Patrick Kennedy, Security Evangelist at Claroty, discusses how to protect critical national infrastructure in the digital age
In the last few years, owners of critical national infrastructure (CNI) have accelerated digital transformation initiatives to keep up with the country’s growing demand for energy, transportation, and water services. Many providers have recognised that automating operational processes is essential to gaining the level of efficiency and reliability they will need in the coming decades. As any security professional is aware, however, with increased connectedness comes increased cyber risk, which must be managed proactively.
Managing cyber risk to a connected infrastructure
For all of the benefits digital transformation can deliver, and there are many, a connected infrastructure also carries risks that CNI operators may not be well equipped to address. While all enterprises must treat cyber threats as a risk of doing business and put protections in place to manage that risk, those involved in CNI must consider the risk more broadly. Because CNI operators are responsible for delivering essential public services, any interruption of those services can have a far-reaching impact on the population.
In data-oriented sectors such as retail or finance, a severe security incident can impair the company’s ability to process information and conduct business; it may put personal information or trade secrets at risk; and it can cause lasting reputational damage. A successful cyberattack on CNI such as a power grid, on the other hand, could lead to nationwide disruption and potentially put lives at risk.
The potential impact also makes CNI a prime target for malicious nation-state activity. A successful cyber strike against critical infrastructure has become a less dangerous alternative to the use of military force and sends a powerful message to both the targeted state and the international community.
Most of us recall the incidents of December 2015 and December 2016 in which Ukraine suffered major cyber attacks on its power infrastructure. In 2015, the information systems governing three energy distribution companies were hit with a multi-pronged attack that included the powerful specialised malware BlackEnergy. The incident left an estimated 225,000 Ukrainians without access to power for several hours. The country was hit again almost on the anniversary of the first attack, with the second strike leaving more than a fifth of Kiev without power for close to an hour.
Given the conflict between Ukraine and Russia at the time, both attacks have been attributed to the Russian advanced persistent threat (APT) group known as Sandworm.
Balancing risk and opportunity
While cyber attacks present a very clear threat to CNI, digitalisation does present the industry with several impressive benefits, on both a national and a global scale. Embracing a more interconnected infrastructure, which combines advanced computing with industrial automation, can increase both productivity and output. It also makes it possible to use powerful strategies such as predictive and remote maintenance, making it easier to identify and resolve issues early, before they have a chance to deteriorate and become more serious.
As a result, many organisations working in CNI have sought to harness the benefits of interconnectivity without significantly increasing their exposure to cyber risk.
This challenge is exacerbated by the fact that much of the world’s infrastructure was never designed to be defended against cyber attacks, relying instead on a highly secured environment to keep it safe from intrusion. It also tends to be difficult to gain a coherent, unified view across different systems, as they will often be running a wide variety of old and obscure protocols that were not designed to work together. This means that it is often far too easy for cyber attackers to exploit security vulnerabilities while remaining undetected.
Visibility is the answer
One of the most drastic solutions to be proposed has been to “go retro”, moving some systems away from digitalisation entirely. In June of this year, the US Senate passed the Securing Energy Infrastructure Act (SEIA) to study ways of replacing automated systems with low-tech redundancies to protect the country’s electric grid from hackers.
No one is suggesting that stepping back from digitalisation completely is a realistic solution; the benefits are too great. There may be certain, very specific CNI processes in which any risk of compromise is too high, and special measures must be taken to protect them. But across the broader CNI landscape, the priority must instead be to close the visibility gap that allows cyber aggressors to prepare and carry out complex attacks without being detected.
Because a significant amount of CNI is governed by the private sector, it falls to those organisations to equip themselves with the visibility into their own networks that is required to discover and mitigate cyber attacks.