Securing critical infrastructure is crucial for businesses


Food, transport, financial services, energy, information systems, and healthcare are indispensable to everyday life. Cybercriminals are aware that critical infrastructure – physical, cyber, and human assets – underpins these socioeconomic functions. Whether it is a minor disruption, a long-standing conflict zone, or a mere rumor of something amiss in these critical services, it can bring individuals, organizations, governments, and entire economies to their knees.

Energy companies, healthcare providers, government bodies, train systems, and ports in Europe have all come under cyberattack. These attacks underline the importance of safeguarding critical infrastructure while remaining resilient enough to continue operations with minimal discomfort.

Vishal Salvi

Vishal Salvi is SVP, CISO and Head of the Cyber Security Practice at Infosys.

Understanding the threats to critical infrastructure and their impact

Today, cyber threats to critical infrastructure and resilience can manifest as a data breach, ransomware, supply chain attack or political disruption. These threats do not always occur in isolation. For instance, a large bank might experience a data breach and ransomware attack simultaneously.

Today, as economic and digital forms of disruption increasingly displace conventional warfare in global power struggles, data holds immeasurable value (directly and indirectly) for cybercriminals and terrorists and is therefore an alluring target. Organized and targeted data breaches are becoming more sophisticated than the average unauthorized data collection. For example, certain bank employees have privileged access to SWIFT international transfers involving authorization codes. If a cybercriminal, through social engineering, gets hold of the code and conducts fraudulent transactions as a privileged user, the bank (and even its customers or the larger economy) could lose billions.

The Ferrari data breach was a great example of hackers launching ransomware attacks in which the intended targets were car owners, who are typically high-net-worth individuals (HNIs). Similarly, every sector owns valuable data and trade secrets. When the target is an organization or a nation, the impact is much more extensive.

Supply chain attacks, which could lead to disruptions in critical infrastructure, are also a serious concern for businesses relying on several suppliers. While manufacturers might adhere to necessary security protocols, every vendor must also follow supply chain risk/third-party risk management protocols, and these need to be baselined and tracked with regular corrective or preventive actions – during onboarding, offboarding and ongoing operations. Otherwise, any of them can be a weak link and bring down the entire chain. Recently, for instance, train services in Denmark were disrupted due to a supplier experiencing a cyberattack.

Then there are physical threats. A manufacturer’s physical systems are driven by operational technology (OT), which is often proprietary and legacy, developed long before IT systems reached their current state of maturity. Here, the level of security differs greatly from typical IT. Securing OT systems and their touch points with modern IT systems is critical, especially when there’s a high level of digitization and automation. Back-door access must be prevented at all costs to avoid its misuse.

These trends signal larger implications beyond crippling IT systems as cyberattacks become disturbingly common and sophisticated, with potential for a wider community impact including loss of lives – cases in point are incidents in the critical national infrastructure (CNI) space such as the Colonial Pipeline attack or the Florida water plant hacking. Securing critical infrastructure in this complex scenario is not easy and it must be prioritized.

The defense-in-depth approach

Every organization must identify the infrastructure most critical to its existence and operations. IT assets of the organization across locations and departments must first be inventoried, then classified based on business criticality – including potential impact on financial position/reputation, the country’s economy, and other criteria. Classified assets must then be fortified at multiple levels with a defense-in-depth approach, ensuring the most valuable ones receive maximum protection. Multiple levels of protection are more cost-effective and practical than providing a uniform level of protection to all assets.

The AI Act and implications for cybersecurity

Advanced AI-based security tools can sort through piles of historical data to pick out behavioral patterns. These can correlate various data points, find loopholes, and arrive at probable suspects behind an attack as well as predict its likelihood.

However, applying AI needs to be balanced with compliance with privacy laws and rights. Europe has a strong stance on protecting individual rights while giving due attention to organizational and national security. As uncontrolled data analytics and AI carry the potential of being misused by individuals, organizations or rogue nations with nefarious intentions, the European AI Act (in progress) classifies assets based on four levels of risk: unacceptable risk, high risk, limited risk, and minimal or no risk. It recommends a discretionary risk-based approach for using AI, with hefty fines for non-conformity – up to 30M EUR or 6% of global annual turnover, which is much higher than even the GDPR.

Organizations leveraging AI-based tools, especially in cyber threat management functions, must factor in these sensitivities and regulations while implementing cybersecurity measures for their critical infrastructure.

Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys Group.
