GDI Shorts: Critical Infrastructure and Cybersecurity

Good Data Initiative
Mar 10, 2021

GDI Shorts are an ongoing series where we explore interesting ideas affecting the data economy through three simple questions: What is the idea? Where is it located? And why should I care?

What’s the deal with cybersecurity and critical infrastructure?

The growth of the Internet of Things (IoT) and the increased use of ‘smart’ systems in critical national and sectoral infrastructure have been accompanied by a rise in cyberattacks aiming to disrupt or corrupt these systems.

Infrastructure is made up of the basic physical and organisational structures and facilities needed to operate society (like roads, power plants, and water treatment facilities), along with the workers who operate and facilitate them. Critical infrastructure (also referred to in the UK as ‘critical national infrastructure,’ or CNI) comprises those infrastructure assets, networks, systems, and workers needed to ensure the functioning of services considered essential for society, as well as those considered critical for national security, defense, or the functioning of the state.¹ The likelihood of criminal or foreign state-sponsored cyberattacks against these critical assets and systems has become so significant that the UK government identified ‘cyber’ as one of six Tier 1 threats to UK national security back in 2017. Ongoing risks to critical infrastructure have only increased since then.

Cybersecurity threats typically target control systems rather than data itself, according to a 2015 report by the Organization of American States and Trend Micro. Historically, these attacks primarily took the form of ransomware attacks — cases where malicious software is used to gain access to systems or files, which are then blocked and held ‘hostage’ until a user pays ransom for the decryption key (often through Bitcoin). Statista reports the most targeted global industries remain the public sector, private sector, and manufacturing sector as of 2019 (see graph below). Ransomware has evolved since its early days to more advanced malware, with a ransomware-as-a-service business model (including CryptoWall, Cryakl, and TeslaCrypt) even being offered by organized cybercriminals.

Statista report on most targeted global industries for 2019 (2021)

Yet in recent years, these types of cybersecurity threats have shifted from targeting organizations and consumers as a way of extorting payment to instead targeting CNI with the intent to disrupt or disable at a macro level. These remote attacks have the potential to incapacitate entire regions in ways previously never imagined.

Awareness of and planning for cyberattacks on CNI have become extremely important as more facilities and CNI sectors are digitized, bringing the benefits of ‘smart’ systems along with the associated risks of increased connectivity. Governments and private industry overseeing the management of CNI need to protect these systems (and, to a lesser extent, the data itself) from cyber threats. While it is admittedly impossible to guarantee complete protection from cyberattacks, cybersecurity experts agree that it is possible to take measures to ensure a) service continuity during an attack and b) full recovery after the attack.

Energy grids and utilities have been the focus of several major cyber-attacks globally in the past few years.

Where is this happening?

Cyberattacks on CNI are increasingly being reported worldwide, with localised effects impacting security concerns globally.

Ukraine is reported to have experienced the first confirmed case of a disruptive cyberattack on a power grid in 2015, resulting in a power outage across the Ivano-Frankivsk region that affected over 200,000 customers. In 2016, the San Francisco Municipal Transportation Agency (SFMTA) was attacked and its train ticketing and bus management systems were disrupted, with a ransom of 100 Bitcoin demanded. While the SFMTA was able to avoid paying this because it had made previous backups, passengers did not have to pay any fares while the entire ticketing system was down. More recently, the city of Oldsmar in Florida, USA, experienced a malicious cyberattack on its water treatment plant that raised the water supply’s levels of lye (sodium hydroxide) from 100 parts per million to 11,100 parts per million. While this attack was caught and stopped mid-process, similar cyberattacks are possible on any one of these primary types of CNI².

In a 2018 report, the UK Government noted that, “while states still represent the most acute and direct cyber threat, non-state actors such as organised crime groups are developing increasingly sophisticated capabilities.” Over 30 nations are also thought to be developing offensive cyber capabilities (including the UK), and the US government’s Department of Homeland Security has recently called the commodification of these offensive cyber capabilities a ‘Grand Cyber Arms Bazaar.’

Increasing population density in urban areas worldwide is leading to cities being popular targets of critical infrastructure cyberattacks.

Why should I care about this?

Cyberattack risks to CNI are of international and national concern. As such, countries have been and are continuing to pursue specialized cyber security planning for the protection of critical infrastructures. Two high-profile examples include the United States’ 2013 National Infrastructure Protection Plan, which highlights the complementary goals of cyber and physical security and critical infrastructure resilience, and the EU Agency for Cybersecurity’s ongoing planning across sectors.

Admittedly, cyberattack threats against CNI can seem rather large and existential given they operate at a scope never previously encountered in the history of civilization. This, combined with the ‘hidden’ digital nature of these attacks until their effects are felt, can lead individuals and organizations not familiar with the technologies involved to discount them as a threat, or to fundamentally misunderstand the threat(s). Unfortunately, there is a known global cyber skills shortage that is felt especially hard in the UK.

Beyond human factors, researchers and practitioners have identified a number of ways to proactively protect against and respond to these types of threats. These strategies include developing a robust first line of defense to ensure data encryption and advanced data encryption of valuable assets (i.e., appropriate cryptographic protocols) along with physical security essentials. Paired with this is the need to perform maintenance of digital infrastructure through routine assessments, audits, and regular back-ups³. Experts also focus on ensuring fault tolerance and resilience in cloud computing environments along with creating plans for disaster recovery in anticipation of any successful attempt to breach existing data security. Finally, at a more macro-level, researchers and practitioners suggest that organizations simply be prepared for the increase in cyber warfare that is already here.

For more information about the Good Data Initiative, visit our website at: https://www.gooddatainitiative.com/

Footnotes

[1] The UK government’s official definition of CNI is:

“Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:

a) major detrimental impact on the availability, integrity or delivery of essential services — include those services whose integrity, if compromised, could result in significant loss of life or casualties — taking into account significant economic or social impacts; and/or

b) Significant impact on national security, national defense, or the functioning of the state.”

[2] CNI comprises the following types of infrastructure within the UK: Chemicals, Civil Nuclear, Communications (e.g., data networks), Defense, Emergency Services, Energy, Finance, Food (e.g., farming equipment), Government, Health, Space, Transport, and Water. Similar critical infrastructure categories can be found in countries around the world.

[3] Such preparedness can ensure that organizations looking after CNI are able to respond quickly and efficiently to a variety of cyberattacks. One particularly relevant successful example of this from the healthcare sector is that of the March 2016 ransomware attack on Ottawa Hospital, whose IT staff proceeded to respond by wiping the impacted drives. Ottawa Hospital’s IT staff were able to do so because of diligent backup and recovery processes already in place — so consider this a personal reminder to back-up your own digital assets as well!

Good Data Initiative

Think tank led by students from the Univ. of Cambridge. Building the leading platform for intergenerational and interdisciplinary debate on the #dataeconomy