Critical national infrastructures are the vital systems and assets pertaining to a nation’s security, economy and welfare. They provide light for our homes; the water in our taps; a means of transportation to and from work; and the communication systems to power our modern lives. The loss or incapacity of such necessary assets upon which our daily lives depend would have a truly debilitating impact on a nation’s health and wealth. One might assume then that the security of such assets, whether virtual or physical, would be a key consideration. Or to put that another way, failing to address security vulnerabilities of such important systems would surely be an inconceivable idea.
However, the worrying truth is that the security measures of many of our nation’s critical systems are not, in the large, what they should be. Perhaps this shouldn’t be a surprise. The rapid progression of technology has enabled critical systems to become increasingly connected and intelligent, but with little experience of the problems this connectivity could create, few thought about the systems’ security.
Although this new found connectivity has helped industries to realise great productivity and efficiency benefits, the attack on Ukraine’s power grid in 2015 opened the eyes of many in charge of such industries. After nationwide power-outages struck, it has now become clear that if security is not prioritised, the worst-case scenario could wreak havoc across our nations. Prevention is a must; a short-term fix will only delay the inevitable…
Critical infrastructures: an imminent attack
Not a case of if. But when.
It has been two years since news of Ukraine’s power grid cyberattack made headlines across the globe. And once again, critical infrastructure security has been propelled into the spotlight following a number of recent reports suggesting that a devastating attack is imminent.
The UK’s National Cyber Security Centre (NCSC) revealed in its first annual review that it received 1,131 incident reports, with 590 of these classed as ‘significant’. This included the WannaCry ransomware that took down the NHS. While none of these were identified as category one incidents, i.e. interfering with democratic systems or crippling critical infrastructures such as power, the head of the NCSC, Ciaran Martin, warned there could be damaging attacks in the not too distant future.
Furthermore, US-CERT recently issued an alert warning critical national infrastructure firms, including nuclear, energy and water providers, that they are now at an increased risk of ‘highly targeted’ attacks by the Dragonfly APT group. This follows a report by security researchers Symantec, who recently found that during a two-year period the group has been increasing its attempts to compromise energy industry infrastructure, most notably in the UK, Turkey and Switzerland.
Although no damage has yet been done, the group has been trying to determine how power supply systems work and what could be compromised and controlled as a result. If we know the group now has the potential ability to sabotage or gain control of these systems should it decide to do so, this should increase the urgency around the preventative measures needed to defend against a future attack.It is therefore hardly surprising that to combat the rise of such threats, the first piece of EU-wide cybersecurity legislation has been developed to boost the overall level of cybersecurity in the EU. This is called the NIS Directive.
Addressing security from the outset
The potential consequences are disturbing, so infrastructure owners need to consider working in closer collaboration with security experts to ensure the lights remain on. While most in the security industry recognise that there is no silver bullet to ensure total security, we recommend all of those in charge of critical infrastructures ensure they have enough barriers in place to safeguard industrial and critical assets. Proactive regimes that balance defensive and offensive countermeasures, as well as include regular retraining and security techniques such as penetration testing and “red teaming”, are vital to keep defences sharpened.
One of the greatest lessons that should be heeded is that the issue of security must be addressed from the outset of infrastructure development and deployment. It has become abundantly clear that cyberattacks against critical infrastructures are only going to increase in the coming months and years. Those in charge of securing such environments must deploy a new preventative mindset, ensuring strong barriers are in place to avert the hijacking of any critical infrastructures before there is a need to clean up its devastating result.
About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.
Source: infosec island