Protecting Critical Infrastructure
Five industry experts weigh in on this month’s big question: “How would you improve protection of critical infrastructure from cyber-attacks?”
Isolate critical areas
One of the most regularly proven methods of protecting national infrastructure is to isolate critical data and operations of the network. In 2017, a global shipping company, responsible for 76 ports and vessels representing close to a fifth of the entire world’s shipping capacity, came under a debilitating ransomware attack that caused significant financial and reputational damage for the business and logistical problems around the world.
Although a cyber resilience strategy had been in place, IT staffers tasked with rebuilding the shipping giant’s network had one seemingly insurmountable problem. Although they had backups of almost all of their individual servers, they could not locate their domain controllers — the map that governs the rules that determine which users have access to which systems. Mercifully, a lone surviving domain controller in Ghana was eventually found. Days before the ransomware attack, a blackout had knocked this solitary data centre offline, and it remained disconnected from the network until days afterwards. By complete accident, the only known copy of the business’ domain controller had been ‘air-gapped’, allowing IT to bring the shipping giant’s core services back online.
The organisation had in effect air-gapped a copy of its most important data — a lifeline that allowed them to begin the difficult process of recovery.
More sophisticated technology solutions have since entered the market that create an offline, air-gapped copy of data, storing valuable business data sets in a vault. This vault is physically and logically isolated from the production network, leaving it virtually impossible to penetrate or attack. Engaging in measures such as data-vaulting is not a fatalistic approach to cybersecurity. In the wake of a targeted, sophisticated cyberattack, air-gapping critical infrastructure ensures that the data most critical to resuming operations — such as high street banking, public food and energy supply — remains available while full recovery procedures are carried out.
In our latest GDPI survey, we found 89% of UK IT decision makers were concerned existing data protection solutions wouldn’t meet all future business challenges. A further 72% lacked confidence that business-critical data could be recovered in the event of a destructive cyber-attack or data loss. With threats from cyber criminals increasing in number and sophistication, these statistics are concerning, especially when we consider that the technology both exists and is in operation safeguarding national infrastructure around the world.
Last year, the UK’s National Cyber Security Centre issued a warning about attacks on millions of routers, firewalls and devices used by infrastructure operators and government departments. Despite this, many businesses continue to view investing in proactive, reactive and failsafe cybersecurity measures as a ‘sunk cost’, rather than a strategic investment. The ramifications of cyberattacks on national infrastructure go far beyond the usual reputational and financial damage felt by non-essential businesses. National infrastructure providers should implement air-gapped data vaults as one measure in a wider arsenal so that if a catastrophic incident occurs they can keep cash in people’s hands, keep their fridges stocked and keep the lights on.
Define and act on vulnerabilities
Thwarting cyber-attacks against critical national infrastructure (CNI) should be seen as a crucial national and international issue. The events of the past 18 months, during which healthcare services have been stretched to near breaking point, have only made the situation more overt. The ransomware attack suffered by the Irish Healthcare Service in May was serious enough to interrupt operations and appointments, showing that cybersecurity risk can literally have a life or death impact. This was also a stark reminder that, even during a global health crisis, healthcare remains in the crosshairs, with key facilities worldwide being constantly probed by cybercriminals for weaknesses.
This year, we also witnessed an attack against Oldsmar’s water supply in the US, which was widely seen as precisely the kind of assault on CNI that cybersecurity experts have been fearing for years. It is frightening to think what might have happened had it not been for the vigilance of one of the plant’s operators. Fortunately, the incident went down as yet another near miss, but it is clear that CNI will remain a key target for hackers — inaction can no longer be tolerated.
Unfortunately, a significant number of CNI organisations are still running on out-of-date and vulnerable IT systems. For those still running obsolete technology, it is a case of when, not if, cybercriminals will exploit the weaknesses in their systems. In order to improve protection of CNI from cyber-attacks, organisations must prioritise patching their systems and addressing vulnerabilities.
In today’s highly volatile and increasingly sophisticated cyber landscape, organisations also need to understand the nature of the evolving threat. Crucial to this is ensuring that the employees responsible for operating and managing CNI are aware of the threat. Implementing simple measures, such as avoiding opening attachments or clicking on links unless they are from a legitimate source, can go a long way towards reducing the risk of potential breaches of CNI security.
Finally, on a larger scale, organisations must take responsibility for securing the CNI itself, ensuring that a layered approach to cybersecurity is in place. Security teams within CNI organisations must focus on installing the most appropriate technology to manage the risk that they face, supplemented by investment in both people and process.
Through these measures and the right combination of safeguards, we will observe a shift in the security of CNI, and reduce the risk of a calamitous cyber breach in the future.
There’s no silver bullet
With the scope and sophistication of attacks increasing all the time, it’s unlikely that anyone can prevent all attacks on infrastructure. But with the right tools, policies, and procedures in place, an organisation can ensure that any attacks it does experience aren’t crippling and that infrastructure can be rapidly returned to service when attacks do happen.
The best hope of preventing and mitigating cyber attacks on critical infrastructure relies on a mix of the right technology, employee education and communication. While the right use of technology can go some way to preventing breaches, it’s important to remember that the technology used by cybercriminals is advancing all the time too.
Many infrastructure attacks begin with phishing attempts and email is the most popular channel for these to be delivered. With cybercriminals increasingly capable of spoofing both internal and external communications, it’s imperative that organisations in the infrastructure space remind employees and customers of what they’ll never ask them to do via email or any other form of communication. Additionally, organisations should emphasise that employees be doubly cautious of any email that asks them to click a link, open an attachment, or verify their details.
It’s also important that organisations make it clear how and where to report suspicious emails. The faster an organisation’s security team is alerted, the more quickly it can respond and intervene to warn employees and shut down spoofed websites.
This kind of education shouldn’t just be policy at the organisational level, but should be baked into cybersecurity prevention and mitigation efforts. To avoid simple errors that could lead to attacks and data theft, organisations should also make it a habit to deploy regular security audits to identify vulnerabilities and other suspicious behaviour, allowing them to ensure sensitive data is routinely being backed up.
Finally, given that half of European infrastructure attacks in 2020 were ransomware-based, the importance of backing up cannot be overstated. Your backup provider should be able to address the unique needs of laws such as GDPR and any others that impact the jurisdiction you operate in. This includes, but is not limited to, its choice of data centre, data encryption, at-rest and in-transit rules, and the ability to purge backups. Additionally, adopting a backup provider shouldn’t impact on your organisation’s ability to do business.
The solution you choose should therefore offer simplified employee on-boarding and off-boarding with bulk activation, automated addition and deletion of users, and backup of inactive accounts. Additionally, it should offer an out-of-the-box setup with zero adoption effort, no matter what SaaS platform you use.
A 360 view is essential
Just because an incident hasn’t happened within a nation’s critical infrastructure environment, doesn’t mean that it won’t happen in the future or that you can postpone or underfund cybersecurity activities. While I wouldn’t say we’re facing any sort of “Cyber Pearl Harbor,” I do believe organisations operating both IT and, particularly, OT systems need to put a conscious effort into securing these systems — not only from a security standpoint, but also in terms of quality, safety, and reliability.
Although OT industries face a similar set of problems as traditional IT, the overall application of security programs and technologies is quite different in OT, and there is even more differentiation based on the characteristics of each vertical. That said, there are best practices in key areas, both technical and organisational, that can help mitigate risk to infrastructure environments.
An organisation is at a substantial disadvantage if it doesn’t take the time to inventory its systems and assess the security posture for a given environment. It is nearly impossible to secure an environment if you’re unaware of what is in it, how everything is connected, what data it uses (or generates), and how it affects your bottom line.
And then there’s patch management. One of the prevailing issues in operational technology (OT) networks is the lack of technical solutions and organisational practices for patching. This is particularly relevant if the application sits on a commercial OS, as most do. Developing and maintaining a strong patch management strategy is one of the most effective activities an organisation can undertake. It’s also a daunting undertaking.
We must also consider network segmentation. Many OT systems are deployed in a flat network topology or without any segmentation between systems that should not be able to interact. There are two reasons for this: the first is a misunderstanding about which systems need to communicate with one another, and the second is the deployment of systems from multiple vendors or integrators over time. After assessing the network topology and data flows, you will need to develop network segmentation policies, which are similar to the language of various industry standards describing zones and conduits for controlling access. The goal of these policies is to mitigate the damage potential of breaches or issues related to anomalous network traffic.
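To make the zones-and-conduits idea concrete, here is an added example (not from the article or any of its contributors) that checks observed network flows against an asset inventory and a conduit allowlist, treating an un-inventoried asset as a finding in its own right; the zone names, addresses, ports and flows are all constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed inventory: asset address -> zone (zone names are assumed).
INVENTORY = {
    "10.0.1.10": "enterprise",  # ERP client
    "10.0.2.20": "dmz",         # historian replica
    "10.0.3.30": "control",     # SCADA server
    "10.0.3.31": "control",     # engineering workstation
    "10.0.4.40": "field",       # PLC
}

# Constructed conduit policy: (src_zone, dst_zone) -> allowed (proto, port).
# Anything not listed is denied; traffic inside one zone is allowed.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"): {("tcp", 102)},
    ("control", "field"): {("tcp", 502)},  # Modbus/TCP from SCADA to PLC
}

def classify(flow):
    """Return (status, reason); status is allowed, unknown-asset or violation."""
    src_zone, dst_zone = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # An un-inventoried asset is itself a finding: the inventory is incomplete.
        return "unknown-asset", f"{flow.src}->{flow.dst} involves an asset not in the inventory"
    if src_zone == dst_zone:
        return "allowed", f"intra-zone {src_zone}"
    if (flow.proto, flow.port) in CONDUITS.get((src_zone, dst_zone), set()):
        return "allowed", f"conduit {src_zone}->{dst_zone}"
    return "violation", f"no conduit permits {flow.proto}/{flow.port} from {src_zone} to {dst_zone}"

def audit(flows):
    """Return the flows that are not explicitly allowed, with status and reason."""
    return [(f, *classify(f)) for f in flows if classify(f)[0] != "allowed"]

# Constructed observed flows, as they might be exported from a capture.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 443, "tcp"),   # allowed via conduit
    Flow("10.0.3.30", "10.0.4.40", 502, "tcp"),   # allowed via conduit
    Flow("10.0.1.10", "10.0.4.40", 502, "tcp"),   # enterprise host reaching a PLC
    Flow("10.0.9.99", "10.0.3.31", 3389, "tcp"),  # un-inventoried host
]

if __name__ == "__main__":
    for f, status, reason in audit(SAMPLE_FLOWS):
        print(status, reason)
```

Conduits are directional, so a reply path that the policy does not list (for example field to control) is reported as a violation and must be added deliberately rather than assumed.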
One ever-growing concern involves the supply chain. In many OT environments, vendors maintain an aspect of control over the technical implementation of the solutions they provide through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.
Multi-layer approach is key
The grim reality of cyber-attacks should be well known, with frequent headlines about businesses locked out of their systems, having valuable customer data stolen and leaked, or suffering serious losses through invoice fraud. That has not stopped a stubborn and significant minority of businesses from adopting an ostrich strategy, sticking their heads in the sand and hoping the multiple threats will pass them by.
Cyber risk is now one of the key existential threats to business, and the slow take-up of cyber protections is increasingly mystifying. Casting a long shadow across this already very mixed picture is the last year of lockdowns, office, shop and factory closures, and working from home.
In terms of frequency, the main risks remain ransomware and business email compromise. However, the scale and sophistication of higher end attacks is increasing with incidents like SolarWinds, Accellion, and Microsoft Exchange. Incidents such as the Blackbaud hack also show that cloud-based providers can be vulnerable despite assurances to the contrary.
In insurance, we deal every day with data from clients’ driving licences, passports and utility bills, often sitting in our systems alongside bank details, making us ready-made identity packages. So, a multi-layered approach to cyber protections is highly recommended. The combination of a series of barriers to cyber-crime is far more effective than any one part on its own, however strong and up to date.
Examples include firewalls and anti-virus to stop intrusions; detection software to alert the business to any infiltration; password complexity and management to keep that form of authentication strong; and a further randomly generated code to form multi-factor authentication, making access as difficult as possible for criminals.
Additional methods include restricting user privileges, so staff can only access what they need to perform their duties. Stopping the use of users’ own equipment and blocking the use of removable media stops vulnerabilities from being introduced.