The critical infrastructure sector is under increasing risk of cyberattack. Threat actors, ranging from state-sponsored hackers seeking to gain political advantage through to criminals seeking to extort providers for profit, are finding opportunities as the sector embraces digital transformation.
Tim Conway, from leading cybersecurity industry training provider, the SANS Institute, says the critical infrastructure sector has changed significantly over the last two decades. While the poles and wires we see today would remain familiar to Edison should he still be walking the earth, the mechanical and manual systems behind the physical infrastructure have changed substantially.
“There's been a tremendous amount that's changed kind of over the last 15 to 20 years,” says Conway. “Electromechanical or manual controls have migrated to these digital assets now.”
This has been driven by several factors, as critical infrastructure providers try to optimise operations. There is also a push towards remotely managing systems, which has given these systems increased remote connectivity – something that was considered unthinkable just a few years ago.
“We’re seeing a movement towards cloud integrated operations and untargeted ICS targeted malware is now a serious security issue,” explains Conway.
With legislators around the world setting new rules and myriad standards available to critical infrastructure providers, there’s no shortage of guidance on how to secure these environments. Conway notes that while following standards is important, organisations should also take a risk-based approach. Minimising the risk of attack requires a balance between compliance and risk-based approaches to cybersecurity controls.
Underlying this are people. Conway says, “There's a unique need for hybrid skills in this field that tie operations, engineering, technology, security and safety together. It's crucial for organisations that are responsible for critical infrastructure to develop these skill sets and harness them in ways that recognise the operational drivers and constraints of the process and the environment and the technology that's all used to control it.”
The industrial control system community needs to focus on the unique demands that are represented by information technology (IT) and operational technology (OT) as these two sides of the critical infrastructure coin are increasingly overlapping.
Cyberattacks on the energy system in Ukraine and the ransomware attack on Colonial Pipeline highlight the increased focus of threat actors and how attack vectors previously thought to only target IT are now affecting OT environments. And while technology is a critical element of the defence, ensuring teams are well trained, through courses such as those run by the SANS Institute, is critical for ensuring the operators of critical infrastructure are prepared for the new threats they face.