Critical Infrastructure: Batten down the hatches

Recent cyberattacks and exploits of vulnerabilities have had a profound impact on critical infrastructure and are worth studying to secure systems against future attacks 

Critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy “grid”. Although beneficial to the public, this grid is vulnerable to cyber-attacks by “hacktivists” or terrorists. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.  

Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors. An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption, says Nigel Pearson, Global Head of Fidelity, AGCS. “A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue,” he explains.

In addition, ICS are also vulnerable to both technical failure and operator error as well, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports, adds Georgi Pachov, Global Practice Group Leader Cyber, CUO Property AGCS.

While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries. For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day. And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals. 

The time to secure critical infrastructure is now. Security Buyer catches up with Maher Jadallah, Senior Director Middle East & North Africa, Tenable to find out why. 

Cyberattacks have been grabbing headlines across the Middle East for all the wrong reasons in recent years. Help AG’s Middle East-focused ‘State of the Market Report 2021’ revealed: DDoS attacks have become the norm with a 183% increase in the UAE alone; ransomware incidents were on the rise due to a high rate of success; VPNs were attacked monthly as work from home continued; over 18,343 vulnerabilities were identified per the NIST National Vulnerability Database (NVD). Unfortunately, the increase in attacks isn’t limited to just the Middle East.  

What is the current landscape of critical infrastructure? 

In the United States, the 2021 Colonial Pipeline ransomware attack showcased how the surge in vulnerabilities in IT systems can severely impact operations, and the US economy at large. The attack is a stark reminder for Middle Eastern organisations to protect their critical infrastructure or risk a similar fate. 

Globally, to automate workflows and find efficiencies, organisations are investing in Supervisory Control and Data Acquisition (SCADA) systems. According to the Middle East SCADA Market 2021-2027 report by Research and Markets, the market will reach US$2.68bn by 2027. Operational technology (OT) systems like SCADA offer a number of benefits to businesses but the process of securing them can have an impact on operations. Despite this, they absolutely must be secured against cyberattacks. 

Generally speaking, IT and OT systems have common touch points, however each faces a diverse set of challenges. With OT systems, patching vulnerabilities can be challenging because small errors can shut down entire plants and facilities, resulting in loss of time and money. Challenges also arise here because, often, OT involves legacy systems that require specialised knowledge, the absence of which makes working with these systems complicated. 

That said, securing these systems is a must because the impact cyberattacks can have on critical infrastructure and the supply chain will be far more challenging and costly to recover from. 

Are these cyberattacks a modern precedent?  

Attacks against critical infrastructure are not a modern age reality, the first attacks in the 1960s involved phone hacking mechanisms exploiting public phone systems. The introduction of ‘ARPANET’ – the first public packet-switched computer network – in 1969 was followed by the first computer ‘worm’ in 1971 (CREEPER) – it was also the first instance of a Denial of Service attack as it took control of printers. In the early 1980s, the 414s become hacking pioneers when they broke into institutions’ computer systems. 

With the growing adoption of the internet and greater number of cyberattacks, organisations needed a platform to share vulnerability data so others could protect themselves. So, in 1999, MITRE introduced the Common Vulnerabilities and Exposures (CVE) list system, which was followed by the National Institute of Standards and Technologies’ (NIST) National Vulnerability Database (NVD) in 2005. 

From a cybersecurity standpoint, 2014 is associated with the Heartbleed vulnerability, which made its mark on industrial control systems. More recently, vulnerabilities such as Ripple20 have proven to be of significant concern, as it can affect software libraries that are used by OT, IoT and IT devices. 

With the arrival of the 2020s, cyberattacks have continued to grow; the 2020 breach of the SolarWinds Orion platform signaled the start of attacks on the software supply chain. In this case, the attack targeted the auto-update features of the vendor’s software.  

It’s worth highlighting here that attacks don’t always need to target OT systems directly to have a significant impact on critical infrastructure. This was proven b…

To read the full exclusive see our latest issue here.

Never miss a story… Follow us on:
LinkedIn Security Buyer
Twitter logo @SecurityBuyer
Facebook @Secbuyer

Media Contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: editor@securitybuyer.com

Subscribe to our newsletter

Don't miss new updates on your email
Scroll to Top