While most attacks on enterprises result in a loss of data, financial information, and possibly reputation, attacks on critical national infrastructures can impact society’s health and safety.
The European Union puts the power grid, the transport network and information and communications systems among so-called “critical infrastructures,” which are crucial to maintaining vital functions in society. The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. outlines 16 critical infrastructures, including communications, critical manufacturing, emergency services, healthcare and agriculture.
However, according to the World Economic Forum, international and national policies are not keeping up with technological advances. “Digital dependency is changing the nature of international and national security, raising three urgent issues: how to protect critical infrastructure, uphold societal values and prevent the escalation of state-on-state conflicts,” argues the WEF Global Risks Report.
Critical infrastructure should be a priority for cybersecurity budgets
According to McKinsey, if a dedicated national security agency can focus on one aspect of cybersecurity, it should protect the country’s critical infrastructure. Critical infrastructure is a prime target for hostile state actors.
“Critical infrastructure typically consists of both information technology and operational technology, which makes it harder and more complicated to protect,” argues McKinsey. It recommends that best-in-class national critical infrastructure protection programs embrace the prioritization of critical sectors and assets; compliance with globally recognized cybersecurity standards, such as the ones defined in the U.S. National Institute of Standards and Technology’s Cybersecurity Framework; and the adoption of robust governance mechanisms. This may involve additional sector-specific cybersecurity standards.
Leaving the doors open to malevolent actors
Critical infrastructures today are connected to the global digital ecosystem. This has brought with it greater control, easier management, and above all, convenience. But it has also exposed vulnerabilities. Take the recent attack on the water supply of Oldsmar, Florida, which has highlighted concerns about critical infrastructure security. The attackers briefly multiplied the amount of sodium hydroxide used in the city’s water supply. The biggest shock about this attack was that it was not complex. It was carried out through software that enables the plant’s managers to access the system remotely.
In 2019, the American Water Works Association (AWWA) noted that the resources and capabilities “for preventing, detecting and mitigating cyber risk fall short, particularly given the significance of the threat and potential harm.” Two years on, and there is still much progress to make.
As the AWWA points out, much of this is down to fractured organizational infrastructures, shared infrastructures with different levels of risks, and legacy systems. These challenges are not unique to the water industry. Take the municipal computers at Riviera Beach, a suburb of Palm Beach, Florida, which went down in a ransomware attack. The attack disabled communications and forced staff to revert to paper-based systems. The community was so desperate that they opted to pay the hackers $600,000 to restore services.
Digitalization and remote working a considerable challenge
Digitalization and enforced homeworking are significant challenges for those managing critical national infrastructures. According to ABI Research, cybersecurity spending for critical infrastructure is forecast to hit $106 billion this year, a $9 billion increase on 2020. Much of the spending growth is on ensuring that infrastructure operations can be securely monitored remotely.
“There is no denying that secure connectivity has become a key focus, not least with the revelations late last year of the SolarWinds Orion hack, which has brought into sharp focus the need for better vetting of services offered by third-party contractors and remote update processes,” explains Michela Menting, Digital Security Research Director at ABI Research.
“The implications for national security are significant, and critical infrastructure operators and governments worldwide are now re-evaluating and reassessing the risks as they relate to remote management,” adds Menting.
How digital is changing the face of critical national infrastructure
Digital transformation is changing the face of critical national infrastructure as we traditionally know it. Hyperscale cloud providers such as Microsoft, Google and Amazon provide content and products for consumers, which many would consider makes them part of the new critical infrastructure. Automating processes is creating greater efficiencies, but with this increasing connectedness comes increased risk.
“In short, we are wrestling with what is critical national infrastructure. Traditionally it has been areas such as power stations, airports and hospitals. Big physical things which governments have always treated differently when it comes to security,” explains Nicolas Arpagian, VP Strategy and Public Affairs at Orange Cyberdefense. “Today’s digital world makes the differentiation even harder. What about Swift bank transfers, electronic trading at the New York Stock Exchange or Amazon and its servers, for example?”
“COVID has accelerated the digital transformation process in critical national infrastructure that was already happening and will continue to happen,” adds Arpagian. “We are more and more dependent on digital, and you can’t tease the digital infrastructure apart. The challenge for those working in critical national infrastructure security moving forward is how they can balance the benefits of interconnectivity without significantly opening up risks to cyberattacks.”
One of the most drastic solutions is to move back to analog and away from digitalization in some critical areas where the risks from cyberattacks are too great. In 2019, the U.S. Senate went as far as passing a bipartisan cybersecurity bill looking at ways of replacing automated systems with low-tech redundancies to protect the nation’s electric grid from malevolent actors. The aim is to thwart sophisticated nation-state attacks.
Closing the visibility gap
Increased digitalization will force governments to reassess their definition of critical national infrastructure. Across the entire critical infrastructure landscape, greater visibility will be paramount to stopping cyber aggressors from getting into systems without being seen and mounting attacks. “The definition of what is critical is now being tested more than ever before. At the same time, the threats to critical infrastructures are only going to get bigger. Organizations will need to reassess their processes and cyber risks to cope with a more hyper-connected world,” concludes Arpagian. This will require greater collaboration from critical national infrastructure agencies, governments and cybersecurity experts moving forward if we are to keep key critical assets safe in what is an increasingly borderless landscape.