The Ongoing Cyber Threat to Critical National Infrastructure
Written by: Rana Gupta, VP, Asia Pacific Sales for Cloud Protection & Licensing, Thales
In 2021, the Colonial Pipeline in the US was compromised by a major ransomware attack, which disrupted nearly half the fuel supply for the eastern part of the country. This incident brought the threat of attacks against Critical National Infrastructure (CNI) – energy, utilities, telecommunications, transportation – to the forefront of many minds. Closer to home, critical infrastructure operators in Asia Pacific are increasingly targeted by cyber espionage and sophisticated attacks with the potential for severe disruption to essential services such as energy and water supply, according to a 2021 report by Deloitte. The effects of cyberattacks on CNI are not only extremely inconvenient, but can also be deeply disruptive to wider society and, in some cases, life-threatening.
The reality of living in an increasingly connected world means that when these attacks happen, they are felt acutely and often on a global scale. For example, a major attack that takes systems offline for months would cost billions and could completely disrupt entire economies. CNI attacks are attracting considerable attention from governments and regulatory bodies around the world, particularly since the onset of the Russian invasion of Ukraine. Reducing the risk of attacks such as ransomware and malware on CNI will be of paramount importance to the stability of nation states for years to come.
The Threat of Ransomware
CNI attacks, both targeted and untargeted, have never been easier to carry out. Over the past decade, CNI has become increasingly connected to the internet, as water and energy systems come to rely on intelligent sensors and government operations become deeply rooted in data. Reliance on cloud and global infrastructure expands the attack surface available to threat actors and hostile nation-states.
According to our recent Data Threat Report, based on a global survey of 2,767 respondents including 876 from Asia Pacific, 55% of security and IT professionals across all critical infrastructure organisations ranked malware as the leading source of increased security attacks, followed closely by ransomware (53%). Organisations in Singapore, including critical infrastructure organisations, were found to be among the most targeted in the world by ransomware attacks. The frequency of attacks is also rapidly increasing, with the Cyber Security Agency of Singapore (CSA) receiving 61 reports of ransomware attacks from January to October 2020, almost double the number reported for the whole of 2019. This is unsurprising, as malware and ransomware attacks are relatively low-cost but can result in big pay-outs for threat actors. Furthermore, the growth in cyber threats in Asia Pacific, including ransomware attacks, is driven by the speed and scope of digitalisation and connectivity in the region. In recent years, ransomware has almost completely changed breach economics.
Given the highly regulated nature of the industries that operate CNI, the risks of a loss of productivity, long recovery times, and reputational damage as a result of an attack are extremely high. For many organisations, just paying the ransom can be less damaging than risking any additional impacts.
However, the report also showed insufficient ransomware preparedness across critical infrastructure organisations. Ransomware’s power comes from immediate “kidnapping” of data and critical systems, requiring a rapid, rehearsed response plan. Yet less than half of respondents stated they have a formal ransomware plan in place. In Singapore, for instance, it was found that businesses and organisations tend to prioritise recovery rather than prevention.
A Very Human Problem
When it comes to tackling these security challenges, the human element presents the weakest link. A majority of successful malware and ransomware attacks gain an initial foothold in organisations through user error. This includes using easily guessed passwords and falling victim to phishing and social engineering techniques such as business email compromise. This lack of basic cyber hygiene is overwhelming companies’ security operations in countries such as Singapore, and is evident when employees open phishing e-mails or select insecure passwords. The situation has worsened considerably in recent years due to large-scale shifts to hybrid and remote working arrangements, particularly in industries that operate CNI – prior to the events of 2020, all such activity would likely have been contained on site.
Additionally, the convergence of Information Technology (IT) and Operational Technology (OT) makes it easier for attackers to move laterally within organisations, turning IT problems into much more impactful OT system issues. The ongoing attacks on and threats to CNI demonstrate that the entire landscape of OT security has changed, and that OT can no longer be considered separate from IT.
According to Deloitte, the majority of critical infrastructure organisations in Asia Pacific, for example, have no (or very limited) incident response plans for their OT systems, nor do they have playbooks for their OT environments. Without strong processes in place, they cannot enact comprehensive and effective responses to cyber threats.
Despite these challenges, only half of leaders currently have security precautions such as Multi-Factor Authentication in place to counter these human challenges. As ransomware concerns increase, organisations across every sector need to prioritise a holistic approach to cyber resilience which covers IT and OT and includes physical and human factors to ensure robust protection.
A Zero Trust Approach
CNI organisations typically have highly distributed infrastructure, ranging from warehouses, shipping ports and power lines to transmission sites and railroad assets. Additionally, the transition of OT from proprietary, dedicated connections to the internet of things (IoT) has greatly increased the size, complexity and elasticity of the underlying networks while greatly expanding attack surfaces.
When it comes to improving security across these environments, adopting an information-based security architecture, such as a zero-trust model, protects individual information rather than system boundaries. This protects vital data that is at risk not only of exposure, but of being used to affect critical infrastructure itself. Adopting zero trust principles can therefore be a key strategy, by ensuring “least privileged” access to highly distributed, high-value data and assets.
According to our report, only a third of security and IT professionals across all critical infrastructure organisations have a formal zero trust strategy. It’s extremely important that leaders look at these strategies in earnest. Unsurprisingly, organisations with a formal zero trust strategy are less likely to have been breached. Singapore’s 2021 strategy to secure critical infrastructure urges all Critical Information Infrastructure owners to adopt a zero-trust cybersecurity approach for critical systems, and security leaders to adopt a risk-based approach and factor cybersecurity into the organisation’s risk management framework.
Go on the Cyber Offensive
Attacks on Critical National Infrastructure will continue to rise in 2022 and beyond, becoming just as frequent as, if not more frequent than, attacks on IT networks. As we continue to use technology to bring all aspects of our lives online, connecting everything from healthcare to banking to energy and utilities, threat actors now have the ability to target systems that, once offline, have the potential to cause widespread disruption affecting all of our lives.
Business and industry leaders, as well as national governments, cannot be complacent in the face of the real-world implications of attacks on CNI. It’s clear they will need to go on the cyber offensive, to ensure they can effectively prevent and protect against these ever-growing threats.