Takeaway: It’s not possible for infrastructure owners and operators to fall behind in the technology race, but together with the broad opportunities brought forward by increased connectivity new cyberthreats are also emerging.
The infrastructure sector is taking its first timid steps in the world of digitalization. New AI trends are being used to optimize energy grids, power plants, oil and gas refineries, and manufacturing plants.
Roads and highways are implementing new technologies to prepare for the imminent arrival of self-driving cars. (Read Are self-driving cars safer than cars driven by humans?)
It’s not possible for infrastructure owners and operators to fall behind in the technology race, but together with the broad opportunities brought forward by increased connectivity new cyberthreats are also emerging.
Public and financial records can be sold on the dark web, and the breach of such records can be quite profitable for hackers. A landscape of unscrupulous agents who breach systems and stealthily maintain access over extended periods of time to perform various hacks (data theft, supply chain attacks, cryptomining, spying, and extortion) are now targeting organizations in the infrastructure sector as well.
With $3.25 billion per year made by hackers just by violating social media, it’s time for those verticals to address these issues, adapt and ultimately evolve.
The Current Cyberthreat Landscape
When a large state-owned energy company is hit by a successful cyberattack, the economy of an entire nation and the wellbeing of thousands of people are at stake. The simplest ransomware attack may cause a disastrous attack if critical data is exposed to malicious actors.
Back in 2015, a single spear phishing email attack in Ukraine took out took out the energy grid for more than 225,000 people. Attacks can strike some of the most vulnerable assets of human society, such as the farming and agricultural business (by blocking farming equipment) or the financial sector (think of the Equifax credit bureau breach).
In some other instances, instead, a single breach may cause massive material damage (examples include nuclear power plants, dams or waste recycling plants).
Even when they are not the primary target, the proliferation of interconnected Internet of Things (IoT) networks means that a single security gap can make factories and plants become a collateral target. Older vulnerabilities never grow stale, as hackers never stop checking whether those doors are still open.
More than half of the vulnerabilities that have been publicly exposed in the last 10 years are still susceptible to attacks even today. Establishing a successful cybersecurity strategy during the digital transformation process is a mandatory step, and may require tens of thousands of operators across hundreds of sites.
Simplifying Cyber Defense Strategies
Infrastructure operators often need to work within significant budget constraints — especially in the public sector. Money is often insufficient, and stakeholders usually prefer to invest it in more “physical” assets such as better materials and machinery than in (apparently) less practical avenues such as cyber defense.
To address this challenge, breach and attack simulation (BAS) platforms such as Cymulate are being currently employed by many organizations.
Companies can use BAS platforms to test various aspects of their cybersecurity defenses for any gaps and vulnerabilities when they are put under stress. Examples range from web gateways to web applications (firewall effectiveness), endpoints (anti-malware effectiveness), and emails (anti-phishing).
Users just need to install a client on one of the endpoints in their networks and the platform can be used to run various tests. Users can even schedule these tests to run automatically in set intervals. BAS comes as a welcome alternative to other testing methods, such as penetration tests and red teams since these are typically carried out by white hat hackers and seasoned security professionals.
Instead of hiring a specialized cybersecurity team, companies can simply retrofit existing IT teams to test possible attack vectors quite comprehensively. BAS reports are also used to identify weak points in the security perimeter or IT infrastructure allowing companies to allocate their investments more strategically.
This evidence-based approach is vital to make stakeholders happy by focusing security budgets on the most evident vulnerabilities.
Mitigating And Remediating
In a sector when even the slightest disruption may have catastrophic consequences, resiliency is mandatory to at least mitigate incoming damage, as well as the ability to quickly restore any impaired services or capabilities.
Fail-safe strategies and backup plans represent a pivotal point in any remediation strategy, highlighting the importance of detection and forensics tools that can identify indicators of compromise. For example, heightened gateway restrictions such as additional firewalls may be enforced to contain the attacker’s ability to move across the network once a section is compromised.
If everything goes south, is nonetheless important to be able to provide quick disclosure to collateral actors which may be involved as well (such as emergency operators, fire and police departments, etc.). Being able to share relevant data into ticketing systems may be critical to accelerate this process. Risk baselines must be determined to know which areas are the most vulnerable and prepare a remediation plan accordingly.
Highly controlled access and authorization management, as well as tidy asset inventory can help minimize the risk linked to the devices connected to the OT network. A robust control system is a passive approach that has already been adopted by the U.S. electricity sector.
It helps reducing the overall risk as well as the root cause analysis phase since it easily pinpoints the source of the issue. It can also be used to enhance mitigation, for example by allowing administrators to close facility doors remotely.
Although many organizations in this vertical still lack the maturity to properly handle the full range of cyberthreats that come with the territory, many are taking the necessary steps to improve.
A strong governmental action will also be necessary to establish an adequate regulatory environment mandating compliance to the strictest security strategies.
Otherwise, the material risks of a careless approach are too massive to be dealt with.