Securing critical infrastructures: Addressing threats and importance of prevention
Cyber-attacks against the critical infrastructure of countries around the world have become a regular feature of the news. Because these systems underpin a country’s functioning, they need to be protected from intrusion. Common cyber threat vectors faced by critical infrastructure include ransomware, compromised credentials, malware, phishing, DDoS attacks, infiltration of IoT devices, zero-day vulnerabilities, advanced persistent threats (APTs) and social engineering. Media reports have linked a number of incidents across the globe, including in India, to such attacks: the October 2020 blackout in Mumbai, the 2021 disruption at the National Stock Exchange (NSE) and the recent attacks on power grid systems in Ladakh. Jagdish Mahapatra, Vice President, Asia, CrowdStrike, shared more insights on the subject in a discussion with CXOToday.
- Please provide an overview and the importance of critical infrastructure in the nation and the reasons for it being targeted.
A nation’s critical infrastructure is a collection of systems and networks that are required to keep the country running. Financial services, energy, communication, food and agriculture, healthcare, and emergency services are among the sixteen vital infrastructures identified. Needless to say, they are critical to a country’s effective functioning and must be protected from both internal and external threats. Because of the importance of critical infrastructure, governments are increasingly concerned about its security and resilience.
Cybercriminals have continued their relentless cyber-attacks on critical infrastructure in countries all over the world. Some common cyber threat vectors faced by critical infrastructures include ransomware, compromised credentials, malware, phishing, DDoS attacks, infiltrations of IoT devices, zero-day vulnerabilities, advanced persistent threats (APTs) and social engineering.
Over time, the scale and frequency of these attacks have only grown. In just the first half of 2021, CrowdStrike observed $164 million in ransom demands, with an average cost of $6.3 million. In the last few years India’s government bodies CERT-In (Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre), which keep an eye on malicious cyber activities, have reported numerous attacks on India’s critical infrastructure, for example the state-sponsored attacks that caused blackouts in Mumbai in October 2020, the blip in the National Stock Exchange (NSE) in 2021, and the recent attacks on the power grid systems in Ladakh.
India has decided to release a National Cybersecurity Strategy given escalating cybersecurity threats to national assets and infrastructure.
- What makes critical infrastructure vulnerable to such threats?
Critical infrastructure, such as government services and defence, is an appealing target for state-based cyber attackers given geo-political tensions. With a high level of dependency and real-time connectivity comes vulnerability to threats. Disruption, financial gain, and espionage are the three major motivations for attacking critical infrastructure, and these objectives can apply to all types of attackers, from nation-states to eCriminals. One attack on a single point of failure could result in the disruption or destruction of multiple vital systems in the country directly affected, and a ripple effect worldwide.
For example, the attack on Colonial Pipeline interrupted operations until the ransom was paid. For the target company, however, the attack led to uncertainty about the security of its operational technology (OT) systems, given the absence of proper network segmentation and security controls. This type of collateral damage not only impairs availability in process-control environments but may also jeopardise the safety of personnel and citizens. CrowdStrike’s Global Threat Report 2022 highlights how state-sponsored adversaries weaponised vulnerabilities to evade detection and gain access to critical applications and infrastructure. As per the report, in 2021 China-nexus actors emerged as the leader in vulnerability exploitation and shifted tactics to increasingly target internet-facing devices and services like Microsoft Exchange.
The same web-based strategies, techniques, and processes that have been utilised against IT systems are now being used against OT systems, highlighting the need for a new organisation-wide strategy for cyber resilience that blends IT and OT security.
- What kind of visibility is required into threats to critical infrastructures?
To get a better view of the security of networks, just meeting compliance standards is not enough; doing only that has the potential to put any country at a considerable disadvantage. Instead, government agencies and critical infrastructure firms should engage in proactive threat hunting, looking for unknown threats and attack patterns. Organisations need to establish visibility into their business-technology assets as well as their operational technology systems. The journey begins not only with gaining and maintaining real-time visibility into the assets on these industrial networks but also with protecting access to these networks through the adoption of a zero-trust architecture.
Organisations must increase their systems’ ability to respond swiftly, regain control, and bounce back. They can use scenario planning and threat mapping to identify primary and secondary consequences. These capabilities can predict what measures to take in the case of a large-scale disruption. In a crisis, time is of the essence. Organisations must know what to do, acquire the necessary capabilities, and then rehearse their crisis-response actions in advance of the incident. Most importantly, organisations need to understand who the adversary is. To get this, they need access to proactive threat hunting and threat intelligence. Automation alone cannot protect against such sophisticated cyber attacks.
- What is the importance of threat prevention in critical infrastructure sectors?
Critical infrastructure organisations can best prepare to protect themselves against ransomware and other disruptive attacks by having a thorough strategy.
Pre-emptive activities such as mapping IT-OT interdependencies, conducting simulations in which organisations rehearse and improve cyber crisis-response scenarios, and making the changes needed to achieve cyber resilience are some of the actions that critical infrastructure organisations should take for threat prevention. Mapping IT-OT interdependencies will enable organisations to quickly grasp the full implications of a ransomware attack against any one part of the organisation. Simulations or table-top exercises are usually most effective when they include third parties such as law enforcement, public-sector industry groups, key customers and suppliers. Gaining greater clarity on the roles, responsibilities, and decision-making that will form the core of their response in the event of a cyberattack is important too.
In addition to these, organisations should adopt proactive threat hunting, which gives them a more comprehensive view of the threat landscape and enables them to stay ahead of attacks as well as to understand the likely motivations of the attackers. It will further boost their ability to stop breaches by providing better situational awareness and allowing them to respond to attacks more quickly.
Whether the goal of cybercriminals is financial gain, compromising data, or causing operational disruptions, timely intervention and visibility across the threat landscape, with continuous learning about new tactics, will be critical. Further, any internal vulnerabilities can be detected pre-emptively and fixed ahead of time. Again, speed is critical here, and there is tremendous value in embracing proactive threat hunting. Moreover, including these tactics in risk management sets a higher standard of accountability for protecting public sector data against the ever-increasing number of cybercriminals.