Organizations in every industry now face sophisticated, and often novel, cyber threats. But for organizations operating critical national infrastructure (CNI), the scale and multiplicity of these threats can be overwhelming. These organizations are under immense pressure to avoid downtime, maintain safety standards, and comply with government legislation, while protecting themselves from a high frequency of incisive cyberattacks.
Here's a breakdown of some of the main cybersecurity challenges facing CNI and how organizations can tackle them.
1. Attack Tools for Hire
CNI organizations make particularly favorable targets for ransomware gangs, as the high cost of downtime means they are often more likely to pay a ransom in the hope of quickly restarting their systems. These organizations face the same financial pressures as other industries, but the potential social, political, and safety implications of downtime make them especially vulnerable.
When DarkSide targeted Colonial Pipeline with ransomware last year, the group received the ransom it had demanded just hours after the attack detonated. Even so, it took six days for Colonial to restore the pipeline's operations using DarkSide's IT tool, causing significant oil shortages across the East Coast of the US.
It's not just organized ransomware gangs targeting these organizations, but also individual threat actors using for-hire ransomware-as-a-service (RaaS) tools. The increasing availability of these tools means we are seeing more small-fry attackers taking on big-game targets in the hope of large payouts.
Tools reliant on threat intelligence will struggle to keep up with this dispersed threat landscape. To fight it, organizations will need to employ security approaches that account for novel threats to both their IT and OT systems.
2. Ransomware Groups With Nation-State Backing
Though ransomware affects organizations in all industries, CNI organizations face the added threat of nation-state-backed groups, which cause disruption to aid government or military action and may not be looking for ransom payments at all.
Because of their government backing, these groups have the funding to quickly develop novel tools and are incredibly difficult to combat with legislation or arrests. If an attack of this nature had struck Colonial Pipeline, the time it took to bring systems back online — and the socioeconomic disruption — could have been considerably worse.
At the Royal United Services Institute, Darktrace CEO Poppy Gustafsson addressed Russia's use of cyber warfare in its invasion of Ukraine.
"The attack on the Viasat satellite that disabled Ukrainian military communications one hour before the invasion was a key component of the beginning of this war," she said. "We have seen UK, US, and EU officials jointly attribute this attack to Russia, an immensely political act. That is unprecedented."
3. Destructive Malware
With cyberattacks becoming an increasingly common fixture in military arsenals, CNI organizations are recognizing the need to bolster their defenses against tenacious and well-funded attackers who are employing novel malware strains. Increasingly, that includes destructive malware.
This year the Russian invasion of Ukraine brought another CNI threat into the headlines. HermeticWiper is a disk wiper that struck several Ukrainian organizations a day prior to the invasion, fragmenting and then overwriting files on disk in an attempt to cause disruption. This is a form of destructive malware: malware that does not hold systems for ransom but is simply designed to damage them, wiping data and breaking processes. The average estimated cost of one of these incidents to a large, multinational company is $239 million.
The nature of destructive malware makes it primarily a political or military tool, and in the wake of the invasion of Ukraine, the Five Eyes intelligence alliance issued a warning regarding the heightened risk of cyberattacks. The stakes of such an attack make it paramount that organizations are prepared for novel threats, rather than relying on rules-based security systems.
4. Government Compliance Requirements
The social implications of CNI shutdowns mean that these organizations receive far greater attention from governments. In recent years, legislation has often followed high-profile attacks, leaving organizations limited time to update their procedures and remain compliant. A recent case of this in the US was the Cyber Incident Reporting for Critical Infrastructure Act. The act, signed earlier this year, requires critical infrastructure operators to report cyber incidents to CISA within 72 hours, meaning reports must be hastily drawn together during the immediate aftermath of an attack.
Having advanced threat investigation technology deployed across the digital environment can help CNI operators piece together cohesive threat narratives from disparate and sometimes subtle events, greatly reducing the time security teams need to understand an incident. Beyond meeting government deadlines, this insight into how attacks emerge and move through the network substantially increases an organization's ability to detect sophisticated threats and seek out potential vulnerabilities within its systems.
5. Converged Infrastructures That Need Protecting
An earlier article covered the future of IT/OT convergence and how artificial intelligence (AI) can help organizations embrace it. In brief: Deploying technology that considers IT and OT as a single environment prevents gaps in security posture and aids the detection of wide-ranging attacks.
IT/OT convergence is one of the biggest points of anxiety for security professionals in CNI organizations. Technologies such as the Industrial Internet of Things (IIoT) devices and industrial control systems as-a-service (ICSaaS) make network segmentation increasingly ineffective.
When a phishing attack can lead to OT system shutdowns — and potentially put human lives in jeopardy — security approaches need to be able to stop threats with speed and precision. AI-driven tools can make convergence a strength, using data from one set of systems to inform detections within another.