November 6 2023
There are almost no aspects of our modern lives that are not supported by some form of critical infrastructure. The nature of critical infrastructure itself has changed much in recent memory. Whereas in the past we may have thought in isolation of communications, energy, water, food supply and government services as critical infrastructure, all these services are now dependent on Internet connectivity and on the cybersecurity that goes with it. Indeed, there is hardly an organisation that does not, somehow, rely upon digital infrastructure.
In this article we’ll discuss the complexities of safeguarding critical infrastructure cybersecurity, covering a wide array of threats and protective measures. We’ll cover cyber threats such as ransomware, social engineering, IoT vulnerabilities, supply chain attacks, APTs, and DDoS attacks.
We’ll stress the importance of a layered defence strategy, emphasizing risk assessment, network segmentation, strong access controls, regular software updates, intrusion detection, vulnerability management, security information management, incident response planning, data encryption, employee training, backup, and secure supply chain management.
Additionally, we’ll also highlight the significance of continuous monitoring, collaboration, and information sharing among organizations. This article underscores the need for comprehensive cybersecurity technologies, including cloud security, endpoint detection, real-time threat intelligence and automation, to effectively counter cyber threats.
In summary, we present a holistic view of critical infrastructure cybersecurity, emphasizing the multifaceted approach required to mitigate evolving cyber risks.
The Importance of Safeguarding Critical Infrastructure
In our connected society new actors have emerged with their own agendas. These vary from the simply mischievous, to sophisticated nation-states who have vast resources with which to undermine and influence according to their own objectives.
Digital systems now underpin every aspect of our society at large, our economy, and our lives as individuals. Correspondingly, the ways in which cyber threats to critical infrastructure continue to evolve means that we must remain proactive and vigilant and protect our digital infrastructure from threats now and in the future.
Understanding Cyber Threats to Critical Infrastructure
The ways in which critical infrastructure is threatened depends on the objectives of the attacker. It’s worth noting too that these are not necessarily distinct threats. Combinations of the issues below can be used to carry out a cyberattack on critical infrastructure, and creating an exhaustive list of all possible combinations really isn’t possible. Here are some examples.
- Cyberattacks or Hacking. Broadly, this category includes malware infections, unauthorised access attempts and the exploitation of software or implementation flaws. These attacks usually come in two parts: first the location of a vulnerability (in infrastructure, web applications, people, third-party suppliers and so on), and then its exploitation. Improving the cyber security of critical infrastructure starts with locating these vulnerabilities before an attacker does.
- Ransomware. In these extortion attacks, malicious software is deployed on the victim’s network, data is encrypted, and payment is demanded for the decryption key. Increasingly the data is also exfiltrated first and its publication threatened, so a good backup alone does not neutralise the attack. Here the objective is clear: financial gain. Some ransomware groups are also thought to have links with state security services.
- Social Engineering. Tricking people into clicking on links in emails, WhatsApp, SMS or other media is a well-practised way of gaining access to systems or data. Usually, malware is downloaded, or usernames and passwords are collected from the victim from a fake phishing site, allowing the attacker to gain access and look for more ways to secure a foothold in the target infrastructure.
- IoT Vulnerabilities: The proliferation of Internet of Things (IoT) devices in critical infrastructure introduces new attack vectors. For example, IoT devices may be placed in physically insecure locations where they can be tampered with. They might also be overlooked and become vulnerable due to lack of security updates. Security may not even have been a key design consideration. Vulnerabilities in these devices can be exploited to gain access to critical systems.
- Supply Chain Attacks: The growing and interconnected nature of commercial companies and critical infrastructure has opened previously unseen doors for malicious activity. Attackers may target third-party vendors and suppliers that have connections to critical infrastructure organisations. A variation on this is vulnerable third-party software in use at multiple critical infrastructure organisations, giving an attacker a simultaneous pathway into all of them. The SolarWinds compromise is a good example of this.
- Advanced Persistent Threats (APTs). This is the name given to undetected and long-term cyber-attacks typically orchestrated by nation-states or well-funded groups. They may target critical infrastructure to gain access to valuable data or disrupt operations over an extended period. To achieve this kind of foothold, a variety of techniques will be used, such as the ones listed above.
- Distributed Denial of Service (DDoS) Attacks: DDoS attacks are another type of attack designed to overwhelm critical infrastructure targets with excessive or malformed traffic, rendering it inoperable. This kind of attack is used by extortionists, activists and nation states. Incidentally, DDoS services can be hired on the dark web, whilst legitimate critical infrastructure cybersecurity companies have been offering anti-DDoS services for some time.
Global events continue to shape the threats and threat actors relating to critical infrastructure security. The UK National Cyber Security Centre (NCSC) details in its 2022 report how the UK faces malign cyber capabilities from Russia, China, Iran and North Korea. All of those nations regard cyberspace as a place to pursue their own political, socio-economic and strategic objectives.
China is estimated to run a hacking programme larger than those of every other major nation combined. In one example, China was closely linked to the compromise of around 500 UK Microsoft Exchange servers through a zero-day vulnerability; over 5,000 servers were compromised globally.
The growth of cybersecurity threats has resulted in a range of compliance and security standards emerging. These include PCI DSS (which applies only to organisations handling payment card data), the IASME IoT Cyber Scheme (which aligns with existing standards and is designed for IoT devices), and the UK Government’s Cyber Essentials scheme, a baseline designed to raise the bar for all types of organisation. There are of course many other industry-specific regulatory frameworks. All of them are intended to compel organisations to take security seriously and to ensure that they do not expose themselves to unnecessary cyber risk.
It is a sobering fact that only a few years ago, many organisations would not regard themselves as a target for nation-state attention. However, the fact is now that hostile nations will target not just critical national infrastructure and Government services, but commercial organisations too. Improving critical infrastructure cybersecurity requires improving cybersecurity for all.
Strategies for Safeguarding Critical Infrastructure
Guiding Principle: Defence in Depth
Each of the following categories should be seen as a small part of a bigger picture. Whatever security standard one looks at, one finds references to some or all of the themes below. Essentially, no single area can make an organisation inherently secure, but together they form a deeper strategy which is more likely to provide a robust defence against cyber threats to critical infrastructure.
This is worth keeping in mind when forming a security strategy for any organisation, and also when validating the claims of security product or service vendors, who can sometimes overstate the scope and effectiveness of their products.
Also remember that compliance with regulatory frameworks like PCI DSS, ISO/IEC 27001, SOX and so on require a demonstrable implementation of security policy – not just a tick-box approach. Implementing robust security is genuinely challenging and requires commitment from the top of the organisation.
Risk Assessment and Management
Risk assessment and management are pivotal components in safeguarding critical infrastructure. They provide a structured approach to identifying, evaluating, and mitigating potential threats and vulnerabilities that could compromise the integrity, availability, and confidentiality of critical systems and assets.
The process begins with a comprehensive risk assessment, which involves identifying critical assets, evaluating potential risks, and estimating the impact of various threats. This assessment considers a wide range of factors, including cybersecurity threats, physical security risks, environmental hazards, and operational vulnerabilities.
Once risks are identified and assessed, risk management strategies are developed. These strategies prioritize risks based on their severity and likelihood, allowing organizations to allocate resources effectively. Risk mitigation measures may include implementing strong access controls, enhancing physical security, encrypting sensitive data, and establishing incident response plans.
Continuous risk monitoring and periodic reassessment are crucial as the threat landscape evolves. Risk management is an ongoing process that adapts to new vulnerabilities and threats, ensuring that critical infrastructure remains resilient in the face of emerging challenges. Ultimately, effective risk assessment and management are fundamental in protecting the foundation of modern society and national security.
Network Segmentation
Network segmentation is a fundamental cybersecurity strategy for safeguarding critical infrastructure. It involves dividing a network into distinct, isolated segments or zones, each with specific access controls and security measures. This approach is crucial for limiting the lateral movement of cyber threats, preventing the spread of attacks, and protecting critical systems and assets.
By segmenting the network, organizations can ensure that only authorized personnel and devices have access to sensitive resources. Critical infrastructure components, such as control systems or data repositories, can be placed in highly restricted segments with stringent access controls.
In the event of a security breach, network segmentation contains the impact, making it more challenging for attackers to move laterally and compromise additional systems. It has been likened to the compartmentalisation of a ship to prevent flooding in case of a breach.
Network segmentation enhances overall security, improves insight into network traffic, and simplifies monitoring and incident response efforts. It’s a crucial defence mechanism for safeguarding critical infrastructure against cyber threats and ensuring the continuous and reliable operation of essential systems.
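The ship-compartment analogy above becomes concrete once the zones and the permitted flows between them are written down as a default-deny policy and observed traffic is checked against it. The following is an added example and not code from the original article: the zone ranges, the allowed flows and the sample flow records are all constructed for illustration, and the port numbers (443 for the web tier, 5432 for the historian database, 502 for Modbus/TCP polling of controllers) are assumptions about a hypothetical plant network.

```python
"""Check observed flows against a zone-based segmentation policy.
Added example; the zones, allowed flows and sample traffic are constructed
and do not describe any real network."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones as CIDR ranges (constructed).
ZONES = {
    "corporate":  ["10.10.0.0/16"],
    "dmz":        ["10.20.0.0/24"],
    "historian":  ["192.168.101.0/24"],
    "ot_control": ["192.168.100.0/24"],
}

# Permitted inter-zone flows as (source zone, destination zone, destination port).
# Anything not listed is denied: default deny between zones.
ALLOWED = {
    ("corporate", "dmz", 443),          # users reach the web tier only
    ("dmz", "historian", 5432),         # web tier reads the process historian
    ("historian", "ot_control", 502),   # only the historian polls PLCs over Modbus/TCP
}

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone containing `ip`, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, cidrs in ZONES.items():
        if any(addr in ip_network(c) for c in cidrs):
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow."""
    src, dst, dport = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "endpoint outside every defined zone"
    if sz == dz:
        return "allow", f"intra-zone traffic within {sz}"
    if (sz, dz, dport) in ALLOWED:
        return "allow", f"{sz} -> {dz}:{dport} permitted by policy"
    return "deny", f"{sz} -> {dz}:{dport} not permitted: possible lateral movement"


def violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Flows the policy would deny, with the reason, in input order."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


# Constructed sample of flows, as might be exported from firewall or NetFlow logs.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.5.7", "10.20.0.10", 443),          # corporate -> dmz web: allowed
    ("10.20.0.10", "192.168.101.3", 5432),     # dmz -> historian: allowed
    ("192.168.101.3", "192.168.100.12", 502),  # historian -> PLC: allowed
    ("10.10.5.7", "10.10.9.9", 445),           # intra-zone file share: allowed
    ("10.10.5.7", "192.168.100.12", 502),      # corporate host talking straight to a PLC
    ("203.0.113.5", "192.168.100.12", 502),    # external address reaching a PLC
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow[0]} -> {flow[1]}:{flow[2]}  ({reason})")
```

Run against real flow exports, the denied list is exactly the set of paths an attacker could use to move from the corporate network into control systems; each entry is either a firewall rule that is missing or a documented exception that should be recorded in the policy.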
Strong Access Controls and Authentication
Strong access controls and authentication mechanisms are vital components in safeguarding critical infrastructure. These security measures help ensure that only authorized personnel can access critical systems, networks, and data, thereby reducing the risk of unauthorized intrusion and compromise.
Access controls involve the use of policies, procedures, and technologies to define and manage user permissions. Role-based access control (RBAC) and the principle of least privilege (PoLP) are commonly used strategies. RBAC assigns permissions based on job roles, while PoLP restricts user access to only what is necessary for their specific tasks.
Authentication methods, particularly multi-factor authentication (MFA), add an extra layer of security by requiring users to present two or more independent factors before gaining access: something the user knows (e.g., a password), something they have (e.g., a smart card or authenticator app), and something they are (e.g., a fingerprint or Face ID). Two mechanisms of the same type, such as a password and a PIN, do not count as multi-factor.
Implementing strong access controls and authentication not only prevents unauthorized access but also helps in auditing and monitoring user activities. For critical infrastructure, where the stakes are high, these measures are essential for maintaining the integrity, confidentiality, and availability of vital systems and resources.
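RBAC and least privilege are easy to state and hard to keep true over time, because roles accumulate permissions that nobody uses any more. The example below is added here and is not code from the original article: it implements deny-by-default role checks and then audits the grants against an access log to surface permissions that were granted but never exercised. The roles, users, permission names and log entries are all constructed.

```python
"""Role-based access control with deny-by-default, plus a least-privilege
audit comparing granted permissions against observed use.
Added example; roles, users, permission names and the access log are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed role definitions: role -> permissions it grants.
ROLES: Dict[str, Set[str]] = {
    "operator": {"hmi:view", "hmi:acknowledge_alarm"},
    "engineer": {"hmi:view", "plc:read_config", "plc:write_config"},
    "auditor":  {"hmi:view", "logs:read"},
    "admin":    {"hmi:view", "plc:read_config", "plc:write_config",
                 "logs:read", "users:manage"},
}

# Constructed user -> roles mapping.
USERS: Dict[str, Set[str]] = {
    "opr.lee":    {"operator"},
    "eng.patel":  {"engineer"},
    "aud.chen":   {"auditor"},
    "svc.backup": {"admin"},   # service account given admin "for convenience"
}


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds; empty for unknown users."""
    granted: Set[str] = set()
    for role in USERS.get(user, set()):
        granted |= ROLES.get(role, set())
    return granted


def is_allowed(user: str, permission: str) -> bool:
    """Deny by default: unknown users, roles and permissions are all refused."""
    return permission in permissions_for(user)


# Constructed access log: (user, permission) pairs actually exercised in a review period.
ACCESS_LOG: List[Tuple[str, str]] = [
    ("opr.lee", "hmi:view"), ("opr.lee", "hmi:acknowledge_alarm"),
    ("eng.patel", "hmi:view"), ("eng.patel", "plc:read_config"),
    ("aud.chen", "logs:read"),
    ("svc.backup", "logs:read"),
]


def least_privilege_audit(log: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Permissions granted to each user but never used in the log.

    These are candidates for removal, not automatic removals: a rarely used
    break-glass permission may be legitimate and needs a human decision."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for user, perm in log:
        used[user].add(perm)
    unused = {}
    for user in USERS:
        spare = permissions_for(user) - used[user]
        if spare:
            unused[user] = sorted(spare)
    return unused


if __name__ == "__main__":
    for user, perms in least_privilege_audit(ACCESS_LOG).items():
        print(f"{user}: granted but unused -> {', '.join(perms)}")
```

The audit output is where least privilege is actually enforced: the service account holding four unused admin permissions is the finding a reviewer acts on, and the same comparison, run periodically, is the evidence that a compliance auditor asks for.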
Regular Software Patching and Updates
If you ask cyber security professionals about the root causes of data loss incidents, hacking, or any other cyber attack on critical infrastructure, they will most likely tell you that malicious actors exploited a flaw in outdated, unpatched software.
Such flaws can be located by automated scanning tools, and this is often the same technique attackers use to find exploitable vulnerabilities. Alternatively, phishing is used to deliver malware that exploits vulnerable software inside the organisation’s network.
Once inside a vulnerable system, attackers can execute various malicious activities, including data theft, ransomware attacks, and setting up backdoors for persistent access. Continuous vigilance, regular patching, and robust cybersecurity practices are essential to prevent malicious actors from locating and exploiting flaws in unpatched systems. Where operational systems cannot be patched promptly because of availability or vendor-certification constraints, compensating controls such as network segmentation and restricted access must carry the load until a maintenance window allows the update.
Intrusion Detection and Prevention Systems (IDS/IPS)
IDS or IPS systems can monitor network and application activity and report or act on anomalous behaviour. Action might include raising an alarm on a management dashboard, or even actively blocking traffic from or quarantining the suspected attacker.
As with many powerful network security tools, IDS/IPS can be mistaken for a “silver bullet” for preventing attacks. Modern systems are indeed very capable, but they must be correctly configured, deployed at the right points in the network and tuned. First-generation systems relied mostly on signature matching against known attack traffic; current products add anomaly-based and machine-learning models that flag behaviour for which no signature exists, which can include the exploitation of previously unknown (“zero-day”) vulnerabilities. The trade-off is false positives: anomaly detection needs a good baseline of normal traffic and ongoing tuning.
An inline IPS can block a suspected attack almost instantaneously, and many vendors share detection telemetry with their other customers in near real time. Automatic blocking should be applied cautiously in operational environments, where a false positive that drops legitimate control traffic can itself cause an outage; monitoring-only deployment on a network tap is the usual starting point for control networks.
Total reliance on such systems is certainly tempting, but as with all good security practice, defence in depth is the best strategy. Critical infrastructure cybersecurity companies may well offer their products as powerful tools to defeat cyber-attacks, but no product is infallible. Network segmentation is also a powerful tool in limiting an attacker’s progress through the network, as are all the recommendations in this article.
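The difference between signature-based and anomaly-based detection described above is easiest to see side by side on the same traffic. The block below is an added example rather than code from the article or from any IDS product: it runs a small set of constructed payload signatures and a simple fan-out anomaly detector over constructed connection records, and shows that each method catches something the other misses. The signatures, the traffic and the z-score threshold are all illustrative.

```python
"""Signature versus anomaly detection over constructed connection records.
Added example; the signatures, traffic and threshold are illustrative and
are not taken from any real IDS product or network."""
import re
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, payload excerpt)

# Twenty ordinary web requests from twenty corporate hosts (constructed) ...
BENIGN: List[Record] = [
    (f"10.10.5.{i}", "10.20.0.10", 443, f"GET /page/{i}") for i in range(1, 21)
]
# ... one of which carries a classic SQL injection payload.
BENIGN[8] = ("10.10.5.9", "10.20.0.10", 443, "GET /search?q=' OR '1'='1")
# One host sweeping forty addresses on SSH: no malicious payload, just unusual fan-out.
SWEEP: List[Record] = [
    ("10.10.5.200", f"10.20.0.{n}", 22, "SSH-2.0-OpenSSH") for n in range(1, 41)
]
RECORDS: List[Record] = BENIGN + SWEEP

# Signature rules: known-bad patterns in payloads (constructed).
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "shell_metachar": re.compile(r";\s*(cat|wget|curl)\s"),
}


def signature_alerts(records: List[Record]) -> List[Tuple[str, Record]]:
    """(rule name, record) for every payload matching a known signature.
    Precise and explainable, but blind to anything without a signature."""
    return [(name, rec)
            for rec in records
            for name, rx in SIGNATURES.items()
            if rx.search(rec[3])]


def anomaly_alerts(records: List[Record], zscore_threshold: float = 3.0) -> List[Tuple[str, int]]:
    """Sources whose distinct-destination count sits far above the population baseline.

    Catches behaviour no signature describes, such as a scan, but needs enough
    ordinary traffic to form a baseline and will misfire if the baseline is poor."""
    fanout: Dict[str, Set[str]] = {}
    for src, dst, _, _ in records:
        fanout.setdefault(src, set()).add(dst)
    counts = {src: len(dsts) for src, dsts in fanout.items()}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:  # every source looks the same: nothing stands out
        return []
    return [(src, n) for src, n in counts.items() if (n - mu) / sigma > zscore_threshold]


if __name__ == "__main__":
    for rule, rec in signature_alerts(RECORDS):
        print(f"SIGNATURE {rule}: {rec[0]} -> {rec[1]}:{rec[2]} {rec[3]!r}")
    for src, n in anomaly_alerts(RECORDS):
        print(f"ANOMALY fan-out: {src} contacted {n} distinct hosts")
```

The signature pass finds the injection attempt and says nothing about the sweep; the anomaly pass finds the sweep and says nothing about the injection. Run on the benign traffic alone, the anomaly detector returns nothing, which is the behaviour you want but also the reason it needs a representative baseline before it is trusted to block.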
Vulnerability Management
All organisations should assume that they harbour some kind of vulnerability within their critical infrastructure. The question is what to do about it. There are two main ways to help in identifying and managing vulnerabilities. Firstly, there’s penetration testing, a process carried out by specialists who locate and exploit vulnerabilities, using the same techniques an attacker would, to show how the organisation’s critical infrastructure might be breached.
Then there’s vulnerability scanning. This differs from penetration testing in that the process is much more tool driven. This level of automation means that large numbers of systems can be scanned and evaluated for vulnerabilities. This can provide a useful view of how many vulnerable systems are out there – a very useful source of information for risk management discussions at the senior stakeholder level.
Vulnerability management also helps in identifying vulnerabilities in an organisation’s own software (for example, web applications) as well as 3rd party software packages. It may also spot configuration weaknesses in cryptographic systems, weak access controls, or even the presence of malicious software.
Of course, the real value in vulnerability management is that it could improve the cyber security of critical infrastructure by limiting the opportunities for an attacker in the first place – if the vulnerabilities identified are mitigated promptly.
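Scanners report severity, but they cannot know which asset is reachable from the Internet, which has a public exploit, or which one keeps a pumping station running; prioritising promptly, as the paragraph above requires, means adding that context. The following is an added example, not code from the article or from any scanner: it scores constructed findings with constructed weights and SLA bands. The scoring factors and thresholds are assumptions to illustrate the approach and should be replaced with an organisation’s own risk appetite.

```python
"""Prioritise scanner findings by context the scanner cannot see.
Added example; the findings, weights and SLA bands are constructed and
do not come from any real scanner, vendor or standard."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float             # base score as reported by the scanner (0.0-10.0)
    internet_facing: bool   # reachable from outside the organisation
    exploit_public: bool    # working exploit code is publicly available
    asset_criticality: int  # 1 = low, 2 = business, 3 = safety/availability critical


# Constructed findings for a handful of hypothetical assets.
FINDINGS: List[Finding] = [
    Finding("dmz-web-01", "Outdated TLS library", 7.5, True, True, 2),
    Finding("eng-ws-04", "Unpatched RCE in remote access tool", 9.8, True, True, 3),
    Finding("corp-print-02", "Default SNMP community string", 5.3, False, False, 1),
    Finding("hist-01", "Unauthenticated Modbus gateway service", 9.8, False, True, 3),
    Finding("corp-fs-01", "SMB signing not required", 6.0, False, True, 2),
]

CRITICALITY_WEIGHT = {1: 0.7, 2: 1.0, 3: 1.3}


def risk_score(f: Finding) -> float:
    """CVSS scaled by exposure, exploit availability and what the asset does."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return score * CRITICALITY_WEIGHT[f.asset_criticality]


def sla_days(score: float) -> int:
    """Remediation deadline band for a given score (constructed bands)."""
    if score >= 20:
        return 2
    if score >= 12:
        return 14
    if score >= 6:
        return 30
    return 90


def remediation_queue(findings: List[Finding]) -> List[Tuple[str, str, float, int]]:
    """(asset, title, score, sla_days) sorted highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f)
        rows.append((f.asset, f.title, s, sla_days(s)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, title, score, days in remediation_queue(FINDINGS):
        print(f"{score:5.1f}  fix within {days:>2}d  {asset}: {title}")
```

Note how the two findings with identical CVSS 9.8 scores end up in different SLA bands: the Internet-facing engineering workstation goes to the top of the queue, while the internal historian, serious as it is, is shielded by segmentation and gets a longer window. That ordering, not the raw count of “criticals”, is what the senior stakeholder conversation should be about.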
Security Information and Event Management (SIEM)
So far, we’ve talked about a range of critical infrastructure protection and cyber security controls. But how does a mature organisation tie all this together? If we’re monitoring security events from around the infrastructure, then we need some way of correlating and coordinating them so a bigger picture can emerge.
For this there are SIEM solutions. Typically, these solutions enable centralised event correlation and the detection of threats that would otherwise go unnoticed. Many organisations also use SIEM to address compliance requirements: these solutions are a powerful way to create audit trails and to validate access controls, which is a key component of many compliance standards.
The marketplace for SIEM solutions continues to develop rapidly and there is increasing convergence of traditional SIEM solutions with emerging capabilities such as Security Orchestration Automation and Response (SOAR), User and Entity Behaviour Analytics (UEBA), and Advanced Threat Intelligence. These integrated features enhance SIEM’s ability to detect and respond to security threats more effectively.
All this suggests that running a SIEM can provide huge advantages when improving critical infrastructure cyber security, but such systems require specialist skills and Board-level commitment and investment. Also, SIEM solutions are dependent on accurate and relevant tuning to avoid “alert overload”, and of course the quality of the data they ingest.
These are complex, but very powerful systems.
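What correlation buys you is the ability to turn three individually unremarkable events from two different sources into one high-confidence alert. The block below is an added example and not code from the article or from any SIEM product: it normalises constructed log lines from a hypothetical VPN gateway and domain controller into one schema, then chains a burst of failed logins, a subsequent success from the same address, and a privileged group change for that account into a single alert. The log format, field names, thresholds and time windows are all constructed.

```python
"""Cross-source correlation of the kind a SIEM performs.
Added example; the log lines, field names and rule thresholds are constructed
and are not from any real product or incident."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed lines from two sources (a VPN gateway and a domain controller).
# Format: ISO timestamp, source, action, key=value fields.
LOGS = """\
2023-11-06T08:00:01 vpn auth_fail user=jsmith src=203.0.113.45
2023-11-06T08:00:09 vpn auth_fail user=jsmith src=203.0.113.45
2023-11-06T08:00:17 vpn auth_fail user=jsmith src=203.0.113.45
2023-11-06T08:00:25 vpn auth_fail user=jsmith src=203.0.113.45
2023-11-06T08:00:33 vpn auth_fail user=jsmith src=203.0.113.45
2023-11-06T08:01:10 vpn auth_ok user=jsmith src=203.0.113.45
2023-11-06T08:03:00 vpn auth_fail user=akhan src=198.51.100.7
2023-11-06T08:03:30 vpn auth_ok user=akhan src=198.51.100.7
2023-11-06T08:14:42 dc group_add user=jsmith group=Domain Admins by=jsmith
2023-11-06T09:30:00 dc group_add user=svc_backup group=Backup Operators by=admin.ops
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces


def parse(logs: str) -> List[Dict]:
    """Normalise both sources into a common event schema."""
    events = []
    for line in logs.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, source, action, rest = m.groups()
        event = {"ts": datetime.fromisoformat(ts), "source": source, "action": action}
        event.update(dict(KV.findall(rest)))
        events.append(event)
    return events


def correlate(events: List[Dict], fail_threshold: int = 5,
              fail_window: timedelta = timedelta(minutes=5),
              escalation_window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Chain three weak signals into one strong alert: N failed logins, then a
    success from the same (user, source), then a privileged group change for
    that account within the escalation window."""
    failures: Dict[tuple, List[datetime]] = {}   # (user, src) -> recent failure times
    suspect_logins: Dict[str, tuple] = {}        # user -> (success time, src)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e.get("user"), e.get("src"))
        if e["action"] == "auth_fail":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]
            recent.append(e["ts"])
            failures[key] = recent
        elif e["action"] == "auth_ok":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                suspect_logins[e["user"]] = (e["ts"], e["src"])
        elif e["action"] == "group_add":
            hit = suspect_logins.get(e["user"])
            if hit and e["ts"] - hit[0] <= escalation_window:
                alerts.append({"severity": "high", "user": e["user"], "src": hit[1],
                               "group": e["group"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(LOGS)):
        print(f"[{a['severity'].upper()}] {a['user']} from {a['src']} "
              f"added to '{a['group']}' at {a['ts']} after brute-force login")
```

On its own, each source would at best raise a low-priority “failed logins” or “group membership changed” ticket; the second user’s single failure and the routine service-account change are correctly ignored. The windows and the threshold are the tuning knobs the SIEM section warns about: set them too loosely and this rule becomes the alert overload it was meant to cut through.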
Incident Response Plan
When a cyber security incident occurs, it is too late to start thinking about what to do. As in many crisis-management situations, it is far more effective to be able to fall back on well-rehearsed drills than improvise in an unprepared fashion.
The key components of an incident response plan are:
- A single plan rather than one per scenario. Complexity will work against you in a real incident.
- Identification of key individuals. These are the people who must be informed about the incident, must handle it, and contribute to the resolution of it.
- A flow chart showing the process – again simplicity is key here. Reams of text will not be easy to understand in the heat of the moment.
- Escalation criteria. Not everyone needs to be involved at once, but it should be clear who needs to be involved as the incident develops.
All incident response plans should be reviewed and rehearsed regularly, in line with changing business and technical developments. Table-top or War-gaming exercises should be used to evaluate threat scenarios, and to test the plan.
The UK’s National Cyber Security Centre (NCSC) publishes a sample incident response plan that can be used as a starting point.
Data Encryption
Encryption remains a cornerstone of modern cyber security, although the concept itself dates to Roman times and the Caesar cipher, which obscures text by shifting each letter a fixed number of places along the alphabet. With only 25 usable shifts it can be broken simply by trying every key.
Modern systems are somewhat harder to crack – properly implemented cryptography can be used to protect data during transmission over a network, or at rest with a storage system. Furthermore, cryptography can be used not just to keep secrets, but also to verify the identity of web sites. Digital signatures can be used to determine if message content has been altered from the original.
The key here (pun intended) is that doing strong encryption properly is hard. Software developers can often take shortcuts when implementing cryptography in their products. This can result in common mistakes like:
- Using weak ciphers or keys. Outdated algorithms like DES, or short or guessable keys, invite an attacker to brute-force their way to confidential data or systems. AES with a key length of at least 128 bits should be considered the minimum for symmetric encryption, and it should be used in an authenticated mode (such as AES-GCM) so that tampering is detected as well as confidentiality preserved.
- Rolling Your Own Cryptography. As mentioned earlier, doing cryptography properly is hard, and the design of ciphers is a specialised field. Don’t be tempted into implementing your own system unless you have the time and expertise to do it properly (hint: most organisations have neither).
- Insecure key management. Managing keys properly is also hard, and there is a temptation to embed default or hard-coded keys within software products to simplify deployment. That is exactly the kind of thing malicious actors look for: a key extracted from one installation unlocks every installation that shares it.
Cryptography is used within every component of modern information systems and the secure implementation of it is vital to ensure the integrity, availability and confidentiality of data.
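Two of the mistakes listed above, weak keys and hard-coded keys, can be shown in a few lines. The block below is an added example and not code from the article: it implements the Caesar cipher mentioned earlier, breaks it by exhaustive search over its 26 shifts (scoring candidates against a small constructed list of common English words), contrasts that key space with the 2^128 keys of AES-128, and shows key generation from the operating system’s CSPRNG rather than a default embedded in the code. The plaintext, the word list and the key size are constructed for illustration.

```python
"""Why key size and key handling matter: the Caesar cipher has 25 usable
keys and falls to exhaustive search instantly; a 128-bit key has 2**128.
Added example; the plaintext and word list are constructed."""
import secrets
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift each letter `shift` places along the alphabet (negative to decrypt);
    non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


# Tiny constructed word list used to recognise a plausible decryption.
COMMON_WORDS = {"THE", "AND", "TO", "OF", "AT", "WILL", "IS"}


def break_caesar(ciphertext: str) -> Tuple[int, str]:
    """Exhaustive search: try all 26 shifts, return (shift, plaintext) with the
    most common-word hits. This is all a 26-key key space can resist."""
    best = None
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if best is None or score > best[0]:
            best = (score, shift, candidate)
    return best[1], best[2]


# Key-space comparison: what "weak key" means in numbers.
CAESAR_KEYS = 26
AES_128_KEYS = 2 ** 128


def new_symmetric_key(nbytes: int = 16) -> bytes:
    """A fresh random key from the OS CSPRNG. The anti-pattern is a module-level
    DEFAULT_KEY shipped in every copy of the product; a key that is not
    generated per deployment is effectively public."""
    return secrets.token_bytes(nbytes)


# Constructed plaintext for the demonstration.
PLAINTEXT = "THE PUMPING STATION WILL SWITCH TO BACKUP POWER AT MIDNIGHT"

if __name__ == "__main__":
    ct = caesar(PLAINTEXT, 7)
    shift, recovered = break_caesar(ct)
    print(f"ciphertext : {ct}")
    print(f"recovered  : shift={shift} {recovered}")
    print(f"key spaces : Caesar {CAESAR_KEYS} vs AES-128 {AES_128_KEYS}")
    print(f"fresh key  : {new_symmetric_key().hex()}")
```

The recovery loop runs 26 trial decryptions; against a 128-bit key the same loop would need on the order of 10^38, which is the entire argument for using vetted ciphers at modern key lengths. The `secrets` call is the one-line answer to the key-management bullet: generate keys at deployment time, store them outside the code, and never share one default across installations.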
Employee Training and Awareness
Improving critical infrastructure cybersecurity is not fully possible without addressing the human element. This is because end-users are often the target of phishing attacks which can be difficult to spot, particularly if the user is unaware in the first place. There are also other social-engineering attacks to consider too – from other platforms such as WhatsApp, phone calls, SMS messages or external connection requests from MS Teams. Attackers continue to develop and adapt.
It is not just phishing and social engineering awareness though. Knowledge of internal policies and procedures is essential too. Once a security culture has been established, employees should know not only how to behave and react to suspicious events, but also how they should behave in the daily course of their work.
The success of any security culture therefore hinges on the behaviour and actions of the people within the organisation.
It is often said that employees are the last line of defence. Actually, they are the first.
Backup and Disaster Recovery
Backup and Disaster Recovery (DR) are indispensable parts of the plan to improve critical infrastructure cybersecurity. Whilst prevention may be better than cure (for that, see the other sections in this article) any serious plan must make provision for an incident in which critical data or systems are affected by a Cyberattack.
Ransomware or data breaches can severely impact essential systems, disrupting services and compromising sensitive data. Backups ensure that these components are duplicated and stored securely, which may provide a lifeline for an organisation struggling with a serious incident. A backup that the attacker can reach, encrypt or delete from the compromised network is no backup at all: copies must be kept offline or immutable, and restores must be tested before they are needed.
Disaster Recovery is the other side of the discussion. It involves meticulous planning and testing on restoring backups, re-establishing network connections and applications, and setting up the infrastructure to do this. The point of a DR plan is to recover operations and get back up and running as soon as possible. Critical infrastructure often implies continuous operation – meaning that the DR plan is itself a critical component.
The UK NCSC, an organisation actively involved in critical infrastructure protection, has also issued some guidance entitled Principles for ransomware-resistant cloud backups which closely relates to this issue.
The reputational, legal and commercial implications of prolonged service disruptions are a concern to businesses of all sizes; a cyber attack on critical infrastructure, however, requires a carefully planned and tested DR response.
Secure Supply Chain Management
As we’ve already suggested, critical infrastructure relies on a myriad of interconnected technologies, often sourced from various vendors and suppliers. Secure Supply Chain Management ensures the integrity and trustworthiness of the components, software, and services integrated into these systems. A compromised element within this supply chain could serve as a gateway for cyber threats.
Key to implementing secure supply chain practices is the rigorous vetting of vendors, verifying the authenticity and security of the products and software they provide, and establishing clear contractual agreements that mandate ongoing adherence to security standards. There is as much emphasis on legal agreement here as there is on critical infrastructure cybersecurity itself. If a 3rd party supplier is compromised, it should be clear what legal recourse is available to all parties.
There should be a strong emphasis on regularly validating claims of security and compliance made by suppliers. For example, evidence of security testing should clearly match the scope of the services being offered. Tough questions should be asked, and clear evidence needs to be provided. The devil is in the detail!
By scrutinising every link in the supply chain, organisations can mitigate the risks associated with poor security practice, malicious software, or compromised services. Safeguarding the supply chain helps ensure that critical infrastructure components are trustworthy, resilient, and as free from known vulnerabilities as practicable, thereby supporting the uninterrupted operation of essential services.
Continuous Monitoring
Continuous monitoring can play a crucial role in improving critical infrastructure cybersecurity by providing ongoing surveillance and analysis of an organisation’s IT infrastructure. This approach allows for the early detection of cyber threats and vulnerabilities in real time, enabling organisations to respond quickly and contain security incidents before they escalate.
A related field is threat-hunting. Threat hunting, which involves actively searching for and identifying potential security threats, can be enhanced through continuous monitoring. By continuously monitoring the entire network, organizations can detect anomalies and patterns that may indicate a cyber attack on critical infrastructure.
Of course, threats come from many sources and continuous monitoring can take place at various places within the organisation. Cyber threats to critical infrastructure can be identified by:
- Technical infrastructure monitoring. This covers the compute, storage, network, and other physical or virtual devices. It allows IT teams to troubleshoot performance issues, optimise usage, reduce cost, and forecast capacity needs. However, anomalies here could be indicative of malicious activity too.
- Network monitoring. This helps organisations understand the status of their firewalls, switches, routers, and other devices as the network evolves. It captures the source and destination IP addresses, ports, and protocol metadata of network traffic, allowing for the detection of bandwidth utilisation, packet loss, delays, and potential malicious intrusion attempts.
- Application stack monitoring. This involves monitoring an application and its underlying stack, including application servers and databases, to proactively collect status, load, response, error, and utilisation metrics for all application components. Again, anomalous behaviour here could be an indication of compromise.
Collaboration and Information Sharing
Collaboration and information sharing play a crucial role in improving critical infrastructure cybersecurity. By working together and sharing knowledge, organizations can enhance their ability to detect and respond to cyber threats effectively. Here’s how.
- Rapid dissemination of threat intelligence: Sharing information about cyber threats and vulnerabilities allows organizations to stay updated on the latest risks. This can help in threat hunting and the detection of anomalies, as organizations can leverage the collective knowledge and experiences of others to identify and respond to emerging threats quickly.
- Increased visibility into the cyber threat landscape: Collaborative efforts, such as the US-based Joint Cyber Defense Collaborative, bring together diverse teams from public and private sectors to proactively gather, analyse, and share actionable cyber risk information. This enables organizations to have a more comprehensive understanding of the evolving threat landscape and make informed decisions about their cybersecurity strategies.
- Diverse resources and expertise: No single organisation knows everything. Collaboration allows organizations to access a wider range of resources and expertise, which can be particularly beneficial in addressing complex and sophisticated cyber threats. By working together, organizations can pool their resources and capabilities to develop more robust and effective cybersecurity solutions.
- Collective insights into risk-informed action: Through collaboration and information sharing, organizations can turn collective insights into risk-informed action. This means that they can use the shared knowledge and experiences to develop more targeted and effective cybersecurity strategies, focusing on the most critical risks and vulnerabilities.
However, it is essential to note that collaboration and information sharing also come with risks and limitations. Organizations must act pragmatically and ensure that they have robust cybersecurity measures in place, prioritize sharing only the most critical information, build trust, streamline processes for quick and effective communication, and continuously improve their security monitoring practices based on feedback and lessons learned from past incidents.
Invest in Cybersecurity Technologies
There are no silver-bullet technology solutions that will mitigate all threats to critical infrastructure cybersecurity. However, the cyber market continues to grow and offer powerful tools to build, maintain and monitor a secure infrastructure. Consider:
Cloud security: The security of cloud-based data and applications is crucial. Investing in robust cloud security solutions can help protect your organisation from data breaches and other cyber threats to critical infrastructure. Consider solutions including privilege controls, which enable the audit and control of user and application privileges. Consider also the basics of encryption, multi-factor authentication and asset mapping, an underestimated housekeeping task which will pay dividends and can reduce the risk of supply chain attacks.
Endpoint Detection and Response: With the normalisation of remote work and the proliferation of connected devices, securing endpoints such as laptops, smartphones, and IoT devices is essential. Endpoint Detection and Response (EDR) solutions can help detect and prevent cyber attacks on critical infrastructure.
Real-time threat intelligence: Staying ahead of emerging threats requires access to up-to-date information about the latest cyber threats and attack techniques. Investing in real-time threat intelligence capabilities can help your organization proactively identify and respond to potential security breaches.
Security awareness training: Often cited as the last line of defence, employees are in fact the first. Providing regular security awareness training can help them recognise and avoid common cyber threats, such as phishing emails and social engineering attacks.
Automation, analytics, and AI: Advancements in automation, analytics, and AI can help organizations more effectively identify and respond to cyber threats. Managing more with less is one outcome here.
There are intricate challenges and diverse strategies involved in safeguarding critical infrastructure cybersecurity. Cyber threats are dynamic, ranging from traditional attacks to sophisticated techniques like APTs and supply chain compromises.
A multifaceted, defence-in-depth approach must therefore be adopted. Continuous risk assessment, robust access controls, employee training, and collaboration among organizations are all important as is the need for proactive measures such as regular software updates, intrusion detection systems, and encryption.
Protecting critical infrastructure requires an adaptive and collaborative cybersecurity ecosystem, involving constant vigilance, technological advancements, and collective intelligence to stay ahead of evolving threats and ensure the resilience of our vital systems.