Critical infrastructure is a beacon for cybercrime, says Derrick Mitchelson, Field CISO EMEA at Check Point Software.
In May 2021, the Colonial Pipeline, the largest refined petroleum pipeline system in the United States, suffered a damaging cyber attack. The breach, resulting from a vulnerable VPN password, caused the company to shut down operations for several days, leading to oil shortages on the East Coast. This is just one example of how devastating an attack on a critical industry can be.
The UK government says there are 13 sectors that fall under the umbrella term ‘critical infrastructure’, including chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport and water. All of these, which provide services essential to the day-to-day functioning of society, are hives of the most sensitive and confidential data that threat actors can easily monetize on the Dark Web, leading to further cybercrime and disruption.
Unfortunately, the potential for widespread disruption has not gone unnoticed by cybercriminals. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) in the US has urged the UK to act quickly, warning that its government could be the victim of a 9/11-style cyber attack. This year, cyber security authorities in Australia, Canada, New Zealand, the US and the UK pleaded for defenders of critical infrastructure to prepare for an escalation of cyber attacks following the war between Russia and Ukraine.
This increased risk has already been felt around the world as a variety of national and public bodies have been targeted, from governments in Cuba and Peru to water companies such as South Staffordshire Water, as well as Denmark’s largest train operator and the NHS, which has been affected by a supply chain attack. With heightened political tensions around the world, the potential for another attack on our critical infrastructure is not only worrisome but very likely. So let’s take a look at what the current threat landscape looks like and how companies, as well as government agencies, can better protect themselves.
Why are critical industries more at risk?
This focus on critical infrastructure is intentional. Cybercriminals are acutely aware of the impact any disruption has on vital services, not only financially but also on public trust. For example, in the utility sector, you can’t expect people to be without electricity or water, which means companies are more likely to pay in the event of ransomware. Hackers are also very careful and will attack during periods of unrest, for example using the ongoing energy crisis as an entry point for phishing or man-in-the-middle attacks.
Another common risk factor among critical infrastructure organizations is that they all have a high level of interconnected legacy technology. This may include old devices that may not be used every day but are still active, or a machine that is critical to business processes but can only run on older software that cannot be patched. Much of this legacy technology, although located on our managed networks, is not owned by our digital and security teams. It’s true that some industries, such as utilities, are more dependent on it than others, but everyone has their own battle to overcome.
The lack of a cohesive understanding of their technology estate makes it much more difficult for these industries to implement a holistic security strategy and also provides hackers with more ways to gain access to the wider network.
Is increased connectivity a problem?
This problem is exacerbated by the introduction of IoT devices that are incredibly complex to manage and are rarely built with security in mind. As companies collect more data and expand their network infrastructure, they become more attractive to hackers and harder to defend.
It is vital that past experiences, such as the Colonial Pipeline attack, are not forgotten, but used to inform the next steps. While increased connectivity expands the attack surface and makes it harder to manage, there are technologies that help protect IoT devices from new threats and make this transition period easier.
It is important that we do not stand in the way of technological progress. If we look at the transportation industry, when we board an airplane, we have no idea if the pilot is in control or if it’s just on autopilot. But we still go on vacation and travel with confidence. It is possible to build the same level of trust when it comes to progress in driverless cars, despite their increased connectivity and reliance on IT. To get there, manufacturers need to build security into these products. If things are designed with security in mind, they are less likely to be hacked. This is a transferable message that should underpin every new decision, in every sector, but especially in critical infrastructure.
Securing our future
Many organizations are good at risk management, but lack an end-to-end cyber strategy that covers everything from employee engagement and BYOD security to firewall management and malware protection. The absence of any one element can create a vulnerability with harmful consequences. What is the conclusion from this? I think there are four key elements:
Communication is key: You are only as strong as your weakest link, so it is crucial that there is open dialogue within the company from the board to the IT department. Any device that has access to a company’s network can allow hackers to gain access if it is not properly managed. The problem is compounded by the shift to home and hybrid work, so organizations need to talk to employees and educate them on how to stay safe.
Visibility and segmentation: It is impossible to successfully secure a network without understanding the assets within it. A complete inventory, including cloud assets and data stores, will reveal any weaknesses such as unpatched security updates or devices running outdated firmware. When you map a network, you can apply strategies like segmentation, which creates virtual internal barriers that prevent hackers from moving laterally and causing widespread damage.
CISOs need to do their part: The CISO’s role is to ensure that the board has a better understanding of the risks facing the business. Your job is to influence the board and make those risks clear in a language they understand. This means stating the business consequences of poor security. There is a general lack of communication between CISOs and the wider business, and this needs to change to better secure our mission-critical services.
The need for comprehensive authority: As we look at the challenges facing critical infrastructure, it’s clear that companies in all sectors need to improve their cybersecurity programs. But they can’t do it alone. We need a single regulatory body that can help these sectors implement standard practices. This will reduce disparities in cybersecurity spending, for example between energy and water.
In the UK, our critical infrastructure is a bright beacon that attracts cybercriminals from far and wide. The threat level continues to rise and the consequences are becoming more severe. Now is the time to take action, and prevention should be at the heart of every step you take to better protect yourself.