By 2025, 30% of critical infrastructure organisations will experience a security breach that will result in the halting of an operations system or mission-critical cyber-physical system, according to Gartner.
Critical infrastructure security has become a primary concern for governments around the world, with the US, UK, EU, Canada and Australia each identifying sectors deemed ‘critical infrastructure’, for example, communications, transport, energy, water, healthcare and public facilities.
In some countries, critical infrastructure is state-owned, while in others, like the US, private industry owns and operates a much larger portion of it.
“Governments in many countries are now realising their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, Research Director at Gartner. “They are now making moves to mandate more security controls for the systems that underpin these assets.”
A Gartner survey showed that 38% of respondents expected to increase spending on Operational Technology (OT) security by between 5% and 10% in 2021, with another 8% of respondents predicting an increase of above 10%.
However, this may not be enough to counter underinvestment in this area over many years, according to Gartner.
“Besides the need to catch up, there is a growing number of increasingly sophisticated threats,” said Contu. “Owners and operators of critical infrastructure are also struggling to prepare for the coming increased oversight.”
We asked three industry experts from Nozomi Networks, Macquarie Government and Panaseer to offer their opinions on the subject.
Gary Kinghorn, Senior Director Product Marketing at Nozomi Networks: “A new generation of more sophisticated and well-funded attackers from nation states and large cybercrime affiliate networks view critical infrastructure as more vulnerable than traditional IT networks because of the damage it can inflict on the business, the economy, or even a whole country. Further, ransomware payments for successful attacks against critical sites have climbed into the tens or hundreds of millions of dollars each.
“The vulnerability of critical infrastructure is well known. Its operational networks have traditionally been unreachable – or air-gapped – from IT users and the outside Internet, meaning security is not top of mind within their design. However, the proliferation of Digital Transformation and automated processes mean they can now easily be accessed by remote users and applications directly through Wi-Fi, cellular or local area networks. Many aging legacy environments have technical requirements that make them ill-suited for traditional IT security solutions, such as bandwidth and communication constraints, proprietary protocols and a lack of current research into common system vulnerabilities.
“Industrial Internet of Things (IIoT) devices are playing a larger role in critical infrastructure, including surveillance cameras and process sensors which run low-power, low-cost operating systems without the security posture and features of IT laptops and servers. And with potentially devastating consequences for bringing down a critical infrastructure provider, the geopolitical or monetary benefits to a potential attacker provide a strong motive.
“But governments worldwide are starting to act. In the US, funds are being allocated – along with guidelines and mandates – to shore up the nation’s cyberdefences in critical industries, starting with the utility and oil and gas sectors. Globally, law enforcement organisations like Interpol, Europol and the FBI are collaborating to take down massive international ransomware gangs, seize funds and recover data. But how can critical infrastructure providers best respond to mitigate potential future damage?
“Nozomi Networks Labs’ semi-annual report on the state of critical infrastructure cybersecurity covers emerging attack trends and remediation tactics from the second half of 2021. Recommendations include deploying network segmentation as a way to contain the spread of malware, and a Zero Trust network philosophy to limit malicious activity in a more connected world. Organisations should also look to reduce the available attack surface by removing known vulnerabilities, seldom-used services and applications, and reducing the number of credentialed users that can access systems.
“Finally, improving network reconnaissance and monitoring with an understanding of normal process activity can help quickly identify potential threats and correlate anomalies to more efficiently prioritise alerts and remediation efforts. A multi-pronged approach to cybersecurity, including knowing devices on your network, what versions of software and third-party libraries they are running with known vulnerabilities, and who or what they are communicating with, is vital to staying ahead of emerging threats in 2022 and beyond. This is the year to not get left behind.”
Aidan Tudehope, Managing Director for Macquarie Government: “Australia’s critical infrastructure is the reason we have food on our tables, light in our homes and healthcare in our hospitals. The fact that we have seen hospitals, energy companies and food processing organisations fall victim to devastating cyberattacks over the past year demonstrates the urgent need to protect these vital pillars of our society and economy.”
“Imagine if the cyberattack launched against JBS Foods – which took the meat processor’s systems in Australia and the US offline for days and threatened to delay supplies and increase meat prices – was replicated against a major supermarket chain today? With our supply chains already stretched due to worker shortages as a result of the Omicron variant, the additional damage inflicted as the result of a cyberattack could lead to major crises affecting public health and social cohesion.
“For this reason, Macquarie Telecom Group sees the merits of the Australian Government’s amendments to the Security of Critical Infrastructure Act 2018 (SOCI). The expanded definition of ‘critical infrastructure’ (CI) and the new legal requirements for CI organisations around physical, cyber and supply chain security, are a vital step towards ensuring our future national resilience.
“Unfortunately, the SOCI amendments don’t go far enough. A big gap in the amendments exists where they do not extend to third parties that store and maintain ‘critical business data’ outside Australia, putting that data beyond Australia’s jurisdictional control and protection.
“This legislative loophole could even act as a perverse incentive for CI organisations to move their critical data storage, and/or the suppliers they use to store and maintain that data, offshore to avoid compliance with the legislation and the associated costs.
“CI providers, which rely on critical data to operate, can reduce the risk of intentional and unintentional security threats by having their data stored, transmitted and processed onshore in Australia, where they can rely on legislative regimes that are designed to help protect their data.
“The Australian Cyber Security Centre (ACSC) has thrown its support behind this option, encouraging organisations ‘to either choose a locally owned [IT services] vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders’.
“While storing and securing data onshore is no panacea against cyberattacks, it does ensure the information, supply chains and physical storage locations are easily accessible and subject to local laws. When a rapid response is required – for instance, in the event of a cyberattack – organisations are much more likely to quell the issue before it escalates if information is situated locally, and they don’t have to wait on the expertise of support staff located in a different time zone.
“To successfully emerge from the pandemic, ready and prepared to face future challenges, we need to ensure our most vital data assets are fully protected, just as we are doing with our critical physical assets. The highest levels of sovereign protection for critical data is the only way CI organisations can have full confidence in the controls and protections available to meet the cyberattacks of the future.”
Nik Whitfield, Chairman, Panaseer: “In 2022, we rely on critical infrastructure more than ever. As national and global services are adopted, we increasingly rely on those services to operate our daily lives.
“So, protecting critical national infrastructure, and I would argue critical global infrastructure, is a concern if we want to continue living in a joined-up, digitally enabled world. So how at risk is this infrastructure? Risk is typically defined as the negative impact x likelihood of impact. The fact it’s described as ‘critical’ gives us the clue as to the possible impact of an outage. The likelihood is more complex. Yes, we’ve seen infrastructure attacks, both by foreign nation states and by organised crime. But there seem to be relatively few cases when compared to the thousands of successful attacks on commercial organisations.
“Is it because critical national infrastructure is much better protected than commercial organisations? I’d argue there’s a wide range, from the most protected to the least, and certainly when defending decades of legacy technology, some operations are handicapped in attempting to win a ‘best-protected’ prize.
“Ransomware is great for extorting cash, however, when it’s critical infrastructure, the host national government may get involved and that’s an unfair fight. When an attacker is after cash, picking on CNI makes their RoI less appealing.
“So, the organisations most likely to attack CNI are those belonging to, or at the command of, foreign nation states. So why don’t we see more? My personal view is that every nation with a military and intelligence service is obliged to create attack plans for any potential adversary. The work will be done to constantly reconnoitre, probe and create blueprints for attacks. But, fortunately, in most cases, nations aren’t publicly at war despite rowdy headlines and sabre rattling. So those plans are kept at the ready, until the environment is such that it’s politically acceptable and strategically valuable to use them. Proportionality counts – if, in peacetime, I switch off your electricity grid, is that an act of war? When does a cyberattack warrant a military response? What can I get away with? How much provocation is acceptable?
“I suspect CNI attacks are still at a relatively low level due to the less favourable RoI for criminal attackers, and a not-quite-hostile-enough political climate for state actors. But I expect that might change in a hurry, and at scale, if and when there is more heated conflict between state actors. Things look like they’re hotting up in the Ukraine so we may see this sooner rather than later.”