Barry O’Connell, EMEA general manager at Trustwave, says that critical infrastructure businesses must urgently tackle cybersecurity gaps to prevent potentially catastrophic breaches

Rising geopolitical tensions across the globe are leaving UK critical infrastructure dangerously exposed.

This year, the NCSC has already warned of nation-state-sponsored actors hiding on UK infrastructure networks, using ‘living off the land’ techniques to remain undetected and carry out malicious activity.


Additionally, factors such as the convergence of information technology (IT) and operational technology (OT) systems, a lack of standardised equipment, and the use of third-party vendors continue to make critical infrastructure all the more vulnerable.

Successful cyberattacks on critical infrastructure, such as power grids or transportation systems, can have a ripple effect, causing widespread economic disruption, jeopardising public safety, and even endangering lives.

The current landscape

Critical infrastructure industries such as water, utilities, and energy often rely on outdated legacy systems that were built without modern cybersecurity threats in mind.

Before the convergence of IT and OT, many organisations mistakenly believed their OT systems were isolated from cyber threats because they were air-gapped.

These systems can be difficult and expensive to patch or upgrade, and there is very little standardisation among them, making them prime targets for exploitation.

This convergence has increased the attack surface available to cybercriminals. These systems are often interdependent, meaning a disruption in one area can have cascading effects on other critical systems and, if compromised, can cause widespread outages.

What’s the risk?

Cybersecurity is no longer solely a technology concern confined to IT and security professionals; it is an enterprise risk that can have serious implications for business continuity, brand, and reputation.

When it comes to critical infrastructure, this threat is intensified by the nature of what it supplies – energy and power, healthcare, and water, for example – as well as by the sensitive nature of the data most organisations in the industry hold.

Examples include the Southern Water data breach that occurred earlier this year, which resulted in the compromise of a significant amount of personal data belonging to customers and to current and former employees.

Another is the infamous Colonial Pipeline ransomware attack – the largest cyberattack on oil infrastructure in the history of the United States – which resulted in the pipeline being shut down for several days.

Future-proofing critical infrastructure

In order to ensure critical infrastructure can stand the test of time and, quite literally, keep the lights on, the systems running it must be protected.

To reduce the risk of exposure to cybersecurity threats, there are a number of measures that can be taken.

Firstly, it’s vital to prioritise a complete understanding and risk assessment of the critical infrastructure environment. This includes OT systems, assets, and configurations.

Once this understanding is reached, organisations should also evaluate the connections and functionalities of any and all third-party vendors involved in critical infrastructure operations.

Next, it is important to acknowledge where the gaps are, not just in terms of security but also in terms of resource limitations.

Not every organisation will have the budget, resources, or skills available to cover everything straight away. As such, recognising resource limitations and prioritising the protection of the most critical systems and functions is necessary.

Once the environment is understood and the critical systems have been prioritised, there are some specific security measures that can be taken straight away which will put the relevant organisations in a better position.

These include:

  • Conducting penetration testing and other offensive security approaches to proactively identify weaknesses so they can be mitigated before they are exploited.
  • Implementing continuous monitoring of critical infrastructure systems to identify suspicious activity and potential vulnerabilities.
  • Developing and testing comprehensive backup and incident response plans to ensure a swift recovery from cyberattacks should they occur.
  • Providing training programmes to educate personnel on social engineering tactics and how to identify and prevent them.

The sophistication of cyberattacks varies greatly. While nation-states may launch highly targeted attacks, less skilled attackers may rely on opportunistic tactics. Regardless of the attacker, the vulnerability of critical infrastructure remains the same.

Although not every attack can be predicted or prevented, taking the cybersecurity measures mentioned above, as well as prioritising the most critical assets, will mean that when a cyberattack does happen, the damage and the subsequent risk are reduced.