A cyberbreach on Critical National Infrastructure (CNI) could have a catastrophic impact on the national economy. Joseph Carson, Chief Security Scientist at Thycotic, explains the impact of CNI attacks and how to regain control.
Not all cyberthreats are created equal. While every attack will be bad news for someone, some security incidents can impact the stability of an entire nation. Critical National Infrastructure (CNI), comprising essential services such as water, transportation and power, is perhaps the area with the greatest capacity for causing damage.
These key assets represent an important juncture between the digital and the physical in a way that is seen in few other industries. A breach suffered by a retailer, for example, will harm the organisation’s profits and potentially put customers in the firing line for fraudsters. A serious attack on CNI, by comparison, could have a catastrophic impact on the national economy and even threaten human lives.
The modern world is extremely reliant on key CNI functioning effectively and very vulnerable to any disruption as a result. An attack on the power grid could shut down industry and endanger lives as hospitals and other essential facilities are unable to function, while interfering with transportation infrastructure, such as rail networks, could disrupt business operations and food supplies.
Fortunately, such attacks are extremely rare compared to the constant flow of standard cybercriminal activity. For one thing, attacking CNI assets normally requires much more specialised knowledge and tools than attacking a standard commercial business. More importantly though, most threat actors are motivated by simple profit and there is little direct financial gain in disrupting CNI.
Due to this, attacks on CNI are usually the domain of high-level threat actors working on behalf of nation states. Indeed, according to research from the Ponemon Institute, nearly a quarter of all CNI firms report that they had been the victim of a nation state attack in the last two years.
The impact of real CNI attacks
Such attacks are often carried out as an alternative to traditional kinetic warfare. Cyberattacks are notoriously hard to trace and therefore have a large degree of plausible deniability – especially compared to launching an airstrike. One of the best examples of this strategy was the 2010 attack on Iran’s nuclear programme. The notorious Stuxnet virus, tailormade to attack industrial control systems, wrought havoc on Iran’s nuclear development and is believed to have destroyed around 20% of the country’s nuclear centrifuges.
Attacks on CNI can also be used to deliver a potent political message. In another case of power infrastructure being attacked, Ukraine suffered serious attacks on its power grid in 2015 and again in 2016. The attacks were believed to be the work of the Russia-sponsored advanced persistent threat (APT) group dubbed Sandworm and correlated with the increased tensions and kinetic warfare incidents between Ukraine and Russia at the time. The attacks gave a taste of how disruptive targeting CNI can be, with the 2015 incident leaving around 225,000 Ukrainians in a sustained blackout for several hours.
While such overt incidents are thankfully few and far between, CNI actually faces a near-constant threat from cyberattacks. Ponemon found that nine in 10 CNI providers have been damaged by a cyberattack in the last two years alone.
The challenge of securing CNI
Attacks targeting CNI tend to be the work of advanced persistent threat (APT) groups working on behalf of nation states with specific goals. Such high-level adversaries are difficult to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will opt for soft targets.
In addition to facing particularly tenacious attackers, most areas of CNI must also contend with complex network infrastructure that is difficult to secure. Operational Technology (OT), the systems used for managing the heavy industrial equipment common across these sectors, often operates in a very different fashion to traditional IT. Systems have often been designed with a lifespan of decades in mind and are a poor fit with the fast-moving world of modern IT networks.
Gaining centralised visibility and management of such a complex environment can be extremely challenging – in fact, Fortinet reports that 78% of CISOs have limited central visibility of their OT environments. This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected.
The conflicting network architecture also means that standard security measures such as role-based access control (RBAC) and two-factor authentication (2FA) are close to impossible to implement without purpose-built tools.
These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption. Against this risk, the EU’s Networks and Information Systems (NIS) directive mandates that CNI firms must raise their levels of overall security and network resilience or face significant penalties.
Regaining control of CNI
While OT systems present some difficult security challenges, they can still be secured with the right combination of technology and processes. CNI organisations must pursue a “defence in depth” approach which leverages multiple layers of security to account for the complexity of their network.
One of the most essential areas to focus on is regaining visibility and control of the network as a whole, including the disparate IT and OT systems. In particular, this means having a firm command of how systems are accessed. As with more traditional IT networks, threat actors will almost always seek to acquire user credentials that will grant them privileged access rights to the system.
Implementing a strong privileged access management (PAM) approach will counter this threat by introducing a raft of measures that include ensuring a strong password policy, password rotation, RBAC and 2FA. Behaviour analytics can also be used to detect unusual behaviour and automatically force suspicious users to re-authenticate and verify their identity.
However, a PAM system will only be effective if it can cover the whole environment with no gaps. The solution must be able to accommodate all IT and OT systems such as ICS and SCADA, as well as other connected technology such as IoT.
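The two paragraphs above describe PAM in the abstract: role-based entitlements, 2FA, and behaviour analytics that force a suspicious user to re-authenticate, applied uniformly across IT and OT assets. The following is an added illustration written for this article, not code from Thycotic or from any CNI operator, of how those checks combine into a single access decision with an audit record. Every name in it is constructed: the users (alice, bob), roles, assets (plc-pump-01, scada-hmi-02, ad-dc-01, jump-host), source hosts, baselines and log lines are invented sample data, and the key=value log format is an assumed one.

```python
"""
Toy privileged-access decision engine: RBAC entitlement check plus a simple
per-user behaviour baseline, producing allow / step_up / deny decisions and
an audit record for each privileged-session request. All data constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed RBAC matrix: role -> assets that role may administer. OT and IT
# assets sit in the same table so one policy covers the whole environment.
ROLE_ASSETS = {
    "ot-engineer": {"plc-pump-01", "scada-hmi-02"},
    "it-admin": {"ad-dc-01", "jump-host"},
}
USER_ROLES = {"alice": "ot-engineer", "bob": "it-admin"}


@dataclass
class Baseline:
    """Per-user behavioural baseline, notionally learned from past sessions."""
    usual_hosts: set          # workstations this user normally connects from
    work_hours: tuple         # (start_hour, end_hour), 24h local time, end exclusive


BASELINES = {
    "alice": Baseline(usual_hosts={"eng-ws-07"}, work_hours=(7, 19)),
    "bob": Baseline(usual_hosts={"it-ws-03"}, work_hours=(8, 18)),
}


@dataclass
class AccessRequest:
    user: str
    asset: str
    src_host: str
    when: datetime
    mfa_verified: bool        # True once the user has passed a 2FA step-up


def parse_log_line(line: str) -> AccessRequest:
    """Parse a constructed 'ts=... user=... asset=... src=... mfa=...' line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AccessRequest(
        user=fields["user"],
        asset=fields["asset"],
        src_host=fields["src"],
        when=datetime.fromisoformat(fields["ts"]),
        mfa_verified=fields.get("mfa", "no") == "yes",
    )


def evaluate(req: AccessRequest) -> dict:
    """Apply RBAC first, then behaviour analytics; return an audit record."""
    record = {"user": req.user, "asset": req.asset, "src": req.src_host,
              "ts": req.when.isoformat(), "reasons": []}

    # 1. RBAC: the role must be entitled to the asset, regardless of behaviour.
    role = USER_ROLES.get(req.user)
    if role is None or req.asset not in ROLE_ASSETS.get(role, set()):
        record["reasons"].append("rbac: role not entitled to asset")
        record["decision"] = "deny"
        return record

    # 2. Behaviour analytics: compare the request with the user's baseline.
    base = BASELINES.get(req.user)
    if base is None:
        record["reasons"].append("no behavioural baseline for user")
    else:
        if req.src_host not in base.usual_hosts:
            record["reasons"].append("unusual source host")
        start, end = base.work_hours
        if not start <= req.when.hour < end:
            record["reasons"].append("outside usual working hours")

    # 3. Anomalies do not block an entitled user outright; they force a
    #    re-authentication (2FA) unless the session is already MFA-verified.
    if record["reasons"] and not req.mfa_verified:
        record["decision"] = "step_up"
    else:
        record["decision"] = "allow"
    return record


def process_log(lines):
    """Evaluate every log line and return the list of audit records."""
    return [evaluate(parse_log_line(line)) for line in lines]


# Constructed sample of privileged-session requests.
SAMPLE_LOG = [
    "ts=2021-03-02T09:15:00 user=alice asset=plc-pump-01 src=eng-ws-07 mfa=no",
    "ts=2021-03-02T02:40:00 user=alice asset=scada-hmi-02 src=vpn-gw-1 mfa=no",
    "ts=2021-03-02T02:45:00 user=alice asset=scada-hmi-02 src=vpn-gw-1 mfa=yes",
    "ts=2021-03-02T10:00:00 user=bob asset=plc-pump-01 src=it-ws-03 mfa=no",
]

if __name__ == "__main__":
    for rec in process_log(SAMPLE_LOG):
        print(rec["decision"], rec["user"], rec["asset"], rec["reasons"])
```

The ordering matters: the entitlement check runs before the behavioural one, so an IT administrator reaching for a PLC is denied even from a normal workstation during normal hours, while an entitled OT engineer connecting at 02:40 from an unfamiliar gateway is not locked out but is pushed through 2FA, and the same request a few minutes later with MFA satisfied is allowed with the anomalies still recorded for the auditors.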
This will also enable the organisation to deliver the audits, alerts and analytics that are key to complying with NIS auditors. More importantly though, with a single, centralised point of visibility and management for all user access and activity, CNI operators will be able to significantly reduce the risk of a threat actor infiltrating the network and exploiting its systems to cause nationwide cris