By Deryck Mitchelson, Field CISO EMEA, Check Point Software Technologies.
Last week, news reports indicated that a European government agency lost hundreds of classified NATO documents to cyber criminals. The stolen information was leaked online and sold on the dark web. The affected nation’s intelligence services failed to detect the breach, highlighting the urgent need to discuss cyber security strategy and resilience planning for Critical National Infrastructure groups, including the government sector.
As you may know, in the UK, Critical National Infrastructure (CNI) consists of thirteen unique sectors. They include Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Around the world, some governments maintain more than thirteen different CNI sectors, while others have as few as four CNI sectors. Regardless of how individual governments classify critical infrastructure services, a cyber attack on any one of such groups could yield deleterious societal repercussions.
This is especially true in the highly interconnected age in which we live…
The interconnected age
Attacks against Critical National Infrastructure are not new. From disrupting water supplies in besieged Constantinople during the 14th century, to the strategic Allied bombing campaign of WWII, throughout history, adversaries have continually used critical infrastructure as means through which to harm perceived opponents during times of political conflict. What is new is that critical infrastructure is more interconnected than ever before, increasing cyber security risk and complicating security measures.
Interconnected infrastructure sectors that are not bound to the same security policy requirements may be at risk of cascading cyber attack effects. The deliberate and malicious modification of data belonging to the water system, for example, could affect firefighters’ abilities to respond to catastrophic fire events. Conversely, malicious modification of data belonging to firefighters could lead to poor or inaccurate decisions around regional water distribution. While interconnectivity can proffer new opportunities, if managed incorrectly, it can also create unnecessarily difficult outcomes.
The industrial IT/OT risk
If we look beyond cross-sector interdependencies, within individual industrial sectors, the convergence of Operational Technology (OT) and Information Technology (IT) massively intensifies cyber security risk. Historically, OT systems were designed with isolation in mind, operating a limited number of software programs, if any at all. Power stations were entirely isolated; requiring physical security alone. Gradually, isolated power stations were connected to one another. Today, OT systems are often connected to Information Technology networks, making these legacy systems uniquely vulnerable to an advanced generation of cyber security threats.
Interconnectivity and interdependencies require support from a wide range of stakeholders, whose motivations and incentives are wildly divergent. For example, in some nations, certain CNI sectors are not subject to stringent regulations. If these sectors retain privately funded organizations within them, adoption of critical security infrastructure may boil down to a cost-benefit analysis. When high costs outweigh clear and immediate benefits, organizations are actually incentivized to deprioritize cyber security, despite potential long-term gains and/or threats to human health.
The nature of CNI ownership and operations are such that synchronization of strategic planning, policy development, and remodels of incentive frameworks are essential in building higher levels of resilience, stronger security programs, and smart solutions for all. Synchronization of efforts can also help avoid duplicative efforts or unnecessary expenses.
Federal governments are uniquely positioned to bring CNI sectors, and other invested parties, including academia and private groups, together. Close critical national infrastructure partnerships will facilitate greater cyber and physical safety for all. Despite the difficulties, it is possible to limit the probability of cascading attacks and widespread cyber security damage across critical national infrastructure groups.
Shortage of staffing
Another obstacle that must be overcome in securing critical national infrastructure includes finding and retaining enough highly-skilled security staff to fill vacant cyber security roles. As of last year, the shortage of cyber security professionals reached 2.72 million, globally. By June of 2022, the number of filled cyber security positions was nearly equivalent to the number of cyber security job vacancies.
Given that cyber security teams are often over-stretched and under-resourced, to help teams stay ahead of threats, CISOs can consider supporting them through technology. One way to temporarily alleviate the strain caused by the talent shortage is through use of artificial intelligence (AI). Of course, AI will not replace the need for staff, but it can augment security and help proactively address security vulnerabilities. In addition, AI can assume the more mundane tasks, freeing up your human capital to focus on more strategic cyber security work.
Solving for secure CNI
CNI organizations need to proactively account for policies, interconnectivity, OT/IT infrastructure, the human element, and processes, along with other factors and security risks as they go about upgrading security strategies and resilience plans. There’s a lot to think about and plenty of options in terms of where to start. But here’s what I’d recommend…
While a single cyber security solution will not serve as a panacea, a critical first step, and means of increasing cyber security situational awareness, is to obtain a high degree of visibility into critical systems. This will assist organizations in discovering internal and external threats, eliminating blind spots, and resolving emergent issues or security gaps in real-time.
Visibility data also creates new understandings of processes and business interdependencies, it can shape new expectations, provide direction around elevating security performance, and can generally lead to a significantly stronger cyber security posture. Get ahead of the curve. Create more value and reduce vulnerability through greater visibility.
For more information about how critical infrastructure groups can proactively enhance security visibility, please see Check Point Software’s resources. For more insights from cyber security expert Deryck Mitchelson, please see 10 best practices: How to prevent cyber attacks in healthcare settings.
Lastly, to receive cutting-edge cyber security news, exclusive interviews, more expert analyses and leading security resources, please sign up for the CyberTalk.org newsletter.