Around the world the critical infrastructure that supports and sustains modern societies is coming under attack, whether from nation-states or non-state-affiliated actors such as criminals or terrorists.
These attacks are able to undermine critical infrastructure not only by damaging equipment but also by interrupting operations which, in turn, can cost organisations millions of pounds to resolve.
Yet, despite the level of threat, many organisations are still failing to address or even understand the risks that they could be facing.
Facilities, systems, sites, information, people, networks and processes are all deemed essential in maintaining a functional and operational society.
According to the European Union, “The power grid, the transport network and information and communication systems are among the so-called ‘critical infrastructures’, which are essential to maintain vital societal functions. Without reliable supplies of energy or predictable transportation, our current way of life would not be possible.”
So just how vulnerable is our infrastructure to cyber-attack? Today, physical attacks, such as bombing campaigns, have given way to cyber-attacks - they’re far cheaper to organise and much harder to counter and can have a significant impact on the availability, integrity and delivery of essential services.
The scale of attacks is astonishing. According to recent reports from Carbon Black, 88 per cent of UK companies have suffered breaches in security in the past twelve months, and one small business in the UK is hacked every 19 seconds!
The threat to state actors is equally challenging and certainly growing and, according to the International Criminal Police Organisation, “The overlapping of the digital and physical world – while it has allowed us to monitor and even control infrastructure from anywhere in the world is now increasingly vulnerable to threats.”
Greater connectivity means that modern infrastructures tend to rely on internet-based technology to function – in the past these types of networks were set up and operated independently and separately.
Today’s systems are responsible for controlling and supervising services, and they collect and send information related to that controlled infrastructure; however, that leaves them extremely vulnerable to cyber-attacks.
Earlier this year a computer hacker gained access to the water system of a city in Florida, looking to pump a ‘dangerous’ amount of a chemical into the city’s water treatment system.
This wasn’t an isolated case. It’s happened in the US before and in 2020 there were multiple, if unsuccessful, attacks on the Israeli water supply.
Around the world water, electricity, nuclear plants and transport are being probed for any sign of weakness with hackers looking to exploit out-of-date and vulnerable IT systems.
Our internet-based, interdependent and interrelated infrastructure is more vulnerable to cyber disruptions, and attacks are able to cause widespread disruption because of ‘cascading effects’.
According to Interpol, “One attack on a single point of failure could lead to the disruption or destruction of multiple vital systems in the country directly affected, and lead to a ripple effect worldwide.”
Attackers are varied and include criminal groups, hackers, employees, and foreign nations that are engaged in espionage and information warfare, as well as terrorists. As a result, their ability to act and the motives that drive them will vary. The Florida water system attack is being attributed to a disgruntled employee, for example.
To counter these types of attacks and to secure national infrastructure, organisations will need to be able to identify vulnerabilities and prepare for incidents, and that requires an ability to not only identify possible impending attacks but to determine when and if disparate elements are under attack.
Protecting critical infrastructure
“Critical infrastructure protection requires a multi-faceted approach that secures both the physical and virtual infrastructure systems,” said Paul Dant, Vice President, Security Product Management at Digital.ai, which helps organisations through a combination of agile planning, application security, software delivery and the use of artificial intelligence to deliver digital products and services.
“I’ve been involved with security over many years covering reverse engineering and how hackers are able to tamper with software and bring it under their control. These issues go back many years but are certainly relevant to the challenges that critical infrastructure is facing today.
“I’m what you’d call a poacher turned game-keeper. I started out developing games and over time saw the vulnerabilities in the software and wanted to better understand the issue of security and how companies were looking to address it.
“Software is vulnerable and over time I’ve led a number of security assessments looking at nuclear power plants, hospitals, even film sets.”
These types of assessments are essential if the threats facing critical infrastructure are to be understood and organisations better able to take the necessary steps to improve the cyber-security of their operations.
“At Digital.ai I work on application security products which form part of a much broader Value Stream Management platform which looks to help companies build digital products in the ‘right way’.”
According to Dant, with so much more digitalisation across industries, Digital.ai’s platform helps organisations to better understand the intricacies and complexities associated with developing secure platforms that connect users with critical infrastructures.
“If it’s not done correctly it can lead to serious breaches or the compromising of systems,” he warned.
The pace of digitalisation is also causing problems and while many companies have turned to technology, due in no small part to the impact of COVID-19, many have not really been prepared when it comes to delivering secure platforms.
“Organisations need to be aware that cyber-attacks are not only growing but are constantly evolving and changing; the activities of hackers are now being automated as they target critical infrastructure. Malware attacks are typically automated and social engineering remains a valuable tool for getting malware in the front-door of an organisation.”
Turning specifically to critical infrastructure, Dant said that while there are a few things that make it unique there are of course common issues and vulnerabilities – “we are simply talking about computers and networks at the end of the day.”
The big difference with infrastructure is that in many cases it is built around sensors and other critical components that can be “really old”.
“Both physically, but also in the way that these systems have been created, developed and deployed,” Dant said.
“There are a lot of vulnerabilities in these systems. There are critical components that are hard to take out of service to upgrade them or to add newer, more secure, components. And because of the demand for digitalisation there’s a growing need for remote connectivity which in turn provides a channel for hackers to access – all forms of remote connectivity are a security risk.”
According to Dant if we are to tackle these kinds of threats – and he pointed to the recent Florida water system attack – then threat modelling needs to be taken more seriously.
“It tends to get lost in complex terminology. At the end of the day all it is, is a tool to better understand where the risks are, how they should be tackled and which ones should take priority.
“Effective modelling will identify threats and better understand the impact of these attacks. It’s a scary topic for organisations, but a critical one.”
It’s not just the terminology that is putting organisations off but the cost and not really knowing what to do, Dant suggested.
However, Dant pointed to US grid disruptions caused by frigid temperatures earlier this year, in which millions of people in Texas lost power, to underscore the crippling effect of any disruption to the electric grid.
“While that wasn’t a cyber-attack there was a threat risk and the application of proper threat management could have identified that threat and allowed for better planning, with a very different set of outcomes.”
News has recently emerged from Japan that the Chinese military is suspected of ordering hackers to attack hundreds of targets in Japan, including the country's space agency and defence-related firms.
According to police, a Chinese man who had leased several servers in Japan used them for the attack and the servers' ID and other credentials had been passed to a Chinese hacker group, known as “Tick”, a private hacker group that’s thought to work under the instructions of China's national security authorities.
“All types of services and organisations are under threat,” warned Dant. “I’ve spent years evaluating systems but it’s not just hacking that’s a threat. People make mistakes which obviates any security that might have been put in place.”
Both physical security and the human component need to be considered, according to Dant.
“I conducted an assessment on a nuclear facility and while the system was secure the facility certainly wasn’t – there was a hole in the perimeter fence. There needs to be a holistic approach when it comes to security, otherwise you will leave your critical systems vulnerable.”
Artificial intelligence is seen as having an important role in learning from attacks and then preparing for future ones.
“While it has a role, I’m not entirely sold on AI and ML in terms of protecting systems. It could help in the better understanding of attacks and informed though it is, it’s still very much a guessing game,” said Dant. “Attacks can look legitimate so we won’t be alerted every time, and while AI could be used to solve problems I do think we need to get back to basics i.e. what are the possible threats, what do I have of value and how could it be compromised, what impact would a security breach have – you don’t need complex AI algorithms to understand that.”
For Dant the benefits of digitalisation need to be balanced with security and, when it comes to developing systems, the issue should not be about patches or firewalls but addressing design vulnerabilities in the first place.
In the US, the Biden administration recently launched an emergency taskforce comprising multiple agencies to address an aggressive cyber-attack that had affected hundreds of thousands of Microsoft customers around the world. It came on the heels of SolarWinds, a separate series of sophisticated attacks, which both the UK and US governments have attributed to Russia, that breached about 100 US companies and nine federal agencies.
However, despite the obvious threats posed, President Biden's $2.25 trillion infrastructure plan does not include any funds to protect critical infrastructure against cyber-attacks, even as that threat grows.
In the UK, the new chief executive of the NCSC, Lindy Cameron, recently suggested that basic cyber hygiene is as important a life skill as knowing how to wire a plug - and that digital literacy is as non-negotiable in boardrooms as financial literacy.
Cameron said, “Cyber security is still not taken as seriously as it should be, and simply is not embedded in UK boardrooms,” and went on to cite examples like recent ransomware cases and the SolarWinds and Microsoft Exchange compromises as showing the real danger the UK faces.
At the end of the day critical infrastructure needs to be made as hard a target as possible for those that might seek to disrupt it and the data generated and processed needs to be properly protected, she warned.
Whether government and business will address this, however, remains to be seen.