Cultivating digital hygiene

The growing cyber-threat means IT safety has moved up the priority list for infrastructure asset managers.

Cybersecurity could hardly be more relevant in today’s world. The pandemic has cemented the status of the digital economy, remote working is here to stay and the war in Ukraine has raised the threat of malicious attacks on critical infrastructure.

Even before the Russian invasion, the European Union Agency for Cybersecurity (ENISA) was highlighting the marked uptick in cyberattacks. The pandemic may have ushered in a new era of hybrid remote working, but it has also widened the attack surface for cyber-criminals to exploit.

Over the past two years, critical infrastructure across healthcare, transportation and the energy sector have all been targeted by hacking groups, with the ransomware attack on the Colonial Pipeline perhaps the highest-profile example. Operators of the largest pipeline system in the US were forced to pay out $4.4 million following a six-day shutdown that showcased the very real threat to national security.

“Traditionally, ransomware has targeted critical infrastructure because it is more likely to pay,” says Patrik Bless, chief information security officer at Swiss investment manager Partners Group. “The supply chains of assets are being targeted as malicious groups realise they can get into their targets more easily via a supplier, not only limited to technology outsourcing but also regular business process outsourcing.”

The need for robust cyber-protection in the West has also intensified following the Russian invasion of Ukraine. Authorities in the US, UK and EU allege that just one hour before troops crossed the border, Russian-sponsored hackers launched a cyberattack on the US telecoms firm Viasat, causing outages in Ukraine and affecting windfarms and internet users in central Europe.

GPs under pressure

The attack on the Colonial Pipeline, combined with this increasing threat from state-backed hacking groups, has already triggered a response from the US government. On 15 March, President Biden signed into law the Strengthening American Cybersecurity Act aimed at preventing future ransomware takeovers. The new bill imposes cyber-incident and ransomware attack response protocols. Firms will also have to disclose vulnerabilities, tactics and techniques used by malicious attackers.

For managers of critical infrastructure assets that rely on digital networks, culture and board mindset are as important as laws and regulations. “Cybersecurity is a business problem and not a technical one,” says Bless. “If you do not have accountability at the board level then nothing will get done.”

Terry Mason, director in cyber risk and privacy at risk mitigation consultancy HKA, explains that while GPs can afford cyber talent, they have not always been proactive about managing cyber risks within their own environment or portfolio, and historically have not been intimately involved in operations on the ground.

But this is changing. “LPs are demanding greater visibility and transparency into how GPs are thinking about cyber risk with their portfolio assets,” says Mason. “New proposed rules from the [US SEC] for cybersecurity for investment advisers will surely sharpen their focus on good cyber practices at portfolio companies, such as dedicated cyber policies and procedures, incident response capabilities, and qualified personnel that are responsible for managing their cybersecurity programmes.”