Accessing a major critical infrastructure network is very appealing to cybercriminals, as they can maximize societal impact and demand large ransom sums to fix tampered systems. With recent high-profile attacks, including that against the Colonial Pipeline in March 2021, it has become clear that the organizations handling critical infrastructure networks are now in the firing line. Critical infrastructure is vulnerable to both threat groups that are evolving their tactics and public scrutiny if they do not remain transparent when an attack occurs.
So, how can critical infrastructure networks best protect against increasing cyber threats? Cyberattacks on critical infrastructure will not go away, but we can reflect on previous industry attacks to understand the lessons learned and identify areas of improvement that may help to prevent future attacks.
You’re Only as Secure as the Weakest Link
One of the biggest cybersecurity lessons of this year is that organizations are only as secure as their least secure supplier, and basic security failings are often the main access routes into critical company systems. This is because most large organizations struggle to have visibility over their own asset inventory and even less visibility into their supply chain asset inventory. A bad actor doesn’t have to target the most direct route into an application, instead, they look for the clearly forgotten legacy system, integration, or less protected supplier.
Cybercriminals set out to generate large ransom pay-outs with the least amount of effort, and are potentially monitoring targets that continue to use legacy systems to operate networks that are relied upon by thousands. Legacy systems have outdated and unpatched software, misconfigurations, and weak credentials—all extremely easy routes for threat actors to access and shut down. Critical infrastructure networks must have sufficient security to ensure that bad actors are kept at bay.
After the ransomware attack, which affected around 2,000 companies worldwide, Kaseya managed to restore encrypted data 20 days after the organization’s incident response team detected the security incident, but reports emerged showing that the company was warned of serious security flaws in its software between 2017 and 2020, which were not addressed. The company was aware of seven vulnerabilities present on systems because they had a Vulnerability Disclosure Program (VDP) in place. However, only four out of the seven vulnerabilities that were flagged by security experts were patched. This example demonstrates that although organizations can have effective security programs in place, they can still fall victim to an attack because of a vulnerability in a third-party network.
Critical Infrastructure is Being Exploited Right Now
Coordinated cyberattacks against the Ukrainian government are happening right now, and the methods being used come as no surprise: CMS and log4j attacks against an essential member of the supply chain, an IT firm, that manages part of the government’s websites. This comes less than two months after log4j was discovered, an unreasonably short time for any scanner, pentest, or security team to find and fix every instance of a zero-day. Demonstrating that critical infrastructure needs different and innovative ways of detecting new vulnerabilities at speed in their huge attack surfaces.
Detection Capability is Key for Critical Infrastructure
When reflecting on the recent attacks on critical networks, it’s not all doom and gloom. Security teams observing critical systems are learning from the consequences of previous attacks. Take the Houston Port hack that happened back in September 2021, for example. A nation-state actor attempted to shut down a major U.S port in Houston, Texas, but the early detection of unusual activity on the targeted network resulted in systems being shut down by the port’s security team before the network was impacted or any data was stolen by bad actors. A quick response time was central to the success of Houston Port’s security team, and this demonstrates that detection capability is essential when protecting critical infrastructure networks. Despite this, cyberattack remediation time is increasing to an average of 3.1 days, and, with attack surfaces widening and critical infrastructure networks being a top target for cybercriminal groups, organizations that manage these vulnerable networks simply cannot afford the risk of being hacked.
Left-Field Methods Are Here to Help
The only means of protection against cyberattacks is prevention. More traditional organizations and industries—including the UK’s Ministry of Defence—are starting to embrace more unconventional security ideas to minimize security risk, like leveraging the ethical hacking community with VDPs and bug bounties.
A global team of hackers can work together around the clock and across time zones to keep a close eye on vulnerable networks, and these security specialists have significant knowledge that can be utilized to identify the exploitability of vulnerabilities and provide detailed feedback to organizations that can help them to improve their remediation speed. With the help of hackers, security teams managing critical infrastructure can spot malicious activity at speed and stop bad actors in their tracks before any damage is done.
What’s more, through a VDP or bug bounty program, security professionals are invited to search for new and cutting edge vulnerabilities—”back door” gaps that many bad actors are using to access critical infrastructure networks—think log4j for the Ukrainian Government. This is an opportunity for ethical hackers to provide their specialist, outsider knowledge of hacking, which is instrumental to helping forecast the tactics and approaches that can be potentially made by bad actors. For added precaution, organizations can also require third-party suppliers to have similar security protocols in place and audit their suppliers to be security ready, which will help towards improving the cyber hygiene of all the links present in a software chain—a win-win for interconnected critical infrastructure networks.
The Importance of Transparency
Organizations have a responsibility to openly share information on security gaps because transparency builds trust. Every organization is vulnerable to cyberattacks and there’s too much at stake if a critical infrastructure network were to be successfully accessed by malicious actors as these services are heavily relied upon by the public. Security teams have a duty to reveal as much information as possible about any vulnerabilities that are discovered, especially when an intrusion occurs, to share knowledge and help others to be secure against the same threats.
We’ve seen how transparency benefits organizations that have experienced a breach or attack. Back in March 2019, Norsk Hydro—a global aluminum manufacturer—was hit by an extensive cyberattack that affected its entire global organization. In response to the attack, the company distributed frequent and candid communications, not only to inform the public about the events that were unfolding but to help expose the tactics being used by the cybercriminal group to curb future cyber threats. This is a great example of how transparency helps organizations tackle intruders while also building trust when a cyberattack takes place. Cybersecurity leaders, including the CEO of Dragos, widely praised the company in the media for how it handled the attack. Houston Port’s security team was also praised for its transparency when systems were accessed in September 2021.
The only way critical infrastructure can tackle growing cyber-threat is through industry, government, and public collaboration. By working with others to openly share information, security teams can build strength in numbers, learn from previous events, and ultimately build trust—crucial for organizations handling our most critical infrastructure.