Critical infrastructure and public sector organizations such as government and municipalities, manufacturing units, communication networks, transportation services, power and water treatment plants, et. al, have been battling a growing wave of breaches and cyberattacks. There are three main reasons why critical infrastructure is being targeted:
• Opportunity For Real-world Disruption: Attacks on railways, ports or air control systems can create shortages in food supply or halt supply of critical components and resources. Attacks on financial systems like the stock market or large telecom providers can shut down a country’s economic activity.
• Legacy And Outdated Infrastructure: Many critical infrastructure organizations rely on legacy systems that have either reached their end of life or have not received updates in decades. Such systems and devices have critical vulnerabilities that are exploitable by threat actors. In addition, the rise of IT and operational technology (OT) convergence, including the need for remote access to OT assets, has substantially increased the attack surface.
• A Tool To Further National And Geopolitical Interests: Geo-political conflicts around the globe have given rise to a new domain of cyber warfare where cyberattacks can be leveraged as a means of espionage, a weapon of mass destruction, carnage or chaos and a tactic to disrupt a strategic competitor or a rival nation. Russia’s coordinated attack on a satellite-based ISP just hours before the Ukraine war is a great example of cyber’s role in modern warfare.
To help critical infrastructure organizations improve cyber defenses, a simple framework called the seven dimensions of security strategy was developed after a careful analysis of the challenges faced by critical infrastructure. Summarized below are the seven steps:
1. Formulate A Cybersecurity Program Based On Risk: Start by identifying your priority areas and risky assets that need to be addressed. Next, run an in-depth vulnerability assessment to identify hardware, software, or misconfiguration weaknesses. Embark on a comprehensive scenario-planning exercise to identify unique risks based on identified vulnerabilities, threats, challenges and potential situations.
2. Invest In The Right Technological Controls: Critical infrastructure organizations must invest in an integrated defense approach comprising air gapping and segmentation of highly sensitive systems and data, adopting a zero-trust framework, leveraging next-generation firewalls, intrusion prevention systems and other security controls to detect and prevent external attacks, securing or limiting remote access, limiting privileged access to only a handful or users, implementing rigorous and continuous patching of OT and industrial internet of things.
3. Take Account Of Compliance And Regulations: There are several sector-based regulations and frameworks that critical infrastructure organizations must adhere to. For example, power grids must implement a series of mandatory controls called the NERC CIP. Similarly, public water sources and the aviation industry must also comply with the guidance provided by the Environmental Protection Agency and the Transportation Security Administration. The U.S. government issued a new mandate (a.k.a. CIRCIA) that requires organizations to report attacks within 72 hours and ransomware payments within 24 hours.
4. Train Employees On Cybersecurity Hygiene: Human error is the biggest risk to industrial control systems. The Colonial Pipeline attack that shut down fuel supply across the eastern U.S. is said to have been caused by poor password practices. Moreover, as generative AI matures, threat actors will weaponize deepfakes to impersonate employees and infiltrate organizations using highly targeted social engineering attacks. It is important to train employees to recognize and report phishing attempts.
5. Test And Validate Defenses Regularly: Penetration testing, a type of simulated cyberattack, can help identify gaps in security control and defenses. Since cyberattack vectors and techniques evolve regularly, organizations must perform routine penetration tests to identify critical vulnerabilities and improve security posture. In the case of critical infrastructure, it’s equally important to conduct physical penetration testing as some attackers are known to attack air-gapped targets by physically infiltrating their environments and then deploying malware via a physical connection or USB stick.
6. Establish A Vendor Risk Management Program: Threat actors are known to exploit the trust that exists between organizations and their third-party suppliers as well as machine-to-machine communication channels to launch attacks against organizations. Like other organizations, critical infrastructure depends on a network of third-party players to grow and operate their businesses. As seen in the case of the SolarWinds hack or the 3CX attack, threat actors can easily leverage trusted relationships and interconnected systems to compromise critical infrastructure environments. Organizations must develop robust vendor management risk programs to regularly validate and identify evolving and emerging risks arising from suppliers and channel partners.
7. Opt For Cyber Insurance: While insurance certainly does not equal cybersecurity, it’s always a good idea to have this safety net available. Some critical infrastructure organizations already have a terrorism risk insurance program (TRIP) in place, however, studies show that these programs provide limited coverage for catastrophic losses arising from cyber events. What’s more, certain cyberattacks may not meet the terrorism criteria. Insurers have introduced exclusions for losses arising from warfare, infrastructure outages and ransomware. Organizations need to evaluate policy inclusions carefully before purchasing insurance.
Critical infrastructure is the backbone of any society. Before the internet age, a physical attack on critical infrastructure would’ve been deemed an act of terrorism or an act of war. Today, these organizations face hundreds and thousands of attacks every day, perpetrated by skilled and highly resourced attackers operating from all corners of the world. Given the vast scope of attack vectors and security mitigations, it’s impossible to have all bases covered. Along with implementing the above guidance and best practices, organizations should collaborate with seasoned cybersecurity teams. These teams can offer an impartial view and deliver IT-OT cybersecurity knowledge that some enterprises may not possess internally.