Protecting critical infrastructure from cyber threats

It’s the final week of the National Cyber Security Awareness Month and the theme is ‘Protecting Critical Infrastructure from Cyber Threats,’ which focuses on the essential systems that support our daily lives – such as electricity, transportation and banking – and their vulnerability to attack and exploitation by criminals.

These are not just potential vulnerabilities:  they’re all too real.  Over the past two years, power, transportation and banking services have all been targeted by criminals, resulting in major disruption and financial losses.  Here’s a brief recap of those attacks:

• Hackers’ power play: In September 2017, a highly-sophisticated, ongoing series of attacks against multiple electricity companies was revealed.  The group of hackers, dubbed ‘Dragonfly’, used spear-phishing techniques to install Trojan software on target machines, enabling them to move laterally across networks and access operational systems.  Researchers at Symantec warned that the group now “potentially has the ability to sabotage or gain control of these systems, should it decide to do so.”
• Ransomware gives a free ride: Over Thanksgiving weekend in 2016, a ransomware attack on the San Francisco Muni Metro locked up 900 employee workstations and froze its email and payroll systems.  Rather than pay the ransom demand of $73,000, Muni Metro instead opened the gates at its stations and gave passengers free rides.  Great for the public, but not so good for the company’s bottom line.
• Banking fraud: 2016 saw an ongoing series of sophisticated cyberattacks targeting SWIFT, the international cooperative that facilitates global bank transfers and handles trillions of dollars daily.  One of the largest attacks succeeded in stealing $81 million from the Bangladesh central bank.

These attacks were damaging enough.  But they’re also a clear warning that future attacks on critical infrastructure could be even worse, directly impacting the lives of millions of people.  For example, what if the electricity supply to a city was cut off, even just for 48 hours?  Businesses would not be able to function; hospital patients and vulnerable people could die;  citizens may have to be evacuated.  A large-scale attack on the banking system could paralyze the financial markets and cause businesses – even economies – to fail.  And attacks that disrupt transportation systems such as air-traffic control or satellite navigation could have obvious, deadly consequences.

Diverse systems, common security challenges

So how do we build better security into critical infrastructure, to stop attackers being able to target these vital systems and disrupt day-to-day operations?  It’s a huge challenge, because of the sheer variety (and complexity) of the networks and systems in use across the different industries and sectors globally.

For example, in power and water utilities as well as in the transport sector, there are large numbers of cyber-physical systems consisting of industrial equipment such as turbines, pumps and controllers, which are managed by computerized industrial control systems.  These operational systems were not designed with security in mind:  they simply carry out the instructions they receive from their command and control centers.  These connections and communications are done via IP-based networks – which, without proper network defenses, means they can be accessed over the Internet.  As we saw earlier with the attacks launched by the ‘Dragonfly’ group, a hacker that infiltrates the networks of the organization can then gain access to, and control over those operational systems to cause disruption and damage.

In the banking sector, there’s also a diverse range of systems, handling functions such as funds transfers between banks, payments processing, managing business and customer accounts, and much more.  But as we saw with the attacks on the SWIFT network in 2016, these systems and networks are poorly protected and allow attackers to create fraudulent transactions.

So despite the substantial differences between industry sectors and their networks, the security challenges for all critical infrastructure organizations are similar:  stop hackers being able to infiltrate networks – and if they do succeed in breaching the organization’s perimeter defenses, stop them being able to move laterally across networks to access critical systems and resources.

Securing critical infrastructure

As such, network segmentation is one of the core foundation strategies for securing critical infrastructure organizations.  This means keeping critical assets and operational systems separate from other networks in the organization, and from the public Internet, and surround them with firewalls so that they cannot be accessed by unauthorized people.

With the rapid rise in ransomware attacks over the past 18 months, which are designed to exploit internal network connections and pathways to spread rapidly and cause maximum disruption,  organizations should also employ security best-practices to block and mitigate the impact of ransomware attacks on their critical systems.

In conclusion, protecting critical infrastructure against cyberattacks is a complex challenge, as each industry sector has its own unique use cases and requirements.  However, the established security best practices we’ve outlined here can be extremely effective in protecting these vital systems – for the benefit of every one of us.