Critical Infrastructure Protection

Construction worker in a light rail tunnel

In today’s cyberthreat landscape, threat actors are drawn to organizations that operate within critical infrastructure (CI) sectors, such as oil and gas, financial services, telecommunications, mass transportation, public healthcare, etc. When targeting legacy control systems operating within a critical infrastructure sector, threat actors often settle for the lowest hanging fruit, typically people with elevated access privileges to targeted systems and data. For example, an attacker can gain back door entry into an otherwise secure network by acquiring direct access from an insider (current or former employees) connected to a target organization.

By compromising organizations within critical infrastructure sectors, threat actors, such as ransomware groups, are assured of hefty ransom payouts because of the impact of their exploit. Furthermore, when attackers remotely access, control, and command a targeted system, they can cause significant disturbance to critical processes that otherwise benefit ordinary people and entire governments. Therefore, cyberattacks on a critical infrastructure could lead to operational disruption and total system shutdown.

Traditionally, control systems for CI were separate from the open internet. They were deployed on air-gapped networks and had tight physical security. However, the introduction of the Internet of Things (IoT) changed the dynamic. Although it helped cut operational costs and human resources, it also enabled remote access and control of the system.

Protecting critical infrastructure comes with many challenges — from the side effects of digital transformation to ensuring complex, interconnected supply chain networks. Therefore, it is essential for security teams to consider all these aspects to prepare and develop a robust critical infrastructure protection program.

Challenges Associated with Protecting Critical Infrastructure

Critical infrastructures are made of physical and virtual assets (host-based and network-based) that are integral to maintaining operability within high functioning environments. Due to its proximity to normalcy in society, any impact to critical infrastructure networks from natural or artificial threats significantly compromises the safety and security of people, processes, and technologies with high significance. As a result, fostering a proactive approach to cyber risk management within the CI arena is a dynamic challenge.

The number of breaches and cyberattacks on CI has increased considerably in the past few years. Per a recent GE report, 67% of CI-supporting organizations face cyber attacks once a year. As the cyber threat landscape evolves, uncovering challenges associated with securing critical infrastructures requires ongoing research to deliver detective, preventive, and corrective controls to a robust security posture.

The challenges associated with critical infrastructure protection can be divided into several categories; however, in this article, we shall focus on supply chain security-based, digital transformation-based, and human element-based challenges. So first, let’s go into more depth and explore some of the critical challenges associated with security-critical infrastructures:

Supply Chain Security-Based Challenges

Supply chain security is complex; it entails protecting networks of endpoints that serve specific purposes. Traditionally, a supply chain network comprises hardware, software, and managed services from third-party entities working to fulfill a collective business goal. At the same time, the need for greater resilience, transparency, and speed has transformed supply chain networks into more flexible, digital, and interconnected parts. Thus, more data flows through these connections than ever before.

Despite the increase in business agility and speed, the risk profile for supply chain systems that manage supply chain processes within a critical infrastructure sector is greater. For example, concerning the potential cybersecurity attack surface and flow of components through the supply chains: attackers can exploit a security weakness in one link and compromise the functionality of the entire supply chain.

The absence of proper operational technology (OT) security in the supply chain can result in loss of access to emergency and essential services. According to a recent report, 84% of respondents believe that software supply chain attacks will become a grave concern in the coming years. Supply chain attacks exploit trusted third parties to access many attack targets in parallel. A successful attack on OT organizations not responsible for CI can also lead to severe consequences.

Cybercriminals perceive OT networks as low-hanging fruits due to inadequate OT security. The SolarWinds Orion or Sunburst breach is one of the most prominent examples of how a supply chain breach can affect more than 18,000 organizations. After gaining access to the SolarWinds build system, the attacker added a malicious DLL file and distributed it to SolarWinds customers. The malicious file enabled remote access and stayed undetected for over six months

Digital Transformation–Based Challenges

Today’s critical infrastructures are connected to global digital ecosystems that allow greater visibility, control, management, and overall convenience. However, one of the most challenging aspects of managing critical infrastructures that interface with emerging technologies before, during, and after a digital transformation process is the lack of proper security gap assessments. The control systems that function within critical infrastructures are inherently vulnerable to today’s sophisticated cyber operations due to the legacy structure of their operating system and the fragility of their hardware and software architecture. Therefore, introducing newer tools and technologies into legacy computing environments without proper security risk assessments produces risks that could most likely impact operational functionality and business continuity.

Challenges with the Human Element

Amid rapid digital transformation and the introduction of the latest technologies, organizations often neglect to secure the human element to achieve complete network security; as a result, CI protection is incomplete. Human failure to comply with security policies or lack of cybersecurity awareness can allow cybercriminals to target CI networks. The risk of unexpected human error combined with the lack of real-time visibility is a serious security challenge.

Threat actors use social engineering techniques to lure their victims into clicking malicious links to access the network. First, they exploit vulnerabilities related to security knowledge and skills, then manipulate employees into inadvertently revealing access to critical industrial assets. Security automation and cybersecurity training are the best ways to approach this challenge. Replacing manual work with automation and restricting human access to only places with great necessity can help reduce the security gaps. Also, providing cybersecurity awareness training to all employees can fortify the security posture.

Progress Made Thus Far

In recent years, government and private organizations have taken various initiatives to improve CI security. For example, the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems is a collaborative effort between the federal government and its private sector partners. This voluntary initiative aims to improve CI cybersecurity posture by using threat detection technologies and responding in essential control systems.

Setting performance goals or cybersecurity baselines for CI can help improve national security. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) coordinates with partners to make CI more resilient and secure. Below are some of the notable strides made so far:

  • In 2021, the Biden Administration launched an Industrial Control Systems Cybersecurity Initiative, with the primary goal of strengthening the security of the country’s critical infrastructure.
  • In March 2021, the Department of Energy announced new programs to improve global supply chain security vulnerabilities, protect CI, and bring together key partners to enhance energy sector stability.
  • A 2021 Executive Order made it mandatory for agencies to identify and report the presence of national security systems within their computing environment. Such focused attention to networked systems identification helps to adequately provide security awareness and threat mitigation controls to combat security incidents across all National Security Systems.
  • Alberta’s Critical Infrastructure Defence Act protects essential infrastructure from damage or interference. The law further lists prohibited activities and penalties.
  • The Critical Infrastructure Act in Australia manages complex national security risks of sabotage, espionage, and other dangers to Australia’s CI. The act builds a clear picture of CI ownership, mandates cyber incident reporting, offers government assistance, etc.

What Security Teams Should Consider in the Critical Infrastructure Security Sector

Critical infrastructure includes assets, core systems, and strategic networks in physical and digital forms. CISA recognizes 16 sectors of such significance that any disruption can lead to a socioeconomic crisis, jeopardize security, interrupt the national public health system, etc. Therefore, security teams must consider fundamental factors like the changing threat landscape, system vulnerabilities, different threat actors, information sharing, and compliance with regulations for CI protection.

CI security calls for a balance between the need for prevention, identification of any attack with an effective strategy for the response, crisis management, and damage control. Let’s explore various aspects security teams must consider for protecting CI:

Dynamic Critical Infrastructure Threat Landscape

As the nation’s CI attracts extensive criminal activities, this dynamic threat landscape requires more attention. In addition, foreign threat actors with increasingly sophisticated intelligence capabilities are searching for new vulnerabilities to exploit. The CI threat landscape includes international and national terrorism by non-state actors, nation-state-sponsored cyberattacks, and the convergence of IT and OT systems with the increased use of IoT across industries.

Therefore, security teams must consider the evolving threat landscape and adopt secure and resilient strategies capable of handling real-time anomaly detection from multiple data sources and endpoints and accounting for changes in compliance standards.

Consequences of Vulnerabilities in Critical Infrastructures

Threat actors can exploit the vulnerabilities in critical infrastructures for geopolitical and financial gain. The leading causes of vulnerabilities in ICS and SCADA systems are improper design, human errors, and configuration issues. An insecure design creates an opening for malicious actors to compromise critical systems. And because the vulnerabilities in critical infrastructure are inextricably linked, security teams must have a fundamental approach to systems design, infusing cross-domain considerations with security.

The human element depends on capability and intent. Adopting automation and reducing the human element to the bare minimum can minimize security gaps. The poor configuration of services and devices is one of the most common vulnerabilities. Weakly enforced technical and administrative internal security measures and running critical systems on the open internet make them easier targets for compromise.

Emerging Threat Actors and Groups

The low barrier of entry and easy availability of cyber-sabotage resources create more threat actors and groups. From peer and non-peer nation-states to non-state actors like terrorists, cybercriminals, malware developers, initial access brokers, etc., these threats are real and can cause substantial damage. For example, in January 2022, CISA, FBI, and NSA issued a joint alert to warn CI operators about Russian state-sponsored threat actors possessing sophisticated cyber capabilities to develop custom malware and compromise third-party software and infrastructure quickly. In addition, the joint warning advises security teams to invest in endpoint log monitoring capabilities to detect any malicious activity and minimize the impact of a compromise.

Threat Actors’ Interests and Motivations

Threat actors target and compromise critical infrastructures for different reasons: most cybercriminals are motivated by financial gain and bragging rights; meanwhile, advanced persistent threat (APT) actors generally operate on behalf of a rogue nation-state and are often interested and motivated by geopolitical leverage. The primary motivations for attacking a national CI are sabotaging socioeconomic conditions, stealing national security intelligence, and gaining military advantage for future negotiations.

Therefore, cybersecurity teams must understand the dynamic interests and motivations of different threat actors to understand the level of security controls needed to protect critical infrastructures. As a result, cybersecurity teams should likely have cyberthreat intelligence subteams focused on studying and analyzing threat actors’ trends, interests, motivations, and potential targets.

Fostering Trust via Compliance and Collaboration

CI security is an essential part of the global economy and society. Due to the dynamic CI threat landscape, it is not possible for a single organization to effectively manage all the risks alone because of limited knowledge, authority, and resources. It is a shared responsibility of the government and private sector to ensure resilience and CI security. For adequate CI protection, timely trusted information sharing among stakeholders is necessary. Fostering public-private partnerships, coordination, collaboration, and regulatory compliance are the best to ensure network security.

Conclusion

As organizations with critical infrastructures leverage digital transformation to enhance processes and meet market demands, some of the areas of contention will be operational technology (OT), information technology (IT), and the cloud. As such, organizations must assess their security posture by checking that their chosen threat mitigation strategies are adequately deployed and operational, with the correct levels of coverage. Secondly, the ability of an organization to understand its maturity level in alignment with its risk tolerance level is pivotal for combating cyber threats in high production and dynamic environment. Therefore, security teams and senior management must possess a visibility of their organization’s current exposure to cyber risks to enable appropriate response, remediation, and informed decision-making.

Governments and industry leaders are focused on refining comprehensive critical infrastructure standards for highly regulated industries. Therefore, security teams should be equipped with the capabilities required to proactively protect the networks and industrial control systems assigned to monitor and manage critical processes, which modern-day society relies on. If your organization offers critical infrastructure services, watch this demo, inspired by real-life events, to see how an operational technology (OT) SOC team leverages the LogRhythm SIEM to detect a life-threatening attack on a water treatment plant and counteract any further attack cycles — all in real time.