In this interview with Help Net Security, Michael Johnson, member of the Board of Directors at Safe Security, talks about the importance of critical infrastructure security, why attacks on critical infrastructure are particularly worrying, and what can be done to thwart these threats.
Recent cyber events have shown how extremely vulnerable critical infrastructure is. What are the biggest security concerns?
In any world conflict, one of the primary threats posed is cyber actors disabling or destroying the core infrastructure of the adversary. Based on the global reaction to the current world conflict, countries fear reprisals. The worry is that there will be collateral damage to the critical infrastructure of other countries not directly involved in the current conflict.
Today, services such as healthcare systems, power grids, transportation and other critical industries are increasingly integrating their operational technology with traditional IT systems in order to modernize their infrastructure, and this has opened up a new wave of cyberattacks. Though businesses are ramping up their security initiatives and investments to defend and protect, their efforts have largely been siloed, reactive, and lack business context. Lack of visibility of risk across the estate is a huge problem for this sector.
The digitalization of critical infrastructure, coupled with increased dependence on third parties, has made it vulnerable to cyberattacks across multiple vectors. Supply chain attacks are becoming increasingly commonplace with several critical infrastructure businesses being compromised as collateral damage. The risks they need to monitor and manage include: employee workforce risk, third, fourth, and nth parties (not just their vendors, but their partners and suppliers’ networks, too), the native technology stack, compliance and regulatory frameworks, and internal policies and processes.
What area of critical infrastructure is most at risk?
Core infrastructure is the most vulnerable in any global crisis due to the massive impacts that an attack or outage would have on citizens. This infrastructure includes the energy, water, transportation, and healthcare systems that are needed every day to survive. The ability to disable and deny access to any of these resources is a massive threat to any country’s economy. In addition to this persistent threat, the cyber side of global conflicts has rapidly evolved in recent years, and companies and other non-involved governments would be wise to educate themselves on what the outcomes of the well-documented cyberattacks have been to date.
What could be the consequences of critical infrastructure attacks?
Our way of life could be impacted by a capable attack on critical infrastructure. Transportation, energy, financial, and healthcare services could be impacted. People could be delayed in accessing critical resources, including energy to their homes or access to their bank accounts.
It is conceivable that cyberattacks on critical infrastructure could lead to an attacker gaining control over the systems and networks, which could have devastating consequences. For example, attacks on our industrial control systems, healthcare centers, telecommunication providers, global financial markets, power plants, and other critical sectors have the potential to cripple national security, international trade, global economies, and international relations. Especially with supply chain issues and COVID-19 still impacting services, we cannot afford to have disruption or degradation of these critical systems.
How can these attacks be mitigated or even avoided?
The complexity of critical infrastructure businesses requires cyber risk management to be continuously and consistently proactive, across various factors and vectors. State and local entities have taken the initiative towards proactively assessing, prioritizing, and managing threats. For example, the Cyber Security Evaluation Tool (CSET) provides a systematic and repeatable approach to assess the cybersecurity posture of ICS networks. Moreover, the U.S. Office of Management and Budget (OMB) is taking notice of the need for automated solutions and is providing funding and guidance to help agencies adopt proactive capabilities.
Both public and private sector organizations are also sharing information and cyber defense best practices in critical infrastructure communities of interest, such as Information Sharing and Analysis Centers. There are also many popular commercially backed exchanges where information can be shared specific to critical infrastructure threats.
While a number of tools and security products exist in the market today to help boost critical infrastructure security, the fundamental challenge remains that they work reactively to defend against cyberattacks. Critical infrastructure needs real-time visibility into risk posture. Cyber risk quantification, backed by sound data science principles, has a unique opportunity to solve this challenge.
How will critical infrastructure security evolve in the future?
Organizations need to first understand where they stand today, in order to set goals for the future. You cannot manage what you cannot measure.
With the continued rise in nation-state threat actors, supply chain attacks, and attacks on critical infrastructure growing both in sophistication and impact, there are two things all companies and organizations need to focus on. First, organizations need to implement information and technology management best practices, including network segmentation, multi-factor authentication, network access control, etc. Second, organizations need to implement quantitative risk management, ensuring they are able to properly assess, prioritize, and manage cybersecurity risk.