Critical infrastructure systems underpin a huge range of services that are vital to life as we know it, from communications and energy supply to healthcare, education and transport.
This makes them an extremely attractive target for bad actors looking for ways in which to inflict damage. Attacks can have political, ideological and financial motivation and have the potential to cause significant disruption to national economies, and the lives of citizens.
Microsoft recently discovered stealthy and targeted malicious activity carried out by Volt Typhoon, a China-based operation with the potential to disrupt critical communications infrastructure between the United States and Asia in the future, with huge impact. The US Colonial Fuel Pipeline attack in 2021 brought the oil delivery system to an almost complete standstill and resulted in a regional emergency declaration for 17 states and Washington D.C. And the stakes can be higher still. A ransomware attack on a hospital in Germany in September 2020 disrupted emergency care, triggering a police investigation into whether the attack caused the death of a patient. Although hackers were found not to be directly responsible, the incident goes to show that these kinds of attacks can be life and death scenarios.
Critical weaknesses
As the digital transformation of all industries expands our digital footprint and the development of smart cities introduces yet more connected systems, from intelligent traffic and waste to lighting management, the vulnerability of critical infrastructure will be all the more keenly felt. Any introduction of web-enabled technologies will create a potential ‘in’ for hackers, while the continued use of legacy systems that were designed before cyber security was even an issue exacerbates their susceptibility, belying how ‘digitally advanced’ these new technologies really are.
Operational complexity, including supply chains, and the large number of stakeholders involved in critical infrastructure systems also increase vulnerability. Different equipment suppliers, software vendors, and third-party contractors can mean that control over third party products and services is often weak. The complexity of the systems can be such that no-one has the holistic and detailed view required, forcing reliance on outsourced services.
Human error is also always a strong possibility. Financial and educational institutions, utility providers and healthcare organisations all employ thousands of workers with access to sensitive systems and information. Without thorough knowledge of cyber security risks and procedures, these employees can accidently open up internal systems to vulnerabilities through the use of weak passwords, or by falling prey to phishing attacks and other security lapses.
Critical protection
In order to protect against cyber attacks it is vital to take a systemic approach and weave cyber security into daily activities. While it’s not possible to protect everything, identifying an organisation’s ‘crown jewels’ in order to prioritise their protection can be an effective strategy. This means understanding what and where the organisation’s key assets are, as well as detaching critical core systems from business systems to do so.
By hardening systems and investing in the human link by involving everyone to create a ‘human firewall’ it is also possible to go some way towards preventing mistakes which lead to vulnerabilities. Implementing a zero trust policy can help, removing inherent trust in the network and ensuring that each request is verified based on an access policy.
It’s also imperative to plan for a cybersecurity budget, and invest in exercises that help leadership and employees alike prepare for cyber security attacks. Thorough planning and preparedness allows cyber attacks to be contained as quickly and effectively as possible. Live exercises are really enlightening for an organisation in terms of their cyber security awareness, and result in a whole set of measures to implement. They can illustrate how the internal network is built up for example, or how easy it is to cause lateral movement which allows a ransomware attack to really get to the heart of the company, and how this can be prevented. They can also be used to plan for who to call in a cyber attack, defining the management’s role, deciding whether or not to inform customers, knowing where to back up and how to backup, or how backups can be used after they have been decrypted, and so on.
Realistic simulation environments for training employees on cyber security best practices, including identifying and responding to cyber threats, can be provided by cyber range technologies. Cyber ranges can also be used to play out cyber attacks on critical infrastructure systems to help identify vulnerabilities and test cyber defenses, as well as facilitating collaboration and coordination between different departments and stakeholders. Being able to document the results of these simulation events also goes a long way towards the compliance required by many national regulators.
Bad actors will always look for weak points to attack and cause problems, incurring data or financial loss, or reputation damage to turn to their advantage if they can. Given the integral importance of critical infrastructure to our economies, energy supply, healthcare and transport systems and much more, the potential for disruption is huge. It is therefore imperative to protect our critical infrastructure by equipping organisations and individuals alike with the cyber security knowledge and training necessary to ensure uninterrupted, safe service.
About the Author
Aare Reintam is COO at CybExer Technologies. CybExer Technologies provides comprehensive cyber security training solutions to increase organizational cyber resilience. Our platform offers a range of advanced cyber security training modules designed to enhance the cyber capabilities of organizations. With our cutting-edge cyber range, organizations can conduct highly realistic live-fire exercises that simulate real-world cyber attacks. This allows cyber security and IT teams to identify and mitigate vulnerabilities, thereby improving their prevention and response strategies.
Featured image: ©Sergey Nivens
