the new legal requirements for CI organisations around physical, cyber and supply chain security, are a vital step towards ensuring our future national resilience.
“Unfortunately, the SOCI amendments don’t go far enough. A big gap in the amendments exists where they do not extend to third parties that store and maintain ‘critical business data’ outside Australia, putting that data beyond Australia’s jurisdictional control and protection.
“This legislative loophole could even act as a perverse incentive for CI organisations to move their critical data storage, and/or the suppliers they use to store and maintain that data, offshore to avoid compliance with the legislation and the associated costs.
“CI providers, which rely on critical data to operate, can reduce the risk of intentional and unintentional security threats by having their data stored, transmitted and processed onshore in Australia, where they can rely on legislative regimes that are designed to help protect their data.
“The Australian Cyber Security Centre (ACSC) has thrown its support behind this option, encouraging organisations ‘to either choose a locally owned [IT services] vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders’.
“While storing and securing data onshore is no panacea against cyberattacks, it does ensure the information, supply chains and physical storage locations are easily accessible and subject to local laws. When a rapid response is required – for instance, in the event of a cyberattack – organisations are much more likely to quell the issue before it escalates if information is situated locally, and they don’t have to wait on the expertise of support staff located in a different time zone.
“To successfully emerge from the pandemic, ready and prepared to face future challenges, we need to ensure our most vital data assets are fully protected, just as we are doing with our critical physical assets. The highest levels of sovereign protection for critical data is the only way CI organisations can have full confidence in the controls and protections available to meet the cyberattacks of the future.”
Nik Whitfield, Chairman, Panaseer: “In 2022, we rely on critical infrastructure more than ever. As national and global services are adopted, we increasingly rely on those services to operate our daily lives.
“So, protecting critical national infrastructure, and I would argue critical global infrastructure, is a concern if we want to continue living in a joined-up, digitally enabled world. So how at risk is this infrastructure? Risk is typically defined as the negative impact x likelihood of impact. The fact it’s described as ‘critical’ gives us the clue as to the possible impact of an outage. The likelihood is more complex. Yes, we’ve seen infrastructure attacks, both by foreign nation states and by organised crime. But there seem to be relatively few cases when compared to the thousands of successful attacks on commercial organisations.
“Is it because critical national infrastructure is much better protected than commercial organisations? I’d argue there’s a wide range, from the most protected to the least, and certainly when defending decades of legacy technology, some operations are handicapped in attempting to win a ‘best-protected’ prize.
“Ransomware is great for extorting cash, however, when it’s critical infrastructure, the host national government may get involved and that’s an unfair fight. When an attacker is after cash, picking on CNI makes their RoI less appealing.
“So, the organisations most likely to attack CNI are those belonging to, or at the command of, foreign nation states. So why don’t we see more? My personal view is that every nation with a military and intelligence service is obliged to create attack plans for any potential adversary. The work will be done to constantly reconnoitre, probe and create blueprints for attacks. But, fortunately, in most cases, nations aren’t publicly at war despite rowdy headlines and sabre rattling. So those plans are kept at the ready, until the environment is such that it’s politically acceptable and strategically valuable to use them. Proportionality counts – if, in peacetime, I switch off your electricity grid, is that an act of war? When does a cyberattack warrant a military response? What can I get away with? How much provocation is acceptable?
“I suspect CNI attacks are still at a relatively low level due to the less favourable RoI for criminal attackers, and a not-quite-hostile-enough political climate for state actors. But I expect that might change in a hurry, and at scale, if and when there is more heated conflict between state actors. Things look like they’re hotting up in the Ukraine so we may see this sooner rather than later.”
Morey Haber, Chief Security Officer, BeyondTrust: “A true cyberwar that includes the exploitation of critical infrastructure could be nearly as devastating as conventional bombs and weapons to infrastructure and human lives. Nations of the world have the technical means to commit to a cyberwar without even firing a single munition.
“The results could be equally as devastating even if their physical military (adversary) would be no match for the target nation since these weapons are electronic, low-cost and intellectual in nature.
“Most US industries are already under regulatory pressure to modernize and safeguard their IT security systems to provide some layer of defense. And, recent presidential executive orders are designed to push modernization and security along to adapt to these modern threats.
“We will never be able to stop 100% of attacks but how we respond or limit their success will be crucial in our ability to survive an attack against critical infrastructure. Therefore, consider these recommendations to protect critical infrastructure from a cyberattack:
- Discover all managed and unmanaged assets across your interconnected corporate and ICS infrastructure across all zones and levels.
- Automatically discover inventory privileged accounts used internally by employees and contractors and externally by all third-party vendors.
- Provide central control by securely storing all credentials and SSH keys in a secure database that is hardened, encrypted and strictly monitored for access.
- Reduce the risk of lost or stolen vendor credentials by systematically rotating passwords for all managed systems based on time and employee retention.
- Implement secure vendor enclaves to isolate industrial control systems and vendor devices to reduce the risks of malware and attack. Consider using Zero Trust architectures for these environments.
- Verify that no default passwords exist on any managed system or device. Full stop!
- Manage all managed devices automatically and store a unique password per each device. Passwords should never be reused.
- Automatically rotate each device’s password based on age, after each remote vendor session, or an identified risk.
- Provide a complete workflow for device access, including an approval process for when a remote vendor or employee access is required.
- Record all or select remote sessions with playback to document and review what occurs when a device is accessed and approve appropriate behavior.
- Provide detailed reporting of all privileged credentials used regardless of location.
“History has shown us how these attacks could occur and best practices from information security have allowed us to build a resilient strategy for protecting critical infrastructure. Based on recent geopolitical changes, we should all be concerned and take precautions now.”
Click below to share this article