The cyber threat against critical infrastructure

As defined by the UK government, there are 13 Critical National Infrastructure sectors in Britain, incorporating finance and food, communications, and health. The diverse range of public and private sector organizations is the lifeblood of our communities. During the pandemic, the range of services that we considered critical to our livelihoods, health and wellbeing ballooned. From our local supermarket to our children’s schools, it became more apparent how essential this ecosystem of services, retailers, and community assets is. The idea that critical infrastructure only refers to ‘big ticket’ organizations like banks, hospitals, and power stations is redundant.

About the author

Adam Vincent is the Co-Founder and CEO of ThreatConnect Inc.

For cybercriminals, our dependence on this increasingly critical ecosystem means one thing. There are riches to be had in holding it hostage.

When cybercriminals unleash their digital weapons on the world, they care little about who may fall victim. While some attacks may target a particular institution, like a national bank or global telecommunications company, collateral damage is often inevitable. Viral attacks such as ransomware are indiscriminate, and it doesn’t matter whether the virus’ victim is a bank, a school, or a local supermarket. As long as they pay up, it’s a win.

Small ticket attacks amass attractive returns

Increasingly, cybercriminals are seeing the benefits of this smaller-scale hostage-taking. Why invest heavily to take on a cyber-savvy global financial institution when you can deploy low-effort attacks against the unprepared? The payouts from each victim might be lower, but the cumulative effect is the same - riches in the pocket for minimal effort.

For example, the National Cyber Security Centre (NCSC) recently alerted schools to a surge in ransomware attacks. As reported by Schools Week, a “highly sophisticated ransomware attack” against a Cambridge multi-academy trust saw its 17 schools and colleges shut for several days, with 24 schools across South Gloucestershire also hit in the same month. Zoom out, and you will find a 93% rise in attacks against schools and colleges in the UK.

The hospitality and retail sectors are also experiencing a cascade of cyberattacks. Over 300 Spar convenience stores were affected by a ransomware attack that forced some to close in December, an example of hard-hitting collateral damage coming via an attack on a software supplier. The ransomware net will happily catch anyone. Although hotels, bars, and restaurants are not traditionally considered ‘critical infrastructure’, they are being targeted more frequently, and the effects on customers and employees are costly. With the hospitality sector employing over 2.3 million people (the UK's third-largest private-sector employer), the economic impact of an attack extends well beyond a few missed meals.

Despite so many examples of successful attacks, many organizations in sectors such as education and hospitality are still optimistically naïve about cyber risk. The truth is that critical infrastructures and supply chains are the targets because they are not identifying the cyber threats that matter most.

Weaponizing risk-blindness

Criminals are weaponizing this risk-blindness. Everyone is fair game in the cybercrime economy, and the risks are ever-growing.

What does this mean for our communities’ services? There is an urgent need for critical infrastructure to adopt a risk-led cybersecurity program. A risk-based approach to cybersecurity means organizations must identify, understand, prioritize, and remediate the primary cyber risks they face.

This Risk – Threat – Response paradigm can ensure leaders understand the risks they face, quantify potential costs, prioritize effective responses, and allocate resources, even within a threat landscape that is constantly changing. Many organizations struggle to prioritize vulnerabilities. For example, one of the most widespread threats comes from unpatched, known vulnerabilities - of which there are thousands. Patch prioritization is an uphill battle without insight into which of them pose the most significant risk to your business.

However, organizations can use the latest data-led technologies, which apply established mathematical models, to align response with risk. Such tools assign a financial value to risk and make recommendations based on how much risk a vulnerability contributes. For example, this can provide short-term recommendations for real-time prioritization of patching and demonstrate how financial risk is being reduced.

Cyber risk quantification helps organizations balance cyber threats with other mission-critical priorities. After all, the return on spending a substantial amount to mitigate a cyber risk that may not cause much harm must be weighed against the requirement to spend funds on other vital areas of the business. However, if you can’t quantify risk, you are shooting in the dark.

The who, where, how, and when

Within this risk analysis paradigm, a cyber threat intelligence (CTI) program enables continuous assessment of the who, where, how, and when of digital threats. A risk-led cybersecurity program focuses on the most significant risks and uses threat intelligence to drive an orchestrated, effective response. When proactivity and prevention are the best defenses against attack, a CTI program must be the first step for critical infrastructure leaders.

This may seem like a tall task for organizations not used to prioritizing cyber security, especially when so many issues compete for resources, but help is available. From our local convenience store to our community college, the businesses and organizations we rely on are at increased risk of attack. Without a risk-based cyber threat intelligence program that proactively tackles threats head-on, the services that underpin our everyday existence are at risk. That’s a mighty high cost to pay.

Adam Vincent

Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect, the first-of-its-kind threat intelligence platform. He has more than 16 years of working experience.