When considering critical infrastructure, most people automatically think of basic needs such as water supply, electricity, transportation facilities such as trains, airports and docks, or gas supplies for heating. In reality, there are 16 sectors that fall under the category of critical infrastructure, as defined by the US Department of Homeland Security, and they are not exclusive to the US. The sectors also include areas like agriculture, public health, and security services such as the armed forces or police, which apply to any modern society.
While these vital services and facilities keep our nation’s security, economy, and public health and safety running, we give them little thought until something goes wrong and the services are interrupted. For example, we’ve all experienced the frustration of a power cut in the neighbourhood, when even the simplest tasks, such as switching the kettle on for a cup of tea, are impossible to complete. Now take that downtime, add greater interconnectivity, and multiply it by the size of the country. That slight annoyance has been transformed into a significant national incident that could bring a country to a standstill.
The more interconnected our infrastructure is, the more vulnerable it is to cyberattacks, and this is where hackers are starting to gain a foothold. By exploiting this newly connected terrain to conduct reconnaissance, gain remote access and, in some cases, mount attacks, hackers are infiltrating critical networks and are poised to wreak havoc. So, what can be done to ensure public infrastructure is protected against cyberattacks?
No longer in isolation
In the past, protecting our critical infrastructure was typically categorised as just protecting the physical perimeter: security guards armed with guns and guard dogs patrolling the barbed wire fences. But in today’s industrial environment, demand for greater operational efficiency has driven a digital transformation. The industrial control systems (ICS) underpinning our critical infrastructure are no longer isolated from the internet but are now highly connected across multiple sites and a diverse supply chain. This transformation has delivered tremendous increases in efficiency and productivity, but it has also increased the attack surface of our infrastructure, so we must think about protecting the digital perimeter as well as the physical one.
In many ways, a more interconnected infrastructure is a good thing for global economies. All organisations can benefit from the combination of advanced computing with industrial automation. For example, it leads to improved reliability of the infrastructure through predictive and remote maintenance, which can be used to address potentially dangerous problems before they result in costly downtime. But this comes at a cost: there has been, and remains, little consideration of the risk that it poses.
Fortunately, there have only been a small number of cases around the world in the last few years, with the Ukrainian power grid takedowns in 2015 and 2016 being the most notable, leaving thousands of citizens without power for several hours. Whilst these incidents have been an order of magnitude rarer than the constant stream of attack reports we see from sectors such as finance and retail, the repercussions of an attack are far greater than in any other sector.
In fact, using the Ukrainian incidents as a baseline, researchers from the UK Infrastructure Transitions Research Consortium at the University of Oxford and the Centre for Risk Studies at Cambridge Judge Business School estimated that comparable attacks on the UK could cost in excess of £111m a day. They concluded that even a relatively limited incident could hit the power supplies of more than 1.5m UK citizens.
Defending against the unknown
One of the biggest challenges is accounting for, and securing against, the unknown. While there are plenty of security personnel and detection tools available that can seek out recently discovered vulnerabilities and malware or identify new attacker techniques and behaviours, little can be done to prepare for unknown threats. To compound this, whilst most of the Internet’s traffic is managed via open standards, ICS tend to run on a multitude of old, obscure and proprietary protocols that were never designed to be operated in the ‘cyber’ world. As a result, there is a high chance that many industrial systems have already been compromised by unknown malware, which is now lying in wait for the right time to strike.
So, what do we do? One train of thought is to retreat into technological isolation, do everything manually and revert to analogue protocols. Yet this is a somewhat short-sighted and retro approach, which could significantly stifle innovation as well as being counterproductive and labour intensive. The critical national infrastructure of the world’s nations is not vulnerable because it is digitised, but because hackers and nation-state threat actors understand the cyber terrain better than those tasked with defending it.
Understand the environment
In order to protect the infrastructure, you must first have visibility into it and map out all critical elements, so as to gain a full understanding of the domain that is to be managed.
Stage one is to develop a complete inventory of all assets and endpoints and map the paths of communication between them, so that sensitive sections of the network can be segmented and isolated from parts not critical to their operation. This sounds straightforward, but it can cause a headache: some equipment may have been in operation for decades, with any remedial changes or modifications poorly documented, so there is rarely a reliable starting point from which to build a security blueprint. Luckily, OT security technologies are now available to help security and operational staff identify the assets on their network.
Stage two is defining what ‘normal’ behaviour looks like. If scheduled maintenance work always takes place on Tuesday morning at 10 o’clock, then you’d want any anomalous behaviour, such as maintenance work suddenly being carried out at 2 o’clock on a Wednesday afternoon, to be flagged as a potentially critical issue. The best OT security technologies establish a baseline of normal behaviour by monitoring activity and establishing patterns of behaviour. When anomalous behaviour is detected, they apply advanced logic to establish the level of risk and whether an alert must be raised.
By defining the environment, actively monitoring activity and then implementing proper controls, the level of risk posed by a potential attack can be mitigated. Alongside traditional site security controls, including issuing employee identification badges and deploying access control readers, one of the objectives should be to isolate the most critical areas of the ICS network: not only to control who initiates changes to production processes, but also to ensure that critical processes cannot be affected if another part of the network is compromised.
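As an added illustration of stages one and two (this is example code written for this page, not code from the original article or from any OT security product), the script below derives an asset inventory and communication map from a handful of constructed flow records, checks each observed path against a zone segmentation design, and flags engineering-to-controller activity that falls outside the defined Tuesday 10 o’clock maintenance baseline. The addresses, zone names, allowed paths and flow records are all invented assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: flow records as (ISO timestamp, src_ip, dst_ip, protocol).
# All addresses, host roles and zone names are invented for this example.
# 2024-05-07 is a Tuesday; 2024-05-08 is a Wednesday.
FLOWS = [
    ("2024-05-07T10:02:00", "10.0.1.20", "10.0.2.5", "modbus"),   # scheduled maintenance
    ("2024-05-07T10:40:00", "10.0.1.20", "10.0.2.6", "modbus"),   # scheduled maintenance
    ("2024-05-07T09:00:00", "10.0.2.5", "10.0.3.1", "opc-ua"),    # routine process traffic
    ("2024-05-07T09:05:00", "10.0.2.6", "10.0.3.1", "opc-ua"),    # routine process traffic
    ("2024-05-08T14:05:00", "10.0.1.20", "10.0.2.5", "modbus"),   # off-schedule change
    ("2024-05-08T14:06:00", "10.0.9.7", "10.0.2.5", "modbus"),    # undocumented host
]

# Documented inventory: asset -> zone. 10.0.9.7 is deliberately absent so the
# example shows how an unknown asset surfaces from the traffic itself.
ZONES = {
    "10.0.1.20": "engineering",
    "10.0.2.5": "control",
    "10.0.2.6": "control",
    "10.0.3.1": "supervisory",
}

# Communication paths the segmentation design permits (src zone -> dst zone).
ALLOWED_PATHS = {("engineering", "control"), ("control", "supervisory")}

# Baseline: engineering changes to controllers are expected Tuesday 10:00-11:00
# (datetime.weekday(): Monday = 0, so Tuesday = 1).
MAINTENANCE_WINDOW = {"weekday": 1, "start_hour": 10, "end_hour": 11}


def build_comms_map(flows):
    """Stage one: derive the asset inventory and who-talks-to-whom from flows."""
    assets = set()
    peers = defaultdict(set)
    for _, src, dst, proto in flows:
        assets.update((src, dst))
        peers[src].add((dst, proto))
    return assets, dict(peers)


def unknown_assets(flows, zones=ZONES):
    """Assets seen on the wire but missing from the documented inventory."""
    assets, _ = build_comms_map(flows)
    return sorted(a for a in assets if a not in zones)


def segmentation_violations(flows, zones=ZONES, allowed=ALLOWED_PATHS):
    """Flows that cross a zone boundary the segmentation design does not permit.
    Unknown assets are placed in zone 'unknown', so any cross-zone flow involving
    one is reported rather than silently accepted."""
    out = []
    for ts, src, dst, proto in flows:
        path = (zones.get(src, "unknown"), zones.get(dst, "unknown"))
        if path[0] != path[1] and path not in allowed:
            out.append((ts, src, dst, proto, path))
    return out


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True if the timestamp falls inside the scheduled maintenance window."""
    t = datetime.fromisoformat(ts)
    return (t.weekday() == window["weekday"]
            and window["start_hour"] <= t.hour < window["end_hour"])


def maintenance_anomalies(flows, zones=ZONES, window=MAINTENANCE_WINDOW):
    """Stage two: engineering-to-control traffic outside the baseline window."""
    out = []
    for ts, src, dst, proto in flows:
        if (zones.get(src) == "engineering" and zones.get(dst) == "control"
                and not in_window(ts, window)):
            out.append((ts, src, dst, proto))
    return out


def triage(flows):
    """Combine the checks into a simple severity-ranked list for alerting."""
    findings = []
    for f in segmentation_violations(flows):
        findings.append(("high", "segmentation violation", f))
    for f in maintenance_anomalies(flows):
        findings.append(("medium", "off-schedule change", f))
    for a in unknown_assets(flows):
        findings.append(("medium", "unknown asset", a))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(FLOWS):
        print(f"[{severity}] {kind}: {detail}")
```

Run as a script, it reports one segmentation violation (the undocumented host talking to a controller), one off-schedule engineering change on the Wednesday afternoon, and one unknown asset. In a real deployment the flow records would come from passive network taps or span ports on the OT network, and the inventory and allowed-path tables would be maintained as the documented segmentation design that the observed traffic is continuously checked against.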
Collaboration not isolation
For the first time in modern warfare, we are in the position where industry, rather than government, is on the front line. With a large amount of critical national infrastructure being governed by the private sector, the onus is placed on it to keep the country’s industry running should an attack take place. Whilst there must be collaboration with government to transform today’s disjointed and dense attack surface into a transparent architecture that enables defenders to reliably identify threats, the focus has shifted from reliability to resilience: the ability to continue running in the face of attack.
To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website.