Every attack, successful or otherwise, should be a wake-up call for any organization not yet engaged in an active cybersecurity program, doubly so for critical infrastructure (CI) providers.
In the past two years, we have seen some significant successful attacks on CI that have caused a significant impact. Such attacks are both direct, which is the direct system breach, and indirect, such as ransomware.
That impact was felt far beyond the organizations impacted directly and, in some cases, across the world. Unfortunately, some of those impacts will ripple back and forth for some time to come.
Gartner recently reported that only 60 percent of organizations globally protect endpoints. That’s a staggering statistic and shows people aren’t doing the very basic things to stay safe.
Speaking to TRENDS, industry experts said that a breach isn’t the end of the impact. In fact, it is the beginning, which makes it important that critical national infrastructure providers secure their environments continuously.
Primary threats to critical infrastructure
Unfortunately, a lot of CI is subject to the same attacks as what might be considered normal IT. The divide between IT and operational technology (OT), which was felt to provide some additional protection to OT systems, has long since evaporated.
OT networks are either now connected to IT networks or OT systems are actually resident on IT networks. This is often done without consideration for the potential risks.
Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust, said risks can range from a single machine being taken offline to entire failures within the infrastructure.
“We have seen attacks causing fuel shortages, impacting global shipping, interrupting power delivery and water processing. While the moves might be desired and improve cost efficiency, they have to be carefully considered against the risks the moves bring,” he said.
He added that it is essential to establish what infrastructure is being used and understand the risks of each device being compromised.
“It’s hard to protect what you cannot see and may not even be aware of,” Chappell said.
Talking about the Middle East region, Sam Curry, chief security officer, Cybereason, said, “The Middle East is in a global world and suffers the same risks, uses the same technology and has the same vulnerabilities as the rest of the world. Not only do threats like Log4J and Spring4Shell affect Middle Eastern organizations, but the full gamut of actors is also present .”
Curry added that one needs only look to the Saudi Aramco breach many years back to understand the regional threat.
Bahaa Hudairi, Regional Sales Director META, Lookout, said, “The Middle East is a prime target because business is booming, new companies are setting up shop, and international enterprises are expanding into the region. Also, there are more remote workers than ever, and attackers are taking advantage of that trend with more sophisticated hacking techniques.”
Hudairi said that most of the employees have access to sensitive cloud data, and now access it from personal unmanaged devices. This opens up opportunities for attackers to trick employees with socially engineered phishing attacks, as employees are less security-conscious on personal devices.
“This is often how cybercriminals kick off the first steps of advanced cyber attacks like ransomware,” he said.
The ransomware attack was named the biggest threat also be Stefan Schachinger, Product Manager, Network Security – IoT, OT, ICS at Barracuda.
“This has been ongoing for years already and there is no end in sight. Demanding high ransom payments requires the attackers to put high pressure on the victims. Usually, a significant impact of operations up to a complete shutdown is their goal,” he said.
Attacks on critical infrastructure cause high public attention because of an impact on people’s lives, as witnessed with Colonial Pipeline (an American oil pipeline system) when gas stations ran out of supplies a year ago.
“That is a very inconvenient situation for the attack’s victim, people and public authorities and requires intermediate remediation, and many times the quickest and cheapest solution is to pay,” Schachinger said.
Key Learnings
Increasingly, critical infrastructure systems are being connected to the internet. This new world of connectivity requires particular attention from businesses with cyber-physical systems.
Sam Curry, chief security officer, Cybereason, said, “The only learnings are the ones that lead to changes in behavior. The biggest problem in security is the gap between the security department and the business.”
“When one sees and understands why a peer has suffered, that is a lesson observed. They don’t count. Unless countries take steps to improve all of cyber unless companies lean into cyber, and unless hardware and software become secure (and private) by design, there are no lessons learned,” he added.
According to Chappell, two key things have come out of the recent high-profile attacks–the attackers are aware of OT systems and how to compromise them, and every system in the environment of a CI provider is critical to their operation.
“Ransomware on all of the workstations in an organization makes it impossible to get to the backend systems that are used to run the operation. You can’t bring new infrastructure into the environment until the threat is neutralized, paralyzing the organization,” he said.
The problem with critical infrastructure networks, Schachinger said, is they are flat and open, and the devices are vulnerable.
“This means the malware that has found its way into the network can spread unhindered. The most popular attack method is still email. The chances of success are good and — even if it fails — there is no risk of any consequences for the attacker. Of course, email-based attacks work better when cybercriminals are prepared,” he said.
Email is not the only way into a company. Remote maintenance access is a major risk, especially in industrial networks, Schachinger said.
Ransomware attacks aren’t going anywhere, according to Hudairi.
“If anything these threat actors have made their operations an enterprise, creating scalable, repeatable and profitable campaigns. While there is no silver bullet to ransomware-proof your organization, there are several Zero Trust approaches that can mitigate the risk,” he said.
How to secure critical infrastructure
Chappell said that enterprises and CI providers need to focus on the foundational elements of cybersecurity in the first instance.
“Getting the basics right with appropriate best practices will ensure that the cybersecurity implementation sits on a solid base. These include vulnerability management, identity management, configuration management, patch management, change management, and of course, privileged access management,” he said.
Curry recommends uplevelling the cyber discussion: bring it to the boardroom.
“Make it a risk-based discussion. Cover the bases, invest in the people and practice. Security is a sport that is played, not watched,” he said.
For Schachinger, the answer to enhancing network security even as connectivity increases is network segmentation.
“Network segmentation is crucial in today’s working environment and is as important in OT systems as it is for IT networks. We’ve seen what can happen to an unsegmented network when it is breached. To avoid the devastating impact of modern ransomware attacks and network breaches, Middle East critical infrastructure operators need to implement network segmentation,” he said.
Hudairi suggests four actions Middle East organizations can take to protect against ransomware:
Secure the edge: Wherever that may be. Detecting risky behavior and securing endpoints are crucial to reducing the impact of a ransomware attack.
Control access privileges with tools and context: VPNs have their place, but the unbridled access they enable is risky. With users logging in from anywhere, it’s critical to understand the context under which they’re accessing your corporate apps and data.
Prevent data modification and exfiltration: Modern data loss prevention means protecting data both at rest and in motion. Modifications or duplications of data at rest can be indicative of a bad actor, and whatever data is exfiltrated should be encrypted regardless of whether the user is legitimate or not.
Protect all endpoints: One compromised user or device can be detrimental to the security of the entire infrastructure.
Regulation and role of governments
Hudairi said that with recent international conflicts, there have been fears of increased cyber threats targeting government bodies and critical infrastructure across both the public and private sectors.
Government can provide standardization, regulation, and cyber funding to protect the most vulnerable and important industries and assist with cybersecurity implementation, Hudairi added.
Curry recommends carrot and stick. First, encourage investment in cyber, cyber governance and innovation. Mandate rules for working with the government and stimulate protection for key sectors. Invest in law enforcement and national recommendations, frameworks and resources to assist.
“Give guidance on what to do and consequences for bad management,” he said.
According to Chappell, knowing where to start providing the specific requirements found in protecting critical infrastructure from cyber-attacks is likely outside of the primary operational experience found in CI organizations.
“As cybersecurity appears to only be making a slow move into the fabric of organizations, government lawmakers and the subsequent regulations are providing the external drivers necessary for organizations to make the move toward cybersecurity-first. By making cybersecurity a fundamental requirement within the regulations issued, and backing those up with legislation, governments send a clear message that this is no longer something that can be left to the CI organizations to achieve,” he said.