We can’t rely on goodwill to protect our critical infrastructure

How far is too far for a hacker? Earlier this year the Lockbit ransomware-as-a-service organization apologized and provided a free decryptor following a ransomware attack on a children’s hospital in Toronto—blaming a “rogue affiliate” for going against the rules and targeting an organization where there was a risk to life.

This self-regulation (of a sort) isn’t stopping other groups from targeting critical national infrastructure (CNI): hospitals, power grids, and oil pipelines have all been affected, and all have put lives at risk. The US had already seen the first lawsuit where a cyberattack was blamed for an infant death.

The UK has encouraged CNI providers to improve their security, but the frequency of attacks continues to increase.

Protecting CNI is a difficult task, thanks to a combination of a lack of skilled professionals, legacy systems and a lack of security investment that leaves them open to attack. To remain operational, these organizations must have the ability to continuously monitor for threats in real time. To do this, many current systems use an agent-based approach. But as agent-based approaches require downtime to be installed and updated, leaving the organization vulnerable, these are not fit for purpose.

How did we get here?

CNI is constantly under threat. This is partly because everything is under greater threat of attack. But the nature of ransomware is that it is most effective on systems that we just cannot afford to lose. The WannaCry attack, for example, hit 34% of NHS Trusts and nearly 600 GP practices resulting in the cancellation of 19,000 operations and appointments. While governments have tried to put together standards and laws calling for minimum security requirements, many organizations are confused as to how much these laws apply to them.

While one would assume that these systems should run the latest and greatest security measures, due to their sensitive nature, many of these systems operate on legacy machines that can’t be reset and can’t be patched. In 2021 the Digital Economic Council reported that over £2bn IT-related spending by the UK government is dedicated to simply “keeping the lights on,” and not updating or replacing outdated legacy systems. In the past IT managers could have relied on secrecy and obscurity to protect their systems but now any system that is connected in any way to the internet is at risk of attack. Even air gaps can be overcome—smart watches and malware-laden USB sticks have proven an effective way to break into these systems.

Protect critical infrastructure: Layering security

One of the preferred methods for keeping CNI safe is by layering the perimeter with multiple walls of protection. The idea is that if one wall is breached, the hacker has limited time to do any real damage before they are detected. If networks are siloed or segmented, ransomware infecting the network will struggle to move laterally. Once the malware is detected, security teams can quickly deploy the relevant patches while ensuring the malware is taken care of.

In addition to firewalls and ACLs (access control lists), another layer of control that these companies should make sure they employ is stricter zero-trust policies. As the name suggests, it treats every individual within the organization as untrustworthy, demanding they authenticate who they are before accessing anything.

Having this type of policy in place encourages stricter identity access controls and limits the amount of data that can move within a business, mitigating possible damage. However, even with these controls in place, the business must be able to detect and monitor where an intrusion has happened. If this isn’t possible in real time, it puts the attacker back in the driving seat.

A different approach

Agentless-based approaches are a far better fit for CNI. This involves monitoring and protecting systems and networks without the need to install software agents. Instead, technologies such as traffic analysis are used to detect and prevent cyber threats in real-time. There is no need for downtime for installation or updates, vital for CNI organizations that need to maintain continuous operations. It also eliminates the need to maintain and update software agents on each individual system, which can be time-consuming and cause additional disruption.

An agentless approach can also be more effective at detecting sophisticated APT attacks. APT groups often compromise a single system and use it as a foothold, remaining hidden while they gather intelligence for a future attack. As agentless systems do not need to be installed on each individual system, they can provide a more comprehensive view of network activity and are better able to detect and prevent APT attacks that may go unnoticed by traditional security systems.

While the threat level remains high, the organizations that maintain CNI will need to step up their security posture. An agentless approach is recommended, providing a reliable approach for monitoring in real time—but it is not enough on its own. It must be part of a comprehensive security strategy with multiple layers of protection within the network.