CNI encompasses the systems and assets that are vital for the functioning of a nation, including energy, water, transportation, and healthcare. As these critical systems are incredibly reliant on digital technology, they are also more vulnerable to cyber threats.
In this article, we will explore the critical infrastructure cyber security vulnerabilities and threats that keep these professionals up at night.
The cyber security threat landscape has evolved rapidly in recent years, with critical infrastructure being a prime target for malicious actors. In 2022, a Waterfall Security report revealed a 140% surge in cyberattacks against industrial operations resulted in more than 150 incidents. The report concludes: “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”
One of the most significant challenges in critical infrastructure cyber security is the prevalence of legacy systems. These outdated systems were often designed without security in mind and can be difficult to patch or update. As a result, they are easy targets for cybercriminals. For example, The State of Authentication in the Finance Industry report reveals that nearly two-thirds (63%) of financial organisations did not upgrade their systems after a breach. These old systems become "digital time bombs," harbouring growing cyber security risks that businesses and individuals must address. Perhaps the biggest example of legacy systems being exploited is the WannaCry ransomware attack of 2017. Exploiting a vulnerability in older versions of Microsoft Windows, WannaCry ransomware affected over 200,000 computers across 150 countries, massively damaging NHS operations in the UK.
Insider threats, whether intentional or accidental, pose a significant risk to critical infrastructure. Employees with access to sensitive systems and data can inadvertently or deliberately compromise security. Bridewell reveals, in the US, over 77% of critical national infrastructure (CNI) organisations have seen a rise in insider-driven cyber threats in the last three years. Increased insider threat could also be linked to increased geopolitical tension and the current economic pressures felt by individuals, with over a third (35%) of critical infrastructure organisations reported a rise in the number of internal employees turning to cybercrime due to poor economic conditions.
Supply chain attacks have gained notoriety in recent years, with attackers targeting software and hardware providers to infiltrate downstream organisations. In 2020, the SolarWinds supply chain attack exposed the vulnerabilities in this approach, compromising the networks of numerous government agencies and private sector organisations. In their State of the Software Supply Chain report, Sonatype state that the number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances.
The COVID-19 pandemic accelerated the adoption of remote work, and with it came an increase in remote access to critical infrastructure systems. While remote access is necessary for operational efficiency, it also introduces new vulnerabilities. We have seen cyber criminals exploit remote access systems to compromise critical infrastructure.
The types of cyber threats targeting critical infrastructure are as diverse as the sectors themselves. These threats can lead to devastating consequences, including service disruptions, financial losses, and even endangering lives.
Ransomware attacks have become a pervasive threat, with attackers encrypting critical data and demanding ransom payments to decrypt it. According to Dragos yearly ransomware analysis for the critical infrastructure sector, there have been 214 ransomware incidents globally in the first quarter of 2023, a 13% increase from Q4 2022. Dragos also observed a new, significant trend; the use of zero-day vulnerabilities. The Colonial Pipeline attack in May 2021 demonstrated the crippling effect of such attacks, disrupting fuel supply across the U.S.
Nation-state actors often employ APTs, which are stealthy and sophisticated cyberattacks designed to steal sensitive data or establish long-term access to systems. The Cyber security and Infrastructure Security Agency (CISA) has warned of APTs targeting critical infrastructure sectors, including energy and water. Purple Sec reveals APT attacks conducted on EU institutions, bodies, and agencies increased by 30% in 2021. In terms of consequences, 34% of companies experienced damage to their reputation because of an APT attack and 78% of companies experience downtime because of an APT attack.
DDoS attacks overwhelm critical infrastructure systems with traffic, rendering them inaccessible. These attacks can disrupt essential services, such as hospitals or power grids. Link11 reveals that during the first half of 2023, they have seen a 70% increase compared to the same period in 2022 and have seen a 67 percent rise in the number of ransom DDoS attacks. And now, we are seeing DDoS attacks supercharged by AI (Artificial Intelligence) technology; the average speed of DDoS attacks in 2021 were 184 seconds … in 2022, it is just 55 seconds!
Given the high stakes involved, protecting critical infrastructure requires a multi-faceted approach:
Q1: What are the consequences of a successful cyberattack on critical infrastructure?
A successful cyberattack on critical infrastructure can result in service disruptions, financial losses, compromised data, and even risks to public safety. For example, an attack on a power grid could lead to widespread blackouts, affecting hospitals, transportation, and communication systems.
Q2: How can critical infrastructure organisations prepare for cyber threats?
Organisations should prioritise cyber security by conducting regular risk assessments, updating legacy systems, training employees, and implementing robust access control measures. Collaborating with government agencies and sharing threat intelligence is also crucial.
Q3: Are there any regulations or standards for critical infrastructure cyber security?
Yes, several regulations and standards, such as the NIST (National Institute of Standards and Technology) Cyber security Framework and the EU NIS Directive, provide guidance for critical infrastructure cyber security. Compliance with these frameworks is often required by law.
Q4: What should CISOs, DPOs, and SRIs do to stay informed about the latest cyber threats?
Staying informed requires continuous learning and networking. Subscribing to threat intelligence feeds, TSC’s The Insider, attending cyber security conferences, and participating in industry forums can help professionals stay up to date with the evolving threat landscape.
In conclusion, critical infrastructure cyber security vulnerabilities and threats are evolving and pose significant challenges to organisations responsible for these vital services. CISOs, DPOs, and SRIs must remain vigilant, adopt best practices, and collaborate with a tried and tested awareness and training partner to protect critical infrastructure from the ever-present cyber threats.
If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your critical infrastructure organisation or if you would like a demo of our products and services ... please contact our Head of Business Development and Sales, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51
