We can’t be complacent about cybersecurity threats to critical national infrastructure, and every organisation has a role to play in protecting it, writes Jake Holloway, chief product officer at Crossword Cybersecurity.
The Russian invasion of Ukraine began in cyberspace.
According to UK intelligence services, Russia was almost certainly responsible for an attack on a Ukrainian communications provider an hour before the invasion, and cyber-attacks have continued since.
A chilling reminder of the damage a determined state actor can cause
These attacks, and others going back as far as 2017, attributed to Russia by the CIA, have shut down airports, banks, government ministries and even radiation monitoring at the Chernobyl nuclear power plant. They are a chilling reminder of the damage a determined state actor can cause to critical national infrastructure.
Major services such as power generation, telecoms, payments, water supply, public health systems and less obvious ones like traffic lights or petrol pumps are vital to keep a modern country running.
They rely on complex and often rather old systems, and because there are so many of them, there is an asymmetry when defending such services from cyber-attack. We have a lot to protect against highly motivated adversaries.
Are we doing enough to fend off attacks – and what else could we be doing?
This is a regular topic for discussion at Crossword, and came up recently in conversation with Professor Raj Muttukrishnan, director of the Institute for Cyber Security at London’s City University, and Professor Tim Watson, director of the Cyber Security Centre at WMG, University of Warwick, as we drafted our recent report, “Strategy and collaboration – a better way forward for effective cybersecurity”.
Trapped in fire-fighting mode
Of the many reasons to be concerned, here are three that chimed with our survey findings.
First, as Prof Muttukrishnan says, even where systems are well-built, “problems come with inexperienced employees, who might misconfigure a new product and create a vulnerability.”
Cybersecurity professionals are over-stretched
In our survey of more than 200 senior cybersecurity professionals, we found an industry that is over-stretched, making it more likely that mistakes will happen. Rather than being able to plan for potential threats, the professionals we spoke to were trapped in fire-fighting mode, constantly responding to the latest crisis.
Second, critical national infrastructure often relies on legacy systems, some of which date back to the 1970s. These might run on an obsolete programming language or use hardware which is difficult to repair or replace.
As a result, it is becoming harder, and more expensive, to find people with the expertise to work on these systems. For example, many COBOL software developers are now reaching retirement age and the programming language is not widely used enough for younger developers to learn it. In addition, these systems were not designed to connect to new online systems and are now being exposed to new threats. Finding – and fixing – vulnerabilities in these older systems will be increasingly difficult.
But a third question is whether those who manage the systems have the incentive to fix them at all. Many systems, such as those used in power generation, are in the hands of private companies. In many companies, risk management still lacks the priority it deserves and cybersecurity teams have to constantly lobby for the budget and tools that are too often seen as an avoidable cost providing no financial return.
Professor Tim Watson adds: “They answer to shareholders, and they might not see it as financially worthwhile to go beyond the minimum where cybersecurity is concerned.”
Keeping critical national infrastructure secure
Despite these vulnerabilities, it is possible to defend critical national infrastructure against attack.
Russia, with all its resources, has caused online disruption in Ukraine but hasn’t brought the country’s IT infrastructure to a standstill. That is partly because Ukraine, with the support of Western cybersecurity firms, is quickly identifying vulnerabilities and rolling out upgrades to fix them.
This is one advantage that defenders have over attackers.
As Prof Watson says: “An attacker might need to hold on to a vulnerability for a long time and, at any moment, it can be fixed with an update; sometimes an update intended to fix something else closes the vulnerability by chance. Updates happen all the time, so there’s no guarantee that an attacker has a working vulnerability to hand.”
Smart security experts are constantly working to make systems more resilient, so that even if attackers can get in, there is very little they can do once there.
Prof Muttukrishnan comments: “The future is self-healing systems that can detect unusual behaviour as soon as it occurs and take action to prevent it from becoming an incident – all without involving a person.”
Giving ourselves every advantage
The picture is challenging and we should not be complacent. With this in mind, there are three key steps that every organisation can – and should – take to give ourselves every advantage.
First, we must constantly review our defensive systems and understand how they can be improved, particularly through the use of automation. Cybersecurity teams are confronted with massive amounts of data. Sifting through it is a challenge, so we need threat monitoring systems, such as the one Prof Muttukrishnan describes, that can take on more of the load. That would also lower the cost of response, which might make private companies more likely to invest in keeping their systems as secure as possible.
We also need a new mindset and approach to cybersecurity generally to take into account the scale of the threat. This must be mandated from the top and encompass not only the entire organisation but also each company’s complete supply chain with its associated third parties. This should include training, processes and policies for employees and suppliers that focus on reducing cyber risk.
Finally, we must be creative about ensuring we have people with the right skills to investigate and deal with potential threats, as well as managing and patching systems to keep them secure. We could expand the pool of potential employees by lowering the barriers to entry into cybersecurity. Many recruiters expect candidates to be educated to degree level, but there is no reason why some cybersecurity positions shouldn’t be available to school leavers who can gain experience on the job and work their way into more senior roles.
To succeed, an organisation’s overall aim must be to ensure that cybersecurity professionals are no longer trapped in fire-fighting mode. They need to be prepared and, if an attack comes, we need them to be alert and ready to react.
Written by Jake Holloway, chief product officer at Crossword Cybersecurity