One only has to look at past events to know that nation-state hacking has become an increasing concern for governments worldwide. In 2018, hackers from China targeted universities and the Lowy Institute in Australia, to steal intellectual property and information.
In 2015, Ukraine’s power grid was compromised by the Black Energy Trojan, targeting the IT infrastructure of three energy distribution companies and temporarily cutting the supply to consumers for several hours. In 2017, Britain’s National Health Service was held hostage by Wanna cry ransomware and NotPetya hit energy and transport organizations in Europe and the United States.
In most of these cases the attackers, methods used, and motives were different. Attackers may target either IT or operational technology environments, but in nearly every case the attacks caused considerable and costly disruption. Many of these systems have processes that are not connected online and are designed to act as fail-safes to prevent disaster scenarios. Nonetheless, disruption occurs and the consequence can be costly, inconvenient and major damage.
Research suggests the energy, utilities, and manufacturing sector could do more to improve security by employing more security staff, spending more on security like continuous risk assessment solutions, and implementing advanced endpoint security measures.
Tackling the problem
Many governments are aware of the dangers that attacks on national critical infrastructure, be it food supply, water, financial services, energy, and government can pose. In 2016, the Australian Federal Government launched its cybersecurity strategy in recognition that Australia’s interests in a digital age must be protected.
Governments are also translating their security strategies to align with regulatory requirements. In relation to national infrastructure, the Security of Critical Infrastructure Act 2018 requires organizations operating Australia’s electricity, water, gas, and port infrastructure to inform the government about their IT environments. The legislation also gives the government the power to force organizations to fix any potential vulnerabilities and bring them in line with government security expectations.
The harsh reality of the digital world is that it is impossible for critical infrastructure organizations to eliminate cyber risk entirely. Businesses need to grow and innovate by adopting new technologies, expanding into new markets or carrying out mergers and acquisitions. However, organizations operating national critical infrastructure must ensure they are managing their cyber risk well. With these five tips, organizations in the critical infrastructure sector can improve their security and avoid a national catastrophe.
1) Map critical processes
The first key step for any organization in this sector to improve its security is to understand and map what its critical processes and data are and the architecture of its systems. This allows organizations to have a complete understanding of where vulnerabilities may lie and how threat actors might target critical systems.
2) Adopt security frameworks
Once organizations have developed a basic understanding of potential exposure, they can bring the right people (and skillsets), processes and technologies together to build a successful program. By following government security frameworks and other popular frameworks like the Australian Cyber Security Centre’s Essential Eight framework, an organization will have a benchmark to assess its security capabilities against on an ongoing basis. Organizations should also prepare for a cybersecurity incident by having incident response plans in place and investing in the right people to ensure that the plans can be put into action.
3) Share information
One of the Australian Government’s goals in establishing its cybersecurity strategy was creating a national partnership that encouraged the sharing of security information. Sharing information about threats and attacks is particularly important to reduce the risk for everyone in the industry and stop attacks before they spread. The whole industry is potentially impacted if one succumbs to a major attack.
4) Take employees back to school
Educating people within the organization and external business partners about cybersecurity hygiene is vital. Many of these events started with someone opening a malicious email attachment or clicking a malicious link in an email. And let’s not forget business partners and other third parties – the risks of the supply chain are extreme.
Security teams in organizations must continuously monitor and manage IT systems and ensure that the right prediction, prevention, detection and response controls are the place, especially as they increasingly operate in the new world of the Industrial Internet.
The threats to critical infrastructure are not going away any time soon. Governments worldwide.
By Pierre Tagle, Head of GRC Consulting ANZ & SEA, SecureWorks.