Imagine this scenario: A bad actor has successfully accessed a computer network that helps to operate a water supply system and has tampered its supply, leaving thousands of civilians without running water. Scenarios like this are a reality because of digitalization. All systems used in our everyday lives are now interconnected, and it only takes a press of a button for a bad actor to shut down a critical infrastructure network – like a city’s water supply.
Christopher Dickens is Security Engineer at HackerOne (opens in new tab).
Accessing a major critical infrastructure network is very appealing to cybercriminals, as they can maximize societal impact and demand large ransom sums to ‘fix’ tampered systems. With recent high-profile attacks, including that against the Colonial Pipeline in March 2021, it has become clear that the organizations handling critical infrastructure networks are now in the firing line. Critical infrastructure is vulnerable to both threat groups that are evolving their tactics, and public scrutiny if they do not remain transparent when an attack occurs.
So, how can critical infrastructure networks best protect against increasing cyber threats? Cyber-attacks on critical infrastructure will not go away, but we can reflect on previous industry attacks to understand the lessons learned and identify areas of improvement that may help to prevent future attacks.
You’re only as secure as the weakest link
One of the biggest cybersecurity (opens in new tab) lessons of this year is that organizations are only as secure as their least secure supplier, and basic security (opens in new tab) failings are often the main access routes into critical company systems. This is because most large organizations struggle to have visibility over their own asset inventory, and even less visibility into their supply chain asset inventory. A bad actor doesn't have to target the most direct route into an application, instead they look for the clearly forgotten legacy system, integration or less protected supplier.
Cybercriminals set out to generate large ransom pay-outs with the least amount of effort, and are potentially monitoring targets that continue to use legacy systems to operate networks that are relied upon by thousands. Legacy systems have outdated and unpatched software, misconfigurations, and weak credentials – all extremely easy routes for threat actors to access and shut down. Critical infrastructure networks must have sufficient security to ensure that bad actors are kept at bay.
After the ransomware (opens in new tab) attack, which affected around 2,000 companies worldwide, Kaseya managed to restore encrypted data 20 days after the organization's incident response team detected the security incident, but reports emerged showing that the company was warned of serious security flaws on its software between 2017 and 2020, which were not addressed. The company was aware of seven vulnerabilities present on systems because they had a vulnerability disclosure program, or VDP in place. However, only four out of the seven vulnerabilities that were flagged by security experts were patched. This example demonstrates that although organizations can have effective security programs in place, they can still fall victim to an attack because of a vulnerability in a third-party network.
Critical infrastructure is being exploited right now
Coordinated cyberattacks against the Ukrainian government are happening right now, and the methods being used come as no surprise: CMS and Log4j attacks against an essential member of the supply chain, an IT firm, that manages part of the government's websites. This comes less than 2 months after log4j was discovered, an unreasonably short time for any scanner, pentest or security team to find and fix every instance of a zero day. Demonstrating that critical infrastructure needs different and innovative ways of detecting new vulnerabilities at speed in their huge attack surfaces.
Detection capability is key for critical infrastructure
When reflecting on the recent attacks on critical networks, it’s not all doom and gloom. Security teams observing critical systems are learning from the consequences of previous attacks. Take the Houston Port hack, that happened back in September 2021, for example. A nation-state actor attempted to shut down a major U.S port in Houston, Texas, but the early detection of unusual activity on the targeted network resulted in systems being shut down by the port’s security team before the network was impacted or any data (opens in new tab) was stolen by bad actors. A quick response time was central to the success of Houston Port’s security team, and this demonstrates that detection capability is essential when protecting critical infrastructure networks. Despite this, cyber-attack remediation time is increasing to an average of 3.1 days and, with attack surfaces widening and critical infrastructure networks being a top target for cybercriminal groups, organizations that manage these vulnerable networks simply cannot afford the risk of being hacked.
Left-field methods are here to help
The only means for protection against cyberattacks is prevention. More traditional organizations and industries – including the UK’s Ministry of Defence – are starting to embrace more unconventional security ideas to minimize security risk, like leveraging the ethical hacking community with vulnerability disclosure programs - VDPs and bug bounty.
A global team of ethical hackers can work together around the clock and across time zones to keep a close eye on vulnerable networks, and these security specialists have significant knowledge that can be utilized to identify the exploitability of vulnerabilities and provide detailed feedback to organizations that can help them to improve their remediation speed. With the help of hackers, security teams managing critical infrastructure can spot malicious activity at speed and stop bad actors in their tracks before any damage is done.
What’s more, through a VDP or bug bounty program (BBP), security professionals are invited to search for new and cutting edge vulnerabilities – ‘back door’ gaps that many bad actors are using to access critical infrastructure networks - think log4j for the Ukrainian Government. This is an opportunity for ethical hackers to provide their specialist, ‘outsider’ knowledge of hacking, which is instrumental to help forecast the tactics approaches that can be potentially made by bad actors. For added precaution, organizations can also require third party suppliers to have similar security protocols in place and audit their suppliers to be security ready, which will help towards improving the cyber hygiene of all the links present in a software chain – a win-win for interconnected critical infrastructure networks.
The importance of transparency
Organizations have a responsibility to openly share information on security gaps because transparency builds trust. Every organization is vulnerable to cyber-attacks and there’s too much at stake if a critical infrastructure network were to be successfully accessed by malicious actors as these services are heavily relied upon by the public. Security teams have a duty to reveal as much information as possible about any vulnerabilities that are discovered, especially when an intrusion occurs, to share knowledge and help others to be secure against the same threats.
We’ve seen how transparency benefits organizations that have experienced a breach or attack. Back in March 2019, Norsk Hydro - a global aluminum manufacturer - was hit by an extensive cyber-attack that affected its entire global organization. In response to the attack, the company distributed frequent and candid communications, not only to inform the public about the events that were unfolding, but to help expose the tactics being used by the cybercriminal group to curb future cyber-threats. This is a great example of how transparency helps organizations to tackle intruders while also building trust when a cyber-attack takes place. Cybersecurity leaders, including the CEO of Dragos, widely praised the company in the media for how it handled the attack. Houston Port’s security team was also praised for its transparency when systems were accessed in September 2021.
The only way critical infrastructure can tackle growing cyber-threat is through industry, government and public collaboration (opens in new tab). By working with others to openly share information, security teams can build strength in numbers, learn from previous events, and ultimately build trust - crucial for organizations handling our most critical infrastructure.
At TechRadar Pro, we've featured the best malware removal software (opens in new tab).