EXCLUSIVE: Why context is key for protecting critical national infrastructure

Cybersecurity and critical national infrastructure

Amid heightened international tensions, there are growing concerns about critical national infrastructure (CNI), writes John Moran, Technical Director, Business Development at Tufin.

While physical attacks against transportation, power, telecom and other infrastructure have always been a concern during conflicts, a growing reliance on “smart” connected infrastructure has made these high-value targets increasingly vulnerable to cyber-attacks as well. 

Ciaran Martin, Head of the UK’s National Cyber Security Centre, stated that he believes a major cyber-attack on the country is a matter of “when, not if”.

Governments around the world appear to be taking this threat seriously. The US Department of Energy is investing $45 million to protect the national grid from cyber-attacks. In the UK, strict new regulations have also recently come into law to ensure that telecoms providers implement stronger security measures.

So, what are the risks of a serious cyber-attack on CNI and how can these crucial systems be protected?

The impacts of major CNI cyber incidents

Cyber-attacks on CNI are a daunting prospect as they can quickly cause serious disruption on a national scale, impacting the health and safety of large proportions of populations. While not as common as attacks on private businesses, there have been many notable incidents in the last few years.

The 2021 Colonial Pipeline ransomware attack caused over 5,000 miles of pipeline to be closed, resulting in widespread fuel shortages across the south-east of the US. Responsibility for the attack was claimed by the Russian group DarkSide, although they insisted their motives were strictly financial.

In 2017, a WannaCry ransomware infection that spread quickly through the NHS in the UK had far-reaching repercussions, resulting in approximately 13,500 appointments being cancelled as critical health systems were taken offline. As is sometimes the case, the NHS WannaCry infection was not the result of a targeted attack; the healthcare service’s aging IT infrastructure was simply another unfortunate victim as WannaCry quickly spread across the globe. Targeted attacks on healthcare providers are becoming more common as unsympathetic criminals seek to capitalise on the disruption they cause and pocket the wealth of personal information these providers possess.

Petya ransomware also impacted many CNI targets. Ukraine was hit especially hard, with infections causing disruptions for telecom provider Ukrtelecom, the State Savings Bank of Ukraine and Boryspil International Airport. A year earlier, a major cyber-attack on Ukraine’s power grid during the previous conflict led to 230,000 citizens experiencing prolonged power outages.

Why CNI makes an ideal cyber-target

The ability to cause disruption on a regional or national scale makes CNI an appealing target for hostile nation states. Where physical attacks are likely to elicit a physical response, the appropriate response to a cyber-attack remains a topic of debate. In addition, a well-executed cyber-attack offers the perpetrator a level of plausible deniability, a critical consideration when the victim nation may not yet be a direct participant in the conflict.

While discussing the dangers of an attack to the undersea telecoms cables carrying internet and phone services, Brad Smith, Vice Chair and President of Microsoft, noted that cyber-attacks are in many ways easier to launch than their physical equivalents.

On top of their value to nation states, CNI targets are increasingly being targeted by non-affiliated criminal groups and individual actors. Healthcare and other public services have borne the brunt of ransomware attacks as criminals rely on their victims quickly relenting to large ransom payments to restore critical services.

In addition to their monetary and psychological value, CNI is an attractive target because it often relies, at least in part, on legacy operational technology (OT), which can lack many of the security features of more modern technology and may have vulnerabilities because the system cannot be taken offline to be patched or because the system is no longer supported by the vendor. 

The biggest challenges in securing CNI

The OT at the heart of our critical infrastructure often dates to the analog age, a time when the greatest threats facing technology were largely physical. The industrial control systems (ICS) that manage OT systems were naturally air-gapped and a malicious actor would need to gain physical access to cause harm.

As these systems become digitized to enable remote monitoring, automation and other smart infrastructure use cases, legacy OT and modern IT systems are increasingly converging. This convergence of IT and OT, along with the proliferation of internet of things (IoT) devices, has created an extremely complex environment that is difficult to secure. The growing proliferation of 5G networks will also continue to drive this trend.

Unfortunately, due to cost and downtime, most CNI providers cannot simply replace these legacy systems. Often, this forces providers to look for alternate means of securing these critical resources: compensating controls which protect otherwise vulnerable assets. Doing this effectively requires being able to accurately prioritize vulnerabilities based on their actual risk and the ability to respond to potential security incidents, both of which demand comprehensive internal network intelligence.

Unfortunately, in many cases, IT and security teams are still relying on static documents and manual processes to store and retrieve critical information. This results in intelligence which quickly becomes outdated and processes which cannot scale to the agility and efficiency required of a digital operation. As a result, vulnerabilities in legacy systems often remain exposed for long periods of time, presenting threat actors with multiple paths and the ability to achieve long dwell times as they carry out their attacks.

Why context is the priority for protecting CNI

First and foremost, protecting CNI requires comprehensive visibility across the entire IT and OT estate. Gaps in visibility lead to unseen assets remaining unprotected and inaccurate assessments of risk.

Whereas in the past, the unavailability of data presented a roadblock, today’s security teams are positively overwhelmed with information. Large security and IT stacks provide a constant stream of information about the organization’s entire infrastructure. External data sources, such as the National Vulnerability Database, threat intelligence services and vendor feeds, are also plentiful. 

Today’s challenge is turning this raw, uncorrelated information into actionable intelligence which can be used as the basis for complex risk decisions. This is especially challenging with OT infrastructure, as these networks and devices are frequently isolated and managed by separate teams, with the threat intelligence relevant to these networks often distinct. 

To avoid becoming inundated with data and expending limited resources entirely on analysis, we must emphasize data which can be used to provide context, turning raw data into actionable intelligence. Performing these tasks at scale requires an automation approach to both data collection and analysis.

This approach allows security teams to focus their limited resources towards reducing risk to CNI, making use of threat intelligence which is highly tailored to the individual network. For example, the security team at a power facility may be faced with hundreds of vulnerabilities. However, with proper context it is easy to identify the relatively few critical assets with vulnerabilities which are being exploited in the wild and are exposed to untrusted networks.
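The prioritization described above can be shown as a small correlation step. The following is an added example written for this article, not Tufin's product code or any vendor API. It joins three constructed inputs (an asset inventory with criticality and network zone, scan findings with CVSS base scores, and an "exploited in the wild" feed) with a simple zone model of what is reachable from untrusted networks. All asset names, zones and `CVE-EXAMPLE-*` identifiers are placeholders; the weights are an assumption chosen for illustration. An asset that appears in scan output but not in the inventory is treated as a visibility gap and ranked as if it were critical and exposed until someone inventories it.

```python
"""Context-based vulnerability prioritization (added illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # CVSS base score as reported by the scanner


# Constructed asset inventory: criticality and network zone per asset.
ASSETS = {
    "hmi-01": {"criticality": "high", "zone": "ot-dmz"},
    "plc-07": {"criticality": "high", "zone": "control"},
    "print-03": {"criticality": "low", "zone": "corp"},
    "web-portal": {"criticality": "medium", "zone": "internet-edge"},
}

# Constructed zone model: is the zone reachable from untrusted networks?
ZONE_EXPOSED = {
    "internet-edge": True,
    "ot-dmz": True,
    "corp": False,
    "control": False,
}

# Constructed scan findings. "shadow-01" is deliberately absent from ASSETS.
FINDINGS = [
    Finding("hmi-01", "CVE-EXAMPLE-0001", 9.8),
    Finding("plc-07", "CVE-EXAMPLE-0002", 7.5),
    Finding("print-03", "CVE-EXAMPLE-0001", 9.8),
    Finding("web-portal", "CVE-EXAMPLE-0003", 5.3),
    Finding("shadow-01", "CVE-EXAMPLE-0002", 7.5),
]

# Constructed stand-in for an external "known exploited" feed.
EXPLOITED_IN_WILD = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}

# Assumed weights; tune to the organisation's own risk model.
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0}
EXPOSURE_MULTIPLIER = 2.0
EXPLOITED_MULTIPLIER = 3.0


def asset_context(name, assets, zone_exposed):
    """Return (criticality weight, exposed?) for an asset.

    An asset missing from the inventory is a visibility gap: assume the worst
    (critical and exposed) so the gap itself surfaces at the top of the list.
    """
    asset = assets.get(name)
    if asset is None:
        return CRITICALITY_WEIGHT["high"], True
    weight = CRITICALITY_WEIGHT[asset["criticality"]]
    # Unknown zone: assume reachable until the zone model says otherwise.
    exposed = zone_exposed.get(asset["zone"], True)
    return weight, exposed


def score(finding, assets, zone_exposed, exploited):
    """Contextual risk score: CVSS scaled by criticality, exposure, exploitation."""
    weight, exposed = asset_context(finding.asset, assets, zone_exposed)
    result = finding.cvss * weight
    if exposed:
        result *= EXPOSURE_MULTIPLIER
    if finding.cve in exploited:
        result *= EXPLOITED_MULTIPLIER
    return result


def prioritise(findings, assets, zone_exposed, exploited):
    """Findings ordered from highest to lowest contextual score."""
    return sorted(
        findings,
        key=lambda f: score(f, assets, zone_exposed, exploited),
        reverse=True,
    )


def critical_subset(findings, assets, zone_exposed, exploited):
    """The short list the article describes: critical assets whose
    vulnerability is exploited in the wild AND reachable from untrusted networks."""
    result = []
    for f in findings:
        weight, exposed = asset_context(f.asset, assets, zone_exposed)
        if weight == CRITICALITY_WEIGHT["high"] and exposed and f.cve in exploited:
            result.append(f)
    return result


if __name__ == "__main__":
    for f in prioritise(FINDINGS, ASSETS, ZONE_EXPOSED, EXPLOITED_IN_WILD):
        print(f"{f.asset:12} {f.cve:18} cvss={f.cvss:<4} "
              f"score={score(f, ASSETS, ZONE_EXPOSED, EXPLOITED_IN_WILD):.1f}")
    print("act first on:", [f.asset for f in
                            critical_subset(FINDINGS, ASSETS, ZONE_EXPOSED, EXPLOITED_IN_WILD)])
```

Run as-is, the CVSS 9.8 finding on the isolated printer drops to the bottom of the list while the CVSS 5.3 finding on the internet-facing portal climbs above it, and the uninventoried `shadow-01` host outranks a critical but isolated PLC: the same raw data produces a very different action list once asset context, exposure and exploitation status are joined to it.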

Whether from nation state operatives or criminal gangs, the CNI threat landscape will only grow in size and complexity. With the potential for significant economic impact, as well as the health and safety of the population, on the line, CNI providers must have an accurate and up-to-date view of their current risk profile.

This article was originally published in the January edition of Security Journal Americas.
