In March 2020, a survey on the global state of industrial cybersecurity found that nearly three in four IT security professionals were more worried about cyberattacks on critical infrastructure than they were of a data breach in their own organization. This was consistent with the 2020 Global Risks Report from the World Economic Forum that noted the rise in cyberattacks targeting critical infrastructure such as energy, transportation, health care, water treatment, sewerage, nuclear, chemical, government, food chains, financial facilities, and electoral systems. The concerns over critical infrastructure cyberattacks are valid. Here is why.
1. Increased connectivity
Critical infrastructure is not immune from the threats lurking on the Internet and the information technology revolution that has transformed every other aspect of modern work and life. The days when energy infrastructure was run by isolated systems on location are long gone.
Today, critical infrastructure is connected to the global digital environment. This has brought unprecedented convenience and control to infrastructure managers. However, it has also increased the number, nature, scale, and sophistication of infrastructure vulnerabilities.
The threat surface has been greatly expanded, compounded by the rise of the Internet of Things, including the push toward smart cities and smart homes.
2. Highly organized adversaries
The capability of threat actors has evolved with these new attack opportunities. Actors today include more organized and well-resourced foes such as nation-states, terrorists, and cybercriminal networks. Given the potentially catastrophic repercussions of a successful attack, these organized adversaries prioritize critical infrastructure targets in their cyberwarfare or cybercrime strategy.
A successful attack on energy infrastructure could trigger disruptions in diverse essential systems, including health care, transportation, financial services, and food supply.
3. Increased hacking knowledge
Cyberattacks date almost as far back as the Internet’s transition to the mainstream. In the early years, hackers were a small, elite community. They enjoyed a uniquely deep understanding of how information technology systems worked.
Since then, though, the experience and technical knowledge required to launch an attack have steadily decreased. Malicious exploits, penetration tools, and hacking advice are easily available on the Internet. With such ready access, cyberattacks may be launched by anyone from a lone actor to a nation-state.
4. Growing sophistication and number of attacks
The complexity of cyberattacks has greatly increased. Recent cyberattacks have rendered some of the largest websites in the world inaccessible for hours. Worse still, attributing an attack to a specific actor remains a major challenge. Even when a group comes out as the originators of the attack, it may be a red herring. The real initiator, especially in instances where state actors are involved, may do that to conceal their identity.
The number of attacks is rising too. The U.S. DHS ICS-CERT and the National Vulnerability Database (NVD) are reporting a higher number of vulnerabilities and flaws in infrastructure control systems.
5. Ability to manipulate physical systems by cyber-means
Every company is continuously in danger of a cyberattack on their proprietary data, websites, communication systems, customer accounts, and business networks. Critical infrastructure providers, however, must contend with the additional threat of attacks on their operational technology (OT) systems, often referred to as infrastructure control systems (ICS) or supervisor control and data acquisition (SCADA).
ICS/SCADA are responsible for operating physical processes like the generating, processing, and delivery of water, power, fuel, chemicals, transportation, and communication. A cyberattack on these operational technology systems may potentially damage vital equipment, disrupt essential services, threaten health and safety, and precipitate disruption to a wide range of other market sectors.
In the past, OT security depended on the specialization and obscurity of infrastructure systems as an impediment against external attacks. A utility’s systems were heavily customized and often compatible with only a limited number of components from one vendor. This made it harder for attackers to identify and execute exploits against the components of the grid. Thanks to the digitization and integration of modern OT systems with standard enterprise systems, that is no longer the case.
6. Attacks on critical infrastructure already nearing a new normal
Cyberattacks on critical infrastructure are already creating a new normal. They are no longer an unusual occurrence that is seen once every few years or months. Every day, critical infrastructure somewhere in the world is under attack. While the overwhelming majority of attacks are not successful, some do go through.
For instance, a 2015 cyberattack on three electricity distribution companies in Ukraine left nearly a quarter-million customers with no power for up to six hours. The attack relied on readily accessible malware tools.
In 2016, Bangladesh Bank, the country’s central bank, had its network breached by hackers who proceeded to obtain the bank’s SWIFT log-in credentials. With access to this global funds transfer system, the attackers stole more than $80 million.
In 2018, a cyberattack on Atlanta disrupted municipal operations and rendered the software applications that control law enforcement, court systems, and watershed departments unusable.
7. COVID-19 has accelerated remote work and created new security gaps
Most analysts predicted the world would continue to move toward remote work as the primary means of working. Still, many considered it would take decades before we would see Fortune 500 organizations having the majority of their employees work from home. The COVID-19 pandemic changed that in dramatic fashion.
The spiraling crisis that was the COVID-19 caused upheaval to work routines worldwide. As cities shutdown and governments enforced social distancing policies to stem the spread of the virus, organizations had to quickly transition to a work-from-home model for nearly all their entire staff. It brought forward the normalization of remote work by perhaps 10 years.
In a matter of weeks, companies had to establish a means for their employees to access enterprise systems from home. That shift occurred in critical infrastructure organizations and allowed staff to access intellectual property away from the office location. With this, hackers were presented with new opportunities to intercept sensitive communication or compromise an employee’s computer so they could gain access to critical infrastructure networks.
Businesses must plan for critical infrastructure cyberattacks
Attacks on critical infrastructure have far-reaching economic implications and, in the worst case, could be the trigger for armed or cyber conflict between nations. Hackers can damage physical infrastructure by compromising the systems that are responsible for controlling physical processes. They can ruin specialized equipment and disrupt essential services.
IT security professionals have to think about what a critical infrastructure cyberattack would mean for their own enterprise operations and the mitigating controls they can put in place to minimize the impact.
Featured image: Pixabay
