- CISO Guides
- 13 min read
The critical infrastructure sector is a bright flashing lighthouse attracting cyber-criminals from far and wide.
In fact, on Wednesday 19th April 2023, the National Cyber Security Centre (NCSC), issued a warning about threats to UK critical infrastructure and services posed by Russia-aligned cyber attackers.
And then, last month, the UK government published their National Risk Register report. The report, based on the government’s classified National Security Risk Assessment, considers malicious cyber-attacks backed by nation states and terrorist groups. The report concluded that there is a 5% to 25% likelihood of serious attack on UK critical infrastructure over the next two years.
This percentage may seem relatively low, but the potential ramifications are devastating. Today, we are going to dive into the growing threat of cyberattacks on critical infrastructure, and the importance of levelling up your cyber security defence and awareness initiatives.
We will be shedding light on why cybercriminals target these vital systems, the sectors most vulnerable to critical infrastructure attacks, common attack methods, the ugliness of nation-state attacks, notable past incidents, and the importance of cyber hygiene for safeguarding these critical networks.
Cybercriminals have a range of motivations for targeting critical infrastructure, and understanding these motives is crucial for cyber security decision-makers. This focus on critical infrastructure is intentional. Cybercriminals are fully aware of the impact that any disruption has on vital services, not just financially but also on public confidence. Let us explore some of these reasons in a little more detail:
Some attackers aim to disrupt critical infrastructure systems to cause financial losses or gain economic advantages – this can be for personal or geopolitical reasons. By targeting energy, transportation, or financial sectors, they can manipulate markets, extort organisations, or even engage in ransomware attacks. The average ransom demand skyrocketed to $2.07 million in 2022, and from all the evidence gathered in 2023, this average will be higher come year’s end.
Critical infrastructure organisations often hold valuable data, such as proprietary technologies, industrial secrets, or sensitive government information. Cybercriminals may target these systems to steal data for espionage, competitive advantage, or resale on the black market.
This is the fastest growing motive behind critical infrastructure attacks. Nation-states or hacktivist groups might target critical infrastructure to advance political or ideological agendas. This can lead to widespread disruption, compromising national security, thus leading to massive monetary, reputational, and operational disruption.
Cyberattacks on critical infrastructure can be part of larger strategic warfare efforts. Disabling an enemy's power grid or communication networks can severely weaken their defences and infrastructure, making them more vulnerable to physical attacks. Most recently, we have seen critical infrastructure targeted as a form of strategic warfare in the Ukraine/Russia conflict as both nations wrestle for ground, both physically and digitally.
In Bridewell’s Cyber Security in Critical National Infrastructure (CNI) Organisations 2023 report, it is revealed that the national cost of living crisis is also damaging the ability for CNIs to stop cyberattacks. 65% of CNIs are seeing a reduction in their security budgets, with only 21% of organisations using 24/7 IT security monitoring. The report states that 34% of CNIs across the UK anticipate a rise in cybercrime as a direct result of the current economic crisis, whilst 33% of decision makers also believe that the prevalence of phishing and social engineering attacks will grow due to the economic downturn.
Certain critical infrastructure sectors are particularly susceptible to cyber threats due to their interconnectedness, reliance on technology, and potential impact on society. These sectors include:
The energy sector, encompassing power grids and oil and gas facilities, is a prime target for cyberattacks due to its role in sustaining modern life. Disruptions can lead to blackouts, financial losses, and even health risks.
Transportation systems, including aviation, maritime, and railways, rely heavily on digital controls and communication. Cyberattacks in this sector can result in accidents, supply chain disruptions, and economic losses.
Water supply and wastewater treatment facilities are critical for public health. An attack can lead to contamination, service disruptions, and dire health consequences for communities.
Hospitals and healthcare organisations are vulnerable to cyberattacks that can compromise patient data, disrupt medical services, and put lives at risk. Whilst healthcare organisations hold a lot of data, they are also laboured with outdated technology and systems, which leaves them prone to quite common cyberattacks.
And, of course, the financial sector is a lucrative target for cybercriminals seeking financial gain. Attacks on banks, stock exchanges, or payment systems can lead to economic turmoil.
The UK’s National Risk Register report reveals other infrastructure sectors prone to cyberattacks. These include social care, nuclear facilities, and telecommunications. Furthermore, it is revealed that 58% of local governments are facing ransomware attacks on a semi-regular basis.
Cybercriminals employ a variety of techniques to compromise critical infrastructure. Some of the most common attacks are:
Phishing attacks involve tricking employees into revealing sensitive information or providing access credentials. This method is often used to gain initial entry into a network by tricking an employee that has access to the master network into downloading malicious software.
Ransomware attacks encrypt critical data and demand a ransom for decryption keys. Ransomware can work its way into an organisation in many ways, including phishing. When successful, these attacks can lead to data loss and significant downtime.
DDoS attacks overwhelm systems with traffic, rendering them inaccessible. For critical infrastructure, this can result in service disruptions and financial losses. DDoS attacks are quite common but are still frustrating every single time.
Attackers exploit unknown vulnerabilities, known as zero-day exploits, to gain unauthorised access to systems. These attacks can be difficult to defend against because the vulnerability is not initially known and therefore the solution is harder to come by. In some cases, attacks can go unnoticed and unreported for an extended period.
Insiders with access to critical systems can pose a significant risk. Malicious employees or negligent actions can lead to data breaches or system compromise.
This World Economic Forum report reveals that 86% of business leaders and 93% of cyber experts believe global geopolitical instability significantly raises the likelihood of a catastrophic cyber event occurring within the next two years.
Nation-state actors possess advanced capabilities and resources, making their attacks on critical infrastructure especially concerning. These attacks are often stealthy, highly targeted, and motivated by political or strategic goals – and they are on the rise every single day.
When used for political purposes, nation-state attacks threaten operations, destabilise governments, and disrupt critical infrastructure such as power grids, transportation networks, and financial institutions. Furthermore, certain malware can even be used to destroy evidence of network infiltration in cases of espionage. Finally, we have also seen the rise of hacktivist groups such as Iran’s ‘Hackers of Savior’ and the ‘IT Army of Ukraine.’
Dragos, a Qatari critical infrastructure partner, recently revealed some alarming statistics regarding critical infrastructure attacks across the globe for the first quarter of 2023:
Several high-profile cyberattacks on critical infrastructure have underscored the severity of this threat. This increased risk has been felt across the world with various national and public bodies being targeted, from governmental bodies to water companies, train operators to the NHS. With heightened political tensions across the globe, the potential for another attack on our critical infrastructure is not just concerning but highly likely.
Some notable recent critical infrastructure cyber-attacks include:
In 2022, India faced so many damaging critical infrastructure attacks that it changed its cyber security policies forever. In the span of one year, Oil India Limited was targeted by a ransomware gang, Spice Jet Flights was targeted grounding flights for multiple hours, Goa’s flood monitoring system was hit with a ransomware attack and multiple healthcare organisations were crippled by cyber-attacks.
Western intelligence agencies and Microsoft revealed one of the largest known cyber-espionage campaigns against US infrastructure organisations. The cybercriminal group, known as Volt Typhoon, aimed to disrupt critical US-Asia communications infrastructure that would be deployed in the event of a crisis. They also targeted oil and gas pipelines, as well as transport and rail systems.
An organised crime group associated with Lockbit ransomware group attacked an Irish Royal Mail distribution office, forcing all their printers to push out pages that read “Lockbit Black Ransomware. Your data has been stolen and encrypted.” International shipments were disrupted due to a compromised and failing internal IT systems. The attack also scrambled large swathes of the international shipping database. And, whilst the attackers demanded $80 million in return for the decryption key, Royal Mail set up ‘operational workarounds’ for some affected systems to be bypassed. In the end, Royal Mail turned to the UK’s National Cyber Security Centre for help with its ransom negotiations. As a result, the UK government established the Government Cyber Coordination Centre (GCCC) to set foundations for higher cyberattack resilience at local and national levels.
Mitigating the risks associated with critical infrastructure attacks requires a multi-faceted approach, with cyber hygiene, awareness, and training playing a vital role. Here's how organisations can enhance their cyber security posture:
Invest in comprehensive cyber security training for all staff members to raise awareness about potential threats and teach best practices for identifying and responding to them. At TSC, we recommend formulating targeted employee training built on employee behaviour analysis and pinpointed towards specific departments, individual employees and the treats and risks most likely to infiltrate your organisation.
Conduct regular risk assessments to identify vulnerabilities in critical systems and develop strategies to address them. TSC’s Security Awareness and Behaviour Research (SABR) tool is a detailed and comprehensive analytical survey that can be leveraged by small, medium, and large businesses to assess their security culture across five dimensions. You will gain quantitative data that can help support board engagement initiatives and specific data that can inform your future cyber security program. You should conduct regular assessments like this to keep your training and awareness initiatives fresh and engaging.
Implement advanced threat detection and monitoring systems to identify and respond to suspicious activities in real-time. Critical infrastructure organisations should also consider segmentation; creating virtual internal barriers that stop hackers from moving laterally and creating widespread damage.
Keep systems up to date with the latest security patches to minimise vulnerabilities that could be exploited. You must transform employees into active security champions that exhibit safe and proactive behaviours on a day-to-day basis. This may include adding digital nudges and physical awareness materials that remind employees to regularly patch security vulnerabilities.
Develop and regularly test incident response plans to ensure swift and effective actions in the event of an attack. This will be extremely helpful for both your security team and your workforce as they will be tried and tested to deal with a cyber-attack when it happens.
Collaborate with industry peers and government agencies to share threat intelligence and best practices for mitigating cyber threats. For example, after a string of damaging breaches in 2022, the Australian government pushed for critical infrastructure reform, setting up a new national office for cyber security within Home Affairs to consult on a new seven-year cybersecurity strategy. You must also keep up to date with cyber threats and emerging threats by following awareness blogs such as The Insider, so you can stay informed of all things cyber security. It is also crucial that an open dialogue exists between the IT department, board members and every single department. You are only as strong as your weakest link, so it is crucial that employees are educated on how to stay secure.
In conclusion, the rising threat of cyberattacks on critical infrastructure poses significant challenges for organisations and society.
Understanding the motivations of cybercriminals, the vulnerabilities of critical sectors, and the importance of proactive cyber security measures is essential in safeguarding our critical infrastructure from potentially crippling attacks.
Cyber hygiene and a commitment to continuous training and awareness are key to defending against this ever-evolving threat landscape.
If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your critical infrastructure organisation or if you would like a demo of our product line ... please contact our Head of Business Development and Sales, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51