Critical infrastructure is at risk of being hacked, even accidentally

As technology has developed, critical infrastructure has increasingly been brought online to improve reliability, reduce costs and improve services, but that has also made it increasingly vulnerable, writes Tony Burton.

Tony Burton

Data breaches are now a daily occurrence, but for the most part they pass by unnoticed. Although businesses may get hit, there isn’t usually a catastrophic or even tangible impact on our day-to-day lives that generates a significant public response.

However, the game is changing, and the potential impact hackers can have on wider society is starting to be felt with increasing frequency. This is because of the growing threat to our critical national infrastructure.

Earlier this year, the well-publicised ransomware attack on the Colonial Pipeline in the US brought fuel supplies to a halt, thereby impacting the consumer dramatically. The chief executive of the UK’s National Cyber Security Centre stated that ransomware is now one of the greatest threats that the country’s people and businesses face.

So why is critical national infrastructure more under threat, and why should those in charge of reducing the risks it faces put cybersecurity and resilience at the heart of their strategy?

Critical national infrastructure can now be accessed digitally, which brings many advantages in effectiveness and efficiency. However, a significant proportion of it was built before the widespread adoption of the internet and was never designed to be connected. As technology has developed, critical infrastructure has increasingly been brought online to improve reliability, reduce costs and improve services. Take the utilities sector: the stability of both water systems and power supply has increased substantially due to the vast number of sensors and control devices now in commission.

By connecting these systems, it is easier to analyse and predict potential faults before it is too late. This can dramatically save on the time, costs and resources needed to repair these systems when something does go wrong. Additionally, through the data generated companies can better understand, predict and therefore prepare for potential peaks in customer usage, thereby boosting overall efficiency.


The digital transformation of critical infrastructure has also been accelerated as a result of the pandemic. Although many of these systems require workers to be on site, others have had to adopt remote access protocols due to access limitations and social distancing guidelines. Remote working has meant that an increasing number of employees are accessing company systems outside the traditional network perimeter, thus making those systems more vulnerable to targeted cyberattacks.

Hackers gaining access to critical infrastructure could have potentially devastating consequences and not only as a direct result of disruption. The increased interdependence of one sector on another means that attacks on the likes of water or power plants have the potential for cascade effects where interdependent systems and services are interrupted. These effects are difficult to model and predict, but they are critical in understanding the real impact of unexpected outages.

Another growing issue is that the operational technology of critical infrastructure is increasingly connected to the information technology or enterprise architecture of the business. These links provide the potential pathway for intentional or ‘accidental’ incursions into critical operational areas, where an attacker may not set out to cause catastrophic damage but, through cause and effect, achieves such an outcome. The Colonial Pipeline attack began with remote access into the enterprise through a user account on a disused virtual private network. Once the account was compromised, the ransomware triggered a series of events that shut down the pipeline, with all of the consequences that followed. Again, this is where preparedness and the development of resilience by design can help minimise these cascading and indirect effects.

Treating OT and IT separately

The biggest issue with the current approach to protecting critical infrastructure is that many organisations just use tried and tested cybersecurity strategies previously developed for data-centric IT systems. Critical infrastructure is run on operational technology, connecting physical systems. As such, organisations must approach OT as its own entity and put in place the procedures that mitigate the impact of an attack.

This means understanding what is connected, who has access to it, what applications and code are trusted and what else might be at risk should that system be compromised. This understanding really needs to be the first step, because organisations cannot possibly protect themselves if they do not know what is connected in the first place. Once that baseline is established, organisations must secure access through protocols like access management controls, ‘passwordless’ authentication such as biometrics and careful architecting of fail-safe systems. A key part of this is also protecting the data within the OT system itself. More often than not, data is the target hackers are after – whether it is to steal, encrypt and hold for ransom or, even more worryingly, to manipulate. Hackers can do a lot of damage should they gain access to the data housed within the operational domain.
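As an added illustration, not code from the article or from Thales, the following Python check performs the two steps just described: comparing what is actually observed on an OT network against a known asset baseline, and flagging enabled remote-access accounts that have gone unused, the kind of dormant credential the Colonial Pipeline paragraph refers to. All addresses, account names and dates are constructed, and the 90-day idle threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed OT asset baseline: what is *supposed* to be connected.
BASELINE: Dict[str, str] = {
    "10.20.1.10": "PLC-pump-station-1",
    "10.20.1.11": "HMI-control-room",
    "10.20.1.12": "historian",
}

# Constructed observations, e.g. from passive network monitoring of the OT segment.
OBSERVED: Set[str] = {"10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.1.99"}


@dataclass
class RemoteAccount:
    name: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in


# Constructed remote-access (VPN) account records.
ACCOUNTS: List[RemoteAccount] = [
    RemoteAccount("ops.engineer", True, date(2021, 6, 1)),
    RemoteAccount("contractor.legacy", True, date(2020, 11, 3)),
    RemoteAccount("vendor.support", False, date(2021, 2, 14)),
]


def unknown_assets(baseline: Dict[str, str], observed: Set[str]) -> List[str]:
    """Return observed addresses that are not in the asset baseline.

    Anything listed here is either an undocumented device or an intruder;
    either way it must be identified before it can be protected."""
    return sorted(observed - set(baseline))


def dormant_enabled_accounts(accounts: List[RemoteAccount], today: date,
                             max_idle_days: int = 90) -> List[str]:
    """Return enabled remote-access accounts idle for longer than max_idle_days.

    Such accounts should be disabled: a still-valid but forgotten credential is a
    remote-access path nobody is watching."""
    dormant = []
    for account in accounts:
        if not account.enabled:
            continue  # already disabled, nothing to flag
        never_used = account.last_login is None
        if never_used or (today - account.last_login).days > max_idle_days:
            dormant.append(account.name)
    return dormant
```

Run both checks on a schedule and treat any non-empty result as a finding to be reconciled against the baseline, not silently accepted.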

Alongside access management, organisations must focus on protecting their sensitive data through encryption techniques and the careful management of the cryptographic keys that underpin the security. This undertaking is non-trivial and requires understanding of not just the technology but also the security policy that is being enforced, the operational and process logic that is being supported, and the level of protection being balanced with the understanding of risk.

As more critical infrastructure comes online, the focus must be to counteract the risks that will be generated as a result. The good news, in the UK at least, is that the government is aware of the threat too, having announced in its integrated review that a new cyber security strategy is being worked on that will address the vulnerabilities and ensure resilience is built in to prepare for and withstand future cyber-attacks.

Connected future

The key word here is resilience. Organisations in charge of critical infrastructure must ensure they are prepared for future attacks and mitigate the impact that hackers can have. This comes down to building that resilience through some of the controls mentioned earlier – access management, encryption, key management, architectural design – and treating OT and IT as related but different challenges.

While the UK’s national cyber strategy is still being worked on, organisations in charge of the country’s critical infrastructure cannot afford to wait. If organisations can show hackers that they are not soft targets and will demand significant resources and effort to gain access then this is step one towards becoming resilient. If this can be extended to ensure that, even if the more persistent attackers do get through the net, they can gain little or nothing due to the resilient architecture, monitoring and response systems, then resilience becomes the reality. There are of course many other layers to consider, from threat intelligence to get ahead of the game, to the adoption of deception techniques to mislead or even attract attackers, to non-critical or simulated systems to monitor attack techniques. But that is probably for another day.

In the meantime, organisations need to put cybersecurity and resilience at the heart of all strategies. Our very lives could depend on it.

Tony Burton is marketing and strategy director, secure communications and information systems at Thales UK