Concern around protecting critical national infrastructure (CNI) is growing. Following several high-profile attacks and growing tensions around state-sponsored cyber activity, the threat landscape is only likely to intensify. Ransomware in particular has been top of mind in recent months because of several headline-grabbing stories.
Critical national infrastructure has become a hot target for cyber criminals and has exacerbated worries around the globe due to its importance to everyday life. Attacks like this often target operational technology (OT) and industrial control systems (ICS) and range from modifying various industrial processes to disrupting and even shutting them down entirely.
Take the Colonial Pipeline ransomware attack as an example: the company, which transports over 100 million gallons of fuel from Texas to New York daily, was forced to halt its operations once it discovered the breach. The pipeline was down for nearly a week, resulting in gas shortages at stations across the southeast. For a company that provides just under 50% of the fuel for the entire East Coast, the ramifications of this attack were huge, worsened by the fact that there was public internet facing access to services that should have been segregated. Ultimately it was determined that a single stolen password was the avenue the hackers used, showing just how simple it can be for a hacker to get inside a system and how vulnerable the systems of CNI can be.
The healthcare sector in Ireland has also recently taken a big hit: threat actors breached the IT systems of Ireland’s health service and infected them with ransomware, forcing the HSE to shut them down. Emergency services, pharmacy systems, and the coronavirus vaccination appointment system were thankfully unaffected. But radiology services, elective surgeries and more were brought to a halt immediately after the attack was discovered. Even though many systems are now back online in the weeks since, according to the HSE’s chief executive, it could take many more months for hospitals within the network to fully recover from the incident.
The discovery of the SolarWinds Orion software supply chain breach was pivotal in highlighting the risks facing the supply chain. All sorts of organizations faced consequences, both public and private across the world. Part of the problem with SolarWinds was understanding where the software was in use and where it might be compromised. In the UK, NCSC’s Protective Domain Name Service (PDNS) became a primary source of data analysis to do this, enabling the UK government to understand the scale of the issue and enact appropriate incident response.
This isn’t a new problem. According to a study by Bridewell Consulting, 86% of CNI organizations (across aviation, energy, transport and more) in the UK have experienced a cyber attack over the last year. Nearly a quarter (24%) of respondents reported experiencing between one and five successful attacks, while just over 90% of the UK IT decision makers surveyed said they experienced at least one successful attack.
With CNI so interconnected, operators cannot be singularly focused on protecting their own systems but need to consider all the various pieces that make up the security supply chain. Late last year, while the pandemic was in full swing, the US CISA issued an alert warning that threat actors were targeting the healthcare system.
This prompted the UK’s NCSC to bolster their own defenses in relation to healthcare, resulting in the Health & Social Care Network (HCSN) being brought under the PDNS, which helped secure 1000+ additional HCSN organizations. The NCSC’s PDNS has been in operation for several years and was also offered to the vaccine supply chain, as part of the NCSC’s Active Cyber Defense (ACD) Broadening project that was designed to expand ACD’s impact into the private sector.
One of the key tactics in stopping these threats against the CNI is to endeavor to make it as difficult and costly as possible for the hackers to launch a successful attack. One of the best ways of doing this is through closer collaboration between friendly governments and industry. By sharing threat intelligence, best practices, skills and information with each other, all become stronger in their defense.
The cyber strategy of CNI organizations needs to take lessons from country-wide strategies that factor in individual organizations and the wider supply chain, and link up to central intelligence that can be shared and relied upon globally.
Ultimately it is about finding the changes that make the biggest difference: those that can be applied simply and seamlessly to maximum effect. An example of this is utilizing the DNS protocol for protection. While it isn’t a silver bullet, monitoring DNS traffic for malicious activity and refusing to resolve queries for known-malicious domains can stop attacks in their tracks. When you consider that this is now effective across the public sector and NHS, you can see the vast protection being achieved through a relatively simple tactic, particularly when it is combined with an overall improvement in organizational cyber hygiene.
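As an added illustration (not code from the original article or from the NCSC PDNS service), this is the core policy a protective resolver applies: queries for a blocklisted domain or any of its subdomains are not resolved, and the refusals are logged per client so defenders can see where a suspect domain is being looked up. The blocklist, the log format and the log lines are all constructed placeholders.

```python
from collections import defaultdict

# Constructed blocklist of domains the resolver refuses to answer
# (placeholder names, not real indicators).
BLOCKLIST = {"malicious.example", "c2-beacon.test"}

# Constructed query log in a simple "timestamp client qname" format.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 10.0.1.15 update.vendor.example
2021-06-01T10:00:02Z 10.0.1.15 beacon.malicious.example
2021-06-01T10:00:05Z 10.0.2.40 c2-beacon.test
2021-06-01T10:00:07Z 10.0.3.9 www.example
2021-06-01T10:00:09Z 10.0.1.15 MALICIOUS.EXAMPLE.
"""

def normalise(qname):
    """Lower-case and drop the trailing dot so matching is case-insensitive."""
    return qname.lower().rstrip(".")

def matched_entry(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname, or None.

    Walking up the parent labels means a.b.malicious.example is caught too,
    which is how protective resolvers handle per-victim subdomains.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def apply_policy(log_text, blocklist=BLOCKLIST):
    """Return (decisions, affected): one BLOCK/RESOLVE decision per query, and
    a map of blocklist entry -> clients that asked for it (the 'where is it
    in use' view that PDNS data gives an incident responder)."""
    decisions = []
    affected = defaultdict(set)
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        hit = matched_entry(qname, blocklist)
        decisions.append((ts, client, normalise(qname), "BLOCK" if hit else "RESOLVE"))
        if hit:
            affected[hit].add(client)
    return decisions, dict(affected)
```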
Identifying those tactics which are the force multipliers in cyber defense will be critical to protecting CNI in the future.