Critical Infrastructure: A Flashing Beacon For Cybercrime

Uploaded on 2022-12-30 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Transport & Travel, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

In May of 2021, Colonial Pipeline, the largest pipeline system for refined oil products in the US, suffered a damaging cyberattack. The breach, a result of a vulnerable VPN password, caused the company to close down operations for a number of days, resulting in oil shortages on the East Coast. This is just one example of how devastating an attack on a critical industry can be.  
 
The UK government states there are thirteen sectors that come under the umbrella term ‘critical infrastructure’ including, chemicals, civil nuclear, communications, defense, emergency services, energy, finance, food, government, health, space, transportation, and water. All of these, which provide services that are essential to the day-to-day functioning of society, are hives of the most sensitive and confidential data that threat actors can easily be monetised on the Dark Web, driving further cybercrime and disruption.  
 
Unfortunately, the potential for widespread disruption has not gone unnoticed by cybercriminals. In fact, the US  Cybersecurity and Infrastructure Security Agency has urged the UK to act rapidly, warning that its government could be the victim of a 9/11 style cyberattack. This year also saw cybersecurity authorities in Australia, Canada, New Zealand, US and UK pleading for critical infrastructure defenders to prepare for an escalation in cyberattacks after the war between Russia and Ukraine.  
 
This increased risk has already been felt across the world with various national and public bodies being targeted, from governments in Cuba and Peru to water companies such as South Staffordshire Water as well as Denmark’s largest train operator and the NHS, which was impacted by a supply chain attack. With heightened political tensions across the globe, the potential for another attack on our critical infrastructure is not just concerning but highly likely. So, let’s take a look at what the current threat landscape looks like and how companies, as well as government agencies, can better protect themselves.  
 
Why Are Critical Industries More At Risk? 

This focus on critical infrastructure is intentional. Cybercriminals are fully aware of the impact that any disruption has on vital services, not just financially but also on public confidence. For example, in utilities, you cannot expect people to be without electricity or water, which means companies are more likely to pay in the event of ransomware. Hackers are also very observant and will strike during periods of unrest, for example using the ongoing energy crisis as an entry point for phishing or man-in-the-middle attacks.  
 
Another common risk factor among critical infrastructure organizations is that they all have a high level of interconnected legacy tech. This could include old devices that may not be used every day but are still active, or a machine that is critical to business processes but can only operate on older software that can’t be patched. Much of this legacy, although residing on our managed networks, does not sit within the ownership of our digital and security teams. It is true that some industries are more dependent than others, such as utilities, but everyone has their own battle to overcome.  
 
By not having a cohesive understanding of their technology estate, it makes it much harder for these industries to implement a holistic security strategy and also provides hackers with more ways to gain access to the wider network.  
 
Is Increased Connectivity The Problem? 

This problem has been exacerbated by the introduction of IoT devices which are incredibly complex to manage and are rarely built with security in mind. As companies collect more data and expand their network infrastructures, the more attractive they become to hackers and the harder it is to defend against threats.   
It’s vital that past experiences such as the Colonial Pipeline are not forgotten, but instead used to fuel next steps. While increased connectivity does widen the attack surface and make it more difficult to manage, there are technologies that help secure IoT devices against new threats and make this transition period smoother. 
 
It's important that we don’t stand in the way of technological progress. If we look at the transportation industry, when we board a plane, we have no idea whether a pilot is in control or if it is just on autopilot. But we still go on holiday and travel with confidence. It is possible to build the same level of trust when it comes to advances in driverless cars, despite their increased connectivity and reliance on IT. To get there, manufacturers need to be building security into these products. If things are designed with security in mind, they are less likely to get breached. This is a transferable message that needs to underpin every new decision, in every sector but especially critical infrastructure.  
 
Securing Our Future 

Many organizations are good with risk management but are missing the end-to-end cyber strategy that covers everything from employee engagement and BYOD security to firewall management and anti-malware protection.

Missing any one element can create vulnerabilities with damaging consequences. What is the takeaway from this? I think there are four key elements: 

1.    Communication is key:   You are only as strong as your weakest link so it’s crucial that there is an open dialogue within a company from the boardroom to the IT department. Any device that has access to the company network can allow hackers to gain access if it’s not properly managed. The problem is multiplied by the shift to home and hybrid working so organizations should be talking with employees and educating them on how to stay secure.   

2.    Visibility and segmentation:   It’s impossible to successfully secure a network without understanding the assets within it. Taking a full inventory, including cloud assets and data stores, will expose any weaknesses such as unpatched security updates or devices that have outdated firmware. Once you have mapped the network you can then implement strategies such as segmentation, which creates virtual internal barriers that stop hackers from moving laterally and creating widespread damage.  

3.    CISOs need to do their part:   The role of a CISO is to make sure that the board has greater understanding of the risks facing a business. Your job is to influence and make it clear to them in language they understand. This means spelling out the business consequences of weak security. There is a general lack of communication between CISOs and the wider business, and that needs to change in order to better secure our critical services.  

4.    Need for an overarching authority:   As we look at the challenges facing critical infrastructures, it's clear that companies in all sectors need to elevate their cybersecurity programs. But they cannot do it on their own. We need a unified regulatory body that can help these sectors implement standard practices. This will reduce disparities in cybersecurity spending, for example across energy and water.  
 
In the UK, our critical infrastructure is a bright flashing beacon attracting cybercriminals far and wide. The threat level continues to grow, and the consequences only become more severe. Now is the time to take action and prevention should be at the heart of every step they take to better secure themselves.  

Deryck Mitchelson is Field CISO EMEA at Check Point Software 

You Might Also Read:

Resilience Is Essential To Protecting Critical Infrastructure:

 

« US Bans Government Users From Using TikTok
IT Downtime Is Growing As Digital Transformation Speeds Up »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ThreatConnect

ThreatConnect

ThreatConnect is an enterprise threat intelligence platform by Cyber Squared bridging incident response, defense, and threat analysis for InfoSec & DFIR teams.

InteliSecure

InteliSecure

InteliSecure offer Professional Services, Security Assessments and Managed Services for data and threat protection.

STMicroelectronics

STMicroelectronics

ST is a global semiconductor leader delivering intelligent and energy-efficient products and solutions that power the electronics at the heart of everyday life.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

Auth0

Auth0

Auth0 is a cloud service that provides a set of unified APIs and tools that instantly enables single sign-on and user management for any application, API or IoT device.

ICS2

ICS2

ICS² is the first cyber security company focusing on protecting the control system of power, oil, gas, and petrochemicals plants.

MailXaminer

MailXaminer

MailXaminer is an advance and powerful email investigation platform that scans digital data, performs analysis, reports on findings and preserves them in a court validated format.

OutThink

OutThink

OutThink is a web-based platform (SaaS) that has been developed specifically to identify and reduce risky workforce behaviours and build a risk aware culture.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

CIBR Warriors

CIBR Warriors

CIBR Warriors are a leading cyber security and networking staffing company that provides workforce solutions with businesses nationwide in the USA.

Noname Security

Noname Security

Noname Security detects and resolves API vulnerabilities and misconfigurations before they are exploited.

Almond

Almond

Almond is positioned as a key independent French player in audit and consulting in the fields of Cybersecurity, Cloud and Infrastructure.

Teleport

Teleport

Teleport is a remote-first technology company. We enable engineers to quickly access any computing resource anywhere on the planet.

AnyTech365

AnyTech365

AnyTech365 is a leading European IT Security and Support company helping end users and small businesses have a worry-free experience with all things tech.

Zeron

Zeron

Zeron build bridges between security teams and top management. Our platform unifies your cyber risk posture seamlessly, encompassing threat insights and quantifiable risk scenarios.

EK3 Technologies

EK3 Technologies

EK3 Technologies mission is to provide comprehensive cybersecurity and IT solutions that allow our clients to focus on sustaining their business.