Effectively Managing Cyber Threats on Critical Infrastructure

Anthony Perridge

Anthony Perridge

Criminals are tirelessly attacking critical infrastructure around the world and compromising the Industrial Control System and the Supervisory Control and Data Acquisition systems that control these infrastructures, writes Anthony Perridge. In 2010, the Stuxnet worm infiltrated numerous control systems and damaged nuclear power plants. Five years later, the BlackEnergy malware attack on the Ukrainian power supply became the first cyber attack that caused a blackout.

However, the term critical infrastructure not only covers the power grid, but also areas such as the military, manufacturing, healthcare, transport, water supply and food production. In 2017, the outbreak of the ransomware named WannaCry affected several healthcare companies. In 2018, the US CERT, together with the National Cyber Security Centre and the FBI, issued a warning that the Russian Government had launched an attack on critical infrastructure in various industries.

In addition, for several years now, threats to air travel booking and public transit systems have been making the news headlines. In early 2019, the ransomware variant LockerGoga began infiltrating and disrupting the production processes of chemical companies and aluminium producers.

Important challenges

According to an investigation conducted by (ISC)2, there’s a shortfall of nearly three million cyber security experts worldwide, and nearly 60% of the 1,452 survey respondents believed that their company was at medium to high risk of virtual attacks. The existing security teams are barely able to handle the myriad alerts. Moreover, they’re often not sufficiently represented at senior management level to receive the necessary attention and support for important initiatives. For example, only 31% of organisations in the aviation industry have a dedicated CISO.

To make the most of their existing resources, security teams must be able to understand and prioritise the threat data and alerts within the context of their organisation. This gives teams the opportunity to easily and clearly communicate relevant security issues to management and justify the additional resources needed in order to improve security processes.

More and more attacks use multiple vectors in parallel and make the defence more difficult. The US CERT warning cited above mentions a variety of these used TTPs, including spear-phishing e-mails, watering hole attacks, credential capture and specific attacks on Industrial Control System and SCADA infrastructures.

At the same time, the attack surface is growing as critical infrastructure operators increasingly migrate to the cloud, introducing mobile devices and the Internet of Things (IoT). More than two-thirds of IT executives in the oil and gas industry said they are more vulnerable to security breaches because of digitisation (the provision of digital technologies for advanced automation).

Companies can protect their digital landscape against threats only if they have an overview of the entire infrastructure and the ability to continuously evaluate and prioritise threat intelligence.

Modern security features

Many ICS and SCADA systems have been in use for years and don’t have modern security features that can protect against current threats. The number of reported weaknesses in the production area increased significantly in 2018 compared to the previous 12 months. However, these systems are rarely updated as operators fear interruptions.

Despite increasing attacks on critical infrastructure, protection has not been extended. Rather, it has become even worse as the devices and systems are increasingly connected to the Internet without any attention having been paid to the security implications. Although those responsible for IT and Operational Technologies have different goals, processes, tools and concepts, they must work together as their environments grow closer.

Surveys among security officers say that 75% of businesses assume they will be the victims of cyber security attacks on OT/Industrial Control Systems. However, only 23% adhere to the industry’s minimum legal requirements for cyber security.

Impact on the business

Headlines about attacks on critical infrastructures are quickly portrayed as a sensation. It’s often difficult to find the facts behind the report and to understand the impact of a large-scale cyber campaign on the business. It’ not enough to update only the Industrial Control System and SCADA devices. With a trusted threat intelligence platform, companies can identify and respond to the truly relevant threats.

Tips to help organisations minimise their cyber risk:

*Consolidate all sources for external (such as OSINT) and internal (SIEM, for example) threat and vulnerability data in one central repositori

*Collect security-related information about the entire infrastructure (local, cloud, IoT, mobile and legacy systems) by integrating vulnerability data and threat intelligence in the context of active threats

*Filter non-relevant information, avoiding overload due to too many alerts, and easily navigate massive amounts of threat data to focus on critical resources and vulnerabilities

*Prioritise the most important data depending on the individual situation, with the possibility of dynamic adaptation as new data and insights become available

*Proactively search for malicious activity that can demonstrate malicious behaviour, Denial of Service attacks and other disruptions and potential harm to customers, employees and key components alike

*Focus on aspects beyond reactive measures to aid detection, response and recovery

Anthony Perridge is Vice-President (International) at ThreatQuotient

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts