  • 27 September 2023
  • 6 min read

What are critical infrastructure cyber security vulnerabilities and threats?

Critical national infrastructure (CNI) is the backbone of modern society – if CNIs are compromised, the consequences and ramifications are not only financial and legal, but also social and life-threatening.

CNI encompasses the systems and assets that are vital for the functioning of a nation, including energy, water, transportation, and healthcare. As these critical systems are incredibly reliant on digital technology, they are also more vulnerable to cyber threats.

In this article, we will explore the critical infrastructure cyber security vulnerabilities and threats that keep security professionals up at night.

The growing threat landscape

The cyber security threat landscape has evolved rapidly in recent years, with critical infrastructure being a prime target for malicious actors. In 2022, a Waterfall Security report revealed a 140% surge in cyberattacks against industrial operations, resulting in more than 150 incidents. The report concludes: “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

Vulnerability #1: Legacy systems

One of the most significant challenges in critical infrastructure cyber security is the prevalence of legacy systems. These outdated systems were often designed without security in mind and can be difficult to patch or update. As a result, they are easy targets for cybercriminals. For example, The State of Authentication in the Finance Industry report reveals that nearly two-thirds (63%) of financial organisations did not upgrade their systems after a breach. These old systems become "digital time bombs," harbouring growing cyber security risks that businesses and individuals must address. Perhaps the biggest example of legacy systems being exploited is the WannaCry ransomware attack of 2017. Exploiting a vulnerability in older versions of Microsoft Windows, WannaCry ransomware affected over 200,000 computers across 150 countries, massively damaging NHS operations in the UK.

Vulnerability #2: Insider threats

Insider threats, whether intentional or accidental, pose a significant risk to critical infrastructure. Employees with access to sensitive systems and data can inadvertently or deliberately compromise security. Bridewell reveals that, in the US, over 77% of critical national infrastructure (CNI) organisations have seen a rise in insider-driven cyber threats in the last three years. The increase in insider threats could also be linked to heightened geopolitical tension and the economic pressures currently felt by individuals, with over a third (35%) of critical infrastructure organisations reporting a rise in the number of internal employees turning to cybercrime due to poor economic conditions.

Vulnerability #3: Supply chain attacks

Supply chain attacks have gained notoriety in recent years, with attackers targeting software and hardware providers to infiltrate downstream organisations. In 2020, the SolarWinds supply chain attack exposed the vulnerabilities in this approach, compromising the networks of numerous government agencies and private sector organisations. In their State of the Software Supply Chain report, Sonatype state that the number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances.

Vulnerability #4: Remote access risks

The COVID-19 pandemic accelerated the adoption of remote work, and with it came an increase in remote access to critical infrastructure systems. While remote access is necessary for operational efficiency, it also introduces new vulnerabilities. We have seen cyber criminals exploit remote access systems to compromise critical infrastructure.

The cyber threat landscape

The types of cyber threats targeting critical infrastructure are as diverse as the sectors themselves. These threats can lead to devastating consequences, including service disruptions, financial losses, and even endangering lives.

Threat #1: Ransomware

Ransomware attacks have become a pervasive threat, with attackers encrypting critical data and demanding ransom payments to decrypt it. According to Dragos’ yearly ransomware analysis for the critical infrastructure sector, there were 214 ransomware incidents globally in the first quarter of 2023, a 13% increase from Q4 2022. Dragos also observed a new, significant trend: the use of zero-day vulnerabilities. The Colonial Pipeline attack in May 2021 demonstrated the crippling effect of such attacks, disrupting fuel supply across the U.S.

Threat #2: Advanced Persistent Threats (APTs)

Nation-state actors often employ APTs, which are stealthy and sophisticated cyberattacks designed to steal sensitive data or establish long-term access to systems. The Cybersecurity and Infrastructure Security Agency (CISA) has warned of APTs targeting critical infrastructure sectors, including energy and water. Purple Sec reveals that APT attacks conducted on EU institutions, bodies, and agencies increased by 30% in 2021. In terms of consequences, 34% of companies experienced damage to their reputation because of an APT attack, and 78% of companies experienced downtime because of an APT attack.

Threat #3: Distributed Denial of Service (DDoS)

DDoS attacks overwhelm critical infrastructure systems with traffic, rendering them inaccessible. These attacks can disrupt essential services, such as hospitals or power grids. Link11 reveals that during the first half of 2023 it saw a 70% increase in DDoS attacks compared to the same period in 2022, and a 67 percent rise in the number of ransom DDoS attacks. We are now seeing DDoS attacks supercharged by AI (Artificial Intelligence) technology: the average speed of a DDoS attack in 2021 was 184 seconds; in 2022, it was just 55 seconds.

Protecting critical infrastructure

Given the high stakes involved, protecting critical infrastructure requires a multi-faceted approach:

  • Asset inventory and risk assessment: Identifying and assessing vulnerabilities within critical systems is the first step. Regular audits and risk assessments help prioritise security measures.
  • Security patching and updates: Upgrading legacy systems and promptly applying security patches is crucial to closing known vulnerabilities.
  • Employee training: Training employees to recognise and respond to cyber threats can mitigate insider risks and help build a strong and resilient cyber security culture that checks and keeps itself secure.
  • Supply chain security: Evaluating and enhancing supply chain security measures to prevent compromises is essential. Bring the supply chain’s level of security up to your own to keep a consistent level of awareness and security throughout your business.
  • Access control: Implementing robust access control and monitoring systems can prevent unauthorised remote access. You can employ an access control protocol like ‘Zero Trust’ to make sure only those who require access are granted it, whilst nefarious access requests are spotted, logged, and dealt with promptly.

Frequently Asked Questions (FAQ)

Q1: What are the consequences of a successful cyberattack on critical infrastructure?

A successful cyberattack on critical infrastructure can result in service disruptions, financial losses, compromised data, and even risks to public safety. For example, an attack on a power grid could lead to widespread blackouts, affecting hospitals, transportation, and communication systems.

Q2: How can critical infrastructure organisations prepare for cyber threats?

Organisations should prioritise cyber security by conducting regular risk assessments, updating legacy systems, training employees, and implementing robust access control measures. Collaborating with government agencies and sharing threat intelligence is also crucial.

Q3: Are there any regulations or standards for critical infrastructure cyber security?

Yes, several regulations and standards, such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework and the EU NIS Directive, provide guidance for critical infrastructure cyber security. Compliance with these frameworks is often required by law.

Q4: What should CISOs, DPOs, and SRIs do to stay informed about the latest cyber threats?

Staying informed requires continuous learning and networking. Subscribing to threat intelligence feeds, TSC’s The Insider, attending cyber security conferences, and participating in industry forums can help professionals stay up to date with the evolving threat landscape.

Wrapping it up

In conclusion, critical infrastructure cyber security vulnerabilities and threats are evolving and pose significant challenges to organisations responsible for these vital services. CISOs, DPOs, and SRIs must remain vigilant, adopt best practices, and collaborate with a tried and tested awareness and training partner to protect critical infrastructure from the ever-present cyber threats.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness programme for your critical infrastructure organisation, or if you would like a demo of our products and services, please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.