From the pillars of safeguarding digital assets against cyberthreats to the best approach to critical infrastructure, Daniele Mancini, EMEA Field CISO at Fortinet, outlines the challenges faced by organisations and how Fortinet is empowering its clients to manage unforeseen risks, be compliant and implement a security-oriented culture.
What are the pivotal industries classified as critical infrastructure?
Critical infrastructure industries comprise an extensive array of sectors that are indispensable for the operation and safety of a country. These sectors are crucial in ensuring public safety, economic stability and national security.
The energy sector has an important role because it serves as an ‘enabling function’ for all other critical infrastructure sectors. The energy sector consists of a network of assets and resources, including electricity, natural gas and oil.
Critical infrastructures are exposed to a diverse range of cybersecurity risks and vulnerabilities, which have the potential to cause significant disruptions to the operation, availability and integrity of vital services and systems. As such, safeguarding these sectors is of utmost importance.
What are the primary challenges faced by organisations within critical infrastructure when safeguarding their assets against cyberthreats and how are these challenges evolving?
Firstly, as a result of the interconnectedness of modern infrastructure, the growing sophistication of threat actors and the expansion of the attack surface brought about by Digital Transformation, these obstacles are constantly evolving.
Secondly, the scope of cyberthreats targeting critical infrastructure has grown beyond individual hackers or small groups. State-sponsored hackers, criminal groups and hacktivist groups that utilise advanced methods and resources are formidable adversaries.
The constantly evolving threat landscapes poses additional challenges to critical infrastructures that store exceedingly sensitive data and are oftentimes stuck on outdated operating systems.
As these infrastructures rapidly migrate to the cloud and implement mobile and Internet of Things (IoT) technologies, the attack surface expands. A combination of IoT devices and outdated technology lacking strong security make critical infrastructure systems attractive targets.
Due to this vulnerability, we have noticed a surge in advanced persistent threats (APTs) within critical infrastructure systems in recent years. APTs are covert, persistent attacks that are designed to compromise critical infrastructure systems and gain control. By compromising operational technology, exfiltrating confidential data, or disrupting vital services, these attacks pose a major threat to critical infrastructure security.
Please share an example of a cyberattack against critical infrastructure and what repercussions it has on the broader cybersecurity discourse.
APTs have continued to evolve with increased sophistication. Their targets have widened to include sectors such as energy, water treatment facilities and transportation systems. These threats often leverage social engineering, spear-phishing and exploit vulnerabilities in software and hardware to gain access to target networks, where they can remain undetected for extended periods.
An example of an APT that has recently focused on critical infrastructure is the operation of the APT group known as ‘Red Stinger’. Since December 2020, this previously unidentified APT actor has been associated with assaults that specifically target critical infrastructure, transportation and military establishments in Eastern Europe.
The group’s deliberate focus on numerous entities, including those engaged in the September East Ukraine referendums, suggests that their actions were driven by geopolitical considerations. Red Stinger was able to extract various types of data from their targets, including microphone recordings, USB drives, keyboard strokes and snapshots, across various campaigns. The diverse assortment of exfiltrated data indicates the execution of a thorough surveillance operation with the intention of amassing sensitive information.
Red Stinger highlights the changing threat picture for critical infrastructure, with long-term espionage by APT organisations such as this using advanced tools and strategies to enter and stay undetected in their target networks. The emergence of these APT groups demonstrates the necessity for strong cybersecurity, ongoing monitoring and international collaboration to safeguard vital infrastructure from skilled attackers.
Critical infrastructure sectors constantly face multifaceted risks from regulatory, strategic and operational dimensions. How do these challenges intertwine and how can organisations address them effectively?
Undoubtedly, these sectors are beset by strategic, operational and regulatory obstacles that interconnect and could affect their capacity to safeguard assets from cyberthreats. Understanding the interrelationships among these challenges is the first step in tackling them.
At the strategic level, organisations need to dedicate long-term planning resources to overcome these challenges. They must develop cybersecurity strategies that are resilient enough to recover from attacks and robust enough to adapt to the ever-changing threat landscape. This entails mapping out all vital assets, evaluating potential risks and the prioritising security initiatives.
At the operational level, the challenge is to maintain the day-to-day security of the infrastructure or plant. This includes having an overview of supply chain security and the management of internal network complexity, while working to overcome any cybersecurity skills deficiency. In addition, organisations need to find ways to strike a balance between security measures, operational efficiencies and availability.
At the regulatory level, they are faced with an extensive array of cybersecurity laws, standards and guidelines. These regulations can vary across sectors and jurisdictions, thereby presenting complexities. Organisations need to dedicate resources, not only to ensure that they are compliant but also to keep up with future regulatory changes that could cause substantial modifications to their current systems and procedures.
How can organisations navigate and stay compliant amidst the evolving regulatory frameworks influencing critical infrastructure cybersecurity?
To operate in sectors involving critical infrastructure, organisations must effectively navigate and comply with regulations and cybersecurity standards. The recent creation of the NIS2 Directive and the Cyber Resilience Act (CRA) in the European Union are some examples of how dynamic the regulatory landscape can be.
Here are seven approaches organisations can adopt to navigate and stay compliant with these frameworks:
- Develop a compliance roadmap: Perform regular risk assessments to ensure that organisational practices are in accordance with the stipulations of NIS2. Also, develop a strategic plan encompassing vulnerability management process, incident response plans and cybersecurity policies.
- Implement and maintain compliance measures: Adopt a security by design approach as mandated by the NIS2 and incorporate security considerations throughout the entire product lifecycle, from concept creation to deployment. Moreover, in accordance with NIS2 and CRA requirements, establish processes for the prompt reporting of vulnerabilities and incidents.
- Foster a culture of compliance: Employee education and awareness is key to ensure each member of the organisation upholds their responsibility in keeping compliant. It is also important to document compliance activities, encompassing policies, procedures and audit reports.
- Leverage cybersecurity technology: Incorporate sophisticated cybersecurity technology that are in line with regulatory obligations to bolster the security posture of the organisation. It is crucial to engage with legal counsel and compliance consultants to support you in navigating complex regulatory terminology and validate your compliance.
- Continuous monitoring and improvement: Conduct internal and external audits to identify areas for improvement and assess the efficacy of the compliance efforts. Remain informed of regulatory framework modifications and adjust compliance programs as necessary.
- Collaborate and share information: Engage in collaborative associations such as Information Sharing and Analysis Centres (ISACs) to facilitate the exchange of threat intelligence and best practices. Collaborate with industry associations and government agencies to bolster compliance initiatives and get valuable perspectives on emergent regulatory developments.
- Prepare for compliance verifications: Prepare products subject to the CRA for conformity assessments by external bodies, particularly ‘critical’ and ‘important’ products that contain digital components.
How does Fortinet assist critical infrastructure entities in mitigating cybersecurity risks and fortifying their overall security framework?
We engage in extensive collaboration with critical infrastructure organisations worldwide at Fortinet. The threat intelligence activities that we perform with the FortiGuard Labs are of the utmost importance. The proliferation and development of cyberthreats have generated a need for innovative solutions and dependable threat intelligence.
By analysing data from millions of global network sensors and Artificial Intelligence, FortiGuard Labs ensures that critical infrastructures are prepared for imminent threats by monitoring the global attack surface. Furthermore, to support organisations in developing cyber-resilience and facilitate the detection, containment and eradication of cybersecurity threats, we have incorporated FortiGuard Labs into our portfolio of technologies.
How will future challenges and advancements in technology shape the strategies employed by critical infrastructure organisations to secure their assets?
Critical infrastructure security is approaching a pivotal moment, characterised by technological advancements and emergent challenges that will force organisations to re-evaluate the approaches they take in safeguarding their assets. The current environment is shaped by a several factors, such as the widespread adoption of Internet of Things (IoT) devices, the emergence of sustainable energy vehicles, the incorporation of renewable energy sources, and the constant threat of cyberattacks.
In the digital age, cyberattacks have become more advanced, posing substantial threats to personal information and vital infrastructure. They have also grown more aggressive over the past decade, with cyberwarfare scenarios growing more realistic.
In the energy and water industries, smart metering systems and the wider digital landscape create specific cybersecurity obstacles. To mitigate these risks, utilities providers need to develop adaptable strategies that leverage cutting-edge technology and promote cross-sector innovation and collaboration.
Organisations in any sector, but especially in critical infrastructure, need to find effective strategies to reduce innovation erosion while becoming more agile in technology and cybersecurity. Perhaps, cybersecurity needs will drive the next generation of change in innovation, collaboration and investment.
Click below to share this article
