Five years ago, cyberattacks impacting critical infrastructure were considered a relatively rare occurrence. There had been a couple of instances of attacks in Ukraine, where attackers impacted energy supplies, but few considered mass outages impacting any and all organisations. That has now changed.
In the last few years, we have seen numerous organisations crippled by ransomware attacks, such as those that impacted JBS Foods and the Colonial Pipeline last year. The frightening reality is that the threat to critical infrastructure operators has increased rather than dissipated.
Threat actors recognise the impact they can have by affecting these environments and rely on it to monetise their attacks, with growing precision and frequency. Far from being over, these attacks have continued: KP Snacks experienced outages in February this year following an attack on its IT systems. Even whole regions can be affected, as demonstrated by the attacks targeting Costa Rica, which led the country to declare a state of emergency.
These attacks are evidence that the threat is neither over nor trivial. But how can critical infrastructure operators adequately defend themselves against these persistent threats?
Critical infrastructure relies upon operational technology (OT) used to control physical devices. These systems are increasingly connected to, and even controlled by, IT systems.
Attackers have capitalised on these converged IT and OT networks to move laterally from one system to another. The compromise of just one device becomes dangerous, because an attack on an IT system can render OT systems inoperable.
A major factor is that the tools and processes of yesterday are still being used to solve today's problems. They were built and designed for an era when the attack surface was a static laptop, desktop or on-premises server.
The harsh truth is that the vast majority of attacks are preventable.
To stem the tide and stop ransomware continuing to run amok, organisations need to determine the risks that exist within their infrastructure. This requires a holistic view of both IT and OT environments, the interdependencies on which critical functionality depends, and where weaknesses and vulnerabilities exist. In physical OT environments there are a myriad of hidden systems, tucked away in a closet or under a desk, that were temporarily installed, promptly forgotten and left under-protected.
Once a holistic viewpoint is established, the next step is to distinguish what would cause theoretical damage from what would cause practical damage. From this position, steps can be taken to remediate the risks where possible, or to monitor the assets related to each risk for deviations, so that attacks can be nullified.
Knowing where to start can seem insurmountable, but there are a number of resources at hand. There are global initiatives, such as the joint cybersecurity advisory from key cyber agencies in the United Kingdom, Australia, Canada, New Zealand and the United States that underscores a key trend regarding the most routinely exploited vulnerabilities.
Advisories and guidance such as this are vital for organisations because they provide strong intelligence about which vulnerabilities bad actors are actively exploiting. If organisations fix these flaws, the vast majority of attack paths will be closed off, preventing compromise, malware infiltration and exfiltration of data.
Most ransomware attacks leverage weaknesses created by misconfigurations and known but unpatched vulnerabilities, meaning these incursions could have been prevented. However, when it comes to critical infrastructure, that is not always a simple exercise.
These systems are often complex, and in industrial environments they are built on legacy equipment and protocols that were designed neither with security built in nor with external connectivity in mind. Yet this is today's reality.