Securing critical infrastructure

02 May 2024

Securing critical infrastructure is non-optional in the modern world; but with so many attack vectors and evolving threats, where should we even begin?

In an increasingly digital world, securing critical infrastructure – including but not limited to national defence, healthcare, emergency services, transportation systems, and utilities – is essential. The disruption of such infrastructure can ripple far beyond a single organisation to threaten public safety. But what exactly is the biggest threat to critical infrastructure today?

Availability disruption

“The biggest threat is any cyberattack that succeeds - but a highly disruptive one, particularly if it impacts services people depend on, will be the worst case,” shares Piers Wilson, head of product management, Huntsman Security.

“The biggest threat to critical infrastructure in 2024 is the disruption of availability,” agrees Andy Thompson, offensive research evangelist, CyberArk Labs. “Threat actors are continuously honing their skills, finding new ways to penetrate critical networks. And when they manage to do so, essential systems that are key to public health and safety - for food, water, and energy supplies for example, or for fundamental transportation, communications, and financial services - can experience major disruption. Without these services, it’s near-enough impossible for society to function as normal.”

According to Thompson, the attack by DarkSide back in 2021 is a perfect example of ‘availability’ disruption. The group carried out a ransomware attack against a large oil pipeline operator that disrupted fuel supplies and triggered panic buying and widespread gas shortages across the southeastern US. In the same month, Conti waged an attack against the Irish Health Service that impacted patient care for months, which led to healthcare providers having to cancel appointments, postpone elective surgeries and delay treatments.

“These attacks demonstrate just how vulnerable critical infrastructure is in today’s digital world, and the severe consequences that cyberattacks can have on essential services,” says Thompson.

According to Duncan Swan, chief operating officer, British APCO, several threats could cause catastrophic loss of critical infrastructure: bad actors; poor architecture that is increasingly prone to outages from ageing systems; demand that outstrips capacity or capability, especially at times of critical need; and insufficient and/or ineffective business continuity and disaster recovery planning in which key ‘what ifs’ are poorly thought through. It is important to consider that we increasingly rely on critical infrastructure for everyday life.

Moreover, attacks could be orchestrated by any number of different actors, from nation states with vast resources, to lone disgruntled employees or ex-employees looking to cause chaos, to criminal gangs looking for ransomware opportunities. Each has its own goals, capabilities, and attack vectors.

Accordingly, “rather than focusing on one specific scenario, organisations operating critical infrastructure need to be prepared for any attack from any direction – and make their systems as resilient as possible,” asserts Wilson.

“Many of these threats can be planned and, probably more importantly, budgeted for – with far and away the most unpredictable threat being that of a bad actor which could take the form of cyber or physical attacks at key critical infrastructure vulnerabilities,” adds Swan.

Staying one step ahead

With threats seemingly coming from all sides, how can critical infrastructure be secured, particularly in the face of increasingly sophisticated attacks?

“Staying one step ahead has to be the mantra,” asserts Swan. “Meticulously plan the ‘what ifs’ and don’t assume something cannot happen. There must be built-in capability/redundancy to be able to lose the use of one element of the infrastructure without losing everything (but also making sure that in doing so the level of complexity has not been ratcheted up to such a level that this poses additional risk). The level of proactive monitoring is key, as is the ability to mount a pre-emptive response to likely disruptions/attacks.”

Most successful attacks still use tried and tested strategies against low hanging fruit. Getting the basics right, says Wilson, is critical.

“The most fundamental security mistakes are still the most likely to trip organisations up and lead to successful breaches,” explains Wilson. “Patching systems, keeping up to date on threats, and good credential hygiene makes systems a much harder target. Having a way to regularly audit and automatically flag issues before they are exploited is key – not only for preventing most attacks, but for freeing up security teams’ time to investigate and protect against more sophisticated approaches.”

A large part of successful security is about shrinking the attack surface, removing opportunities for attackers: “for instance, when dealing with infrastructure there often isn’t a need for all systems to be connected to the internet in an uncontrolled way,” says Wilson. “Systems that can be protected from the wider internet should be, as this will greatly reduce attackers’ options. In addition, automating the detection and resolution of ‘basic’ cyber threats will free up cybersecurity teams to detect and deal with the most significant threats.”

The advent of modern connectivity – cloud computing, IoT, hybrid working and the like – brings new opportunities for attack into play. Applications are often deployed in the cloud beyond the confines of the trusted enterprise network border; IoT endpoints are sometimes connected over the public internet; and remote working often results in bypassing the enterprise network, with system administrators routinely managing critical infrastructure from home.

“To secure critical infrastructure in the face of increasingly sophisticated attacks, it must be made less accessible remotely,” opines Thompson. “This could involve implementing restrictions on remote login capabilities, or tightening authentication measures to ensure only a limited number of authorised individuals can remotely access these systems. Essentially, organisations need to create barriers to remote entry and reduce the number of access points. That way, you shrink the attack surface and make it more difficult for potential attackers to exploit vulnerabilities and launch cyberattacks against critical infrastructure.”
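The remote-access measures Thompson describes (restricting where remote logins are accepted from, tightening authentication, limiting who can log in remotely) lend themselves to a regular automated audit. The following is an added example, not code from the article or from any of the vendors quoted: it checks a constructed host inventory against an assumed policy. The field names, the trusted management networks and the threshold of five remote administrators are all assumptions for the illustration.

```python
"""Added example (not from the article): audit remote-access exposure across
critical infrastructure hosts. The inventory is constructed sample data and the
field names are assumptions, not any vendor's schema."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed inventory of hosts and their remote-access settings (sample data).
INVENTORY = [
    {"host": "scada-hmi-01", "remote_login": True,
     "allowed_sources": ["0.0.0.0/0"], "mfa": False, "remote_admins": 14},
    {"host": "plc-gateway-02", "remote_login": True,
     "allowed_sources": ["10.20.0.0/24"], "mfa": True, "remote_admins": 2},
    {"host": "historian-03", "remote_login": False,
     "allowed_sources": [], "mfa": False, "remote_admins": 0},
    {"host": "eng-ws-04", "remote_login": True,
     "allowed_sources": ["10.20.0.0/24", "203.0.113.0/24"], "mfa": True,
     "remote_admins": 6},
]

# Assumed policy: remote logins only from these management networks (RFC 1918),
# always with MFA, and from no more than this many administrator accounts.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_REMOTE_ADMINS = 5


@dataclass
class Finding:
    host: str
    issue: str


def within_trusted(cidr: str) -> bool:
    """True only if the whole allowed range sits inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)


def audit(inventory: List[dict]) -> List[Finding]:
    """Return one finding per policy violation; hosts without remote login are skipped."""
    findings: List[Finding] = []
    for h in inventory:
        if not h["remote_login"]:
            continue  # no remote entry point on this host
        for cidr in h["allowed_sources"]:
            if not within_trusted(cidr):
                findings.append(Finding(h["host"],
                    f"remote login reachable from {cidr}, outside trusted management networks"))
        if not h["mfa"]:
            findings.append(Finding(h["host"], "remote login without multi-factor authentication"))
        if h["remote_admins"] > MAX_REMOTE_ADMINS:
            findings.append(Finding(h["host"],
                f"{h['remote_admins']} remote administrators exceeds limit of {MAX_REMOTE_ADMINS}"))
    return findings


def remote_entry_points(inventory: List[dict]) -> int:
    """Count of hosts that accept remote logins at all (the surface to shrink)."""
    return sum(1 for h in inventory if h["remote_login"])


if __name__ == "__main__":
    print(f"{remote_entry_points(INVENTORY)} hosts accept remote logins")
    for f in audit(INVENTORY):
        print(f"{f.host}: {f.issue}")
```

Run as a scheduled job, the audit turns Wilson's "regularly audit and automatically flag issues" into a concrete report: the wide-open HMI produces three findings, the gateway restricted to one management subnet with MFA produces none.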

The AI effect

The widespread entry of AI into the world in 2023 has shaken up government and enterprise activities significantly. AI is the ultimate double-edged sword: enterprises are incorporating it into many levels of the network, just as bad actors are rapidly integrating it into their attacks.

“AI is having a big impact on the critical infrastructure sphere, allowing for more effective detection of malicious activity and threats – but it’s no different to its impact on IT and OT,” opines Thompson. “Just like organisations use AI to simulate cyberattacks, and test and enhance the security of their OT and IT systems, AI is a powerful tool to create appropriate response plans to protect critical infrastructure. More specifically, AI can be used to identify cyberattack patterns, predict threats, automate the response, and better protect the network.”

“It is key to helping with detecting a change in trends; to spot inconsistencies; and to help stay one step ahead of any malicious activity. It will be at the heart of any proactive monitoring – as well as helping to best shape the necessary response and actions required,” adds Swan. “AI also has a key role in helping to plan, be that scenario planning and gaming, or the ability to analyse and make sense of situations through big data. But it’s also important to remember that the use of AI will rely on the critical infrastructure actually being available to get data feeds as well as power necessary to analyse and compute...”

Machine learning (ML) has been employed in the cybersecurity sector for years. Security Information and Event Management (SIEM) tools, often incorporating ML, collect, aggregate, and analyse vast volumes of data from devices, networks, applications and other sources; detect anomalies; and either flag more complex threats or quarantine lower-level ones.
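The collect, aggregate, detect, then flag-or-quarantine pipeline described above can be shown in miniature. What follows is an added example, not code from the article or from any SIEM product: it parses a handful of constructed authentication log lines, applies two rules, and separates the low-level result that can be acted on automatically (repeated failures from one source) from the one that needs an analyst (a privileged login from a source never seen before, out of hours). The log format, the thresholds, the business-hours window and the known-source baseline are all assumptions for the illustration.

```python
"""Added example (not from the article): a SIEM-style detection pass over
constructed authentication log lines. Log format, thresholds and baseline are
assumptions, not real telemetry or any product's rules."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log lines, one login attempt each (not real data).
SAMPLE_LOGS = [
    "2024-05-02T01:12:03Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T01:12:09Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T01:12:14Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T01:12:20Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T01:12:27Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T01:12:31Z host=vpn-gw user=operator src=198.51.100.7 result=FAIL",
    "2024-05-02T02:45:50Z host=vpn-gw user=admin src=203.0.113.44 result=OK",
    "2024-05-02T08:58:12Z host=vpn-gw user=operator src=10.20.0.30 result=FAIL",
    "2024-05-02T08:58:40Z host=vpn-gw user=operator src=10.20.0.30 result=OK",
    "2024-05-02T09:10:05Z host=vpn-gw user=admin src=10.20.0.15 result=OK",
]

# Assumed baseline: sources each account has legitimately used before.
KNOWN_SOURCES: Dict[str, Set[str]] = {
    "admin": {"10.20.0.15", "10.20.0.16"},
    "operator": {"10.20.0.30"},
}
PRIVILEGED = {"admin"}               # accounts whose logins get extra scrutiny
FAIL_THRESHOLD = 5                   # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window is a brute-force pattern
WORK_HOURS = range(7, 19)            # 07:00-18:59 UTC counts as business hours (assumed)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    ok: bool


@dataclass
class Alert:
    severity: str  # "low" or "high"
    action: str    # "quarantine" (automatic) or "flag" (analyst review)
    detail: str


def parse(lines: List[str]) -> List[Event]:
    """Collect and normalise raw lines; unparseable lines are dropped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["host"], m["user"], m["src"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect(lines: List[str], known: Dict[str, Set[str]]) -> List[Alert]:
    """Aggregate events and apply two rules: one automatable, one for a human."""
    alerts: List[Alert] = []
    events = parse(lines)

    # Rule 1 (low-level, automatable): repeated failures from one source within FAIL_WINDOW.
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    quarantined: Set[str] = set()
    for e in events:
        if e.ok:
            continue
        # keep only failures from this source that fall inside the sliding window
        recent_fails[e.src] = [t for t in recent_fails[e.src] if e.ts - t <= FAIL_WINDOW] + [e.ts]
        if len(recent_fails[e.src]) >= FAIL_THRESHOLD and e.src not in quarantined:
            quarantined.add(e.src)
            alerts.append(Alert("low", "quarantine",
                f"{len(recent_fails[e.src])} failed logins from {e.src} within {FAIL_WINDOW.seconds}s"))

    # Rule 2 (needs judgement): privileged success from an unseen source outside business hours.
    for e in events:
        if (e.ok and e.user in PRIVILEGED
                and e.src not in known.get(e.user, set())
                and e.ts.hour not in WORK_HOURS):
            alerts.append(Alert("high", "flag",
                f"privileged account {e.user} logged in from unseen source {e.src} at {e.ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, KNOWN_SOURCES):
        print(f"[{a.severity}] {a.action}: {a.detail}")
```

The split between the two actions is the point: the brute-force pattern is unambiguous enough to block the source automatically, which is what frees analyst time, while the out-of-hours privileged login from an unknown source is exactly the "more complex threat" that should be flagged rather than acted on blindly, since it may be a legitimate administrator working from a new location.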

“However, AI is also being used by malicious actors to increase the volume and effectiveness of attacks,” says Wilson. “Whether using automated bots at scale to probe networks for vulnerabilities to ransomware, or more focused attackers using deep fake technology to support advanced social engineering tactics. This means that it’s not just cybersecurity teams that need to be on guard, but every employee of the organisation. With no way to anticipate which new attack vector is around the corner, the issue is less whether attacks are driven by AI or not, but whether organisations can deal with the unexpected.”

Shouldering the responsibility

Securing critical infrastructure is non-optional in the modern world – and not a responsibility that lies on just one head.

“It has to be a mix of industry and government - government needs to ensure licence/operating/service conditions are clear in terms of responsibilities. And government has overall oversight of critical national infrastructure,” says Swan.

Wilson believes that, ultimately, it’s the operator of the facility or service that is responsible for securing critical infrastructure: “putting in place competent security teams, equipped with the right tools that help them to keep systems secure, is critical. Whether that’s AI-based automation to deal with lower-level threats, or cybersecurity experts that can defend against complex nation-state level attacks.”

However, Wilson agrees with Swan that “governments must play a role too due to the disruption and harm a major breach could cause; they have a vested interest in ensuring infrastructure is secure and aren’t exempt from being the operators themselves. Government’s role doesn’t end at implementing legislation that ensures operators meet their obligations.”

“Bad actors operate at high level - are well funded, often state funded, can access the latest tech (not always legally), and, just as the good actors use AI, they too will be using AI to their advantage,” adds Swan. “So, we need high level government oversight – National Cyber Force as one example – with appropriate funding, checks, etc. Cutting corners is not an option given the reliance of society today on the connected networks of energy, communications and other utilities and systems key to the economy, public safety, health, and life generally.”

Thompson explains that more and more, critical infrastructure operators are turning to cloud-based services to accelerate the pace of innovation and streamline operations. However, anyone with cloud access is a privileged user and a potential target for bad actors looking to exploit privileged accounts and attack critical infrastructure systems.

“Every employee with access to critical systems and networks is responsible for safeguarding their identity security and securing critical infrastructure – no matter whether they are part of the cybersecurity, operations, legal or HR team, all parties have an important role to play,” concludes Thompson.