Protecting CNI: It’s About the Collective

With every aspect of daily life becoming more digitized and connected, the number of threats seeking to exploit this has grown exponentially. The ramifications of course vary, with attacks differing in terms of methods, scope, severity and more. However, a truly worrying trend has materialized in recent years with critical national infrastructure (CNI) becoming a hot target for cyber-criminals because of its importance to daily life and the economy. These attacks, which often target Operational Technology (OT) and Industrial Control Systems (ICS) range from modifying industrial processes through to disrupting them entirely.

Take for example the ransomware attack against shipping company Maersk that occurred in 2017. It disrupted operations at shipping terminals around the globe for weeks and cost the company up to $300m, even causing the largest cargo terminal at the Port of Los Angeles to shut down for a brief time. In this case, the attack affected not only the global supply chain, but highlighted a vulnerability in the company’s cyber resilience as the attackers used the NotPetya malware to exploit unpatched Microsoft Windows software.

According to a study by Bridewell Consulting, 86% of CNI organizations (across aviation, chemicals, energy, transport and water) in the UK have experienced a cyber-attack over the last year, with nearly a quarter (24%) experiencing between one and five successful attacks. A jarring number to say the least. Even more alarming was the fact that just over 90% of the UK IT decision makers surveyed in these sectors revealed that they experienced at least one successful attack in the same timeframe. Similarly, IBM reported a 2000% increase in cyber security incidents targeting OT in 2019, most of them involving Echobot IoT malware.

The interconnectedness of CNI is such that to truly be secure, you cannot simply focus on securing your own system, but need to instead consider everyone else in the chain too. This issue came to the fore during the pandemic when CISA issued an alert warning that malicious actors were targeting US healthcare. Following this, in the UK, the NCSC and partners ramped up their defenses. In particular, the Health & Social Care Network (HSCN) was brought under Protective DNS (PDNS), which helped secure an additional 950 HSCN organizations.

However, it’s not only public sector organizations that were targeted as part of the pandemic related cyber-attacks. PDNS was also used to protect the vaccine supply chain. This was part of the NCSC’s ACD (Active Cyber Defence) Broadening project - which was created in 2020 with the aim of expanding the impact of ACD beyond the public sector. A more cyber-resilient society – regardless of public or private - benefits everyone.

Another prime example of this is when the water supply in Oldsmar, Florida was almost poisoned after the systems of the water treatment facility were breached - potentially by a disgruntled employee. Were it not for the watchful eye of a plant operator who noticed the system implementing a large-scale increase in the amount of sodium hydroxide, otherwise known as lye, into the water supply, thousands of people in the town could have become severely ill.

In this incident, the third-party remote software was accessed. Technology might make our lives easier, but the nature of it also serves to highlight the potential dangers lurking in the cyber supply chain.

The supply chain risk was made evident for all after the discovery of the SolarWinds Orion software supply chain breach. With multiple types of organizations, from government and CNI to private organizations suffering the impact. In the UK, the PDNS – which has been a key cyber defense used by the NCSC for several years now – was the primary data source used by NCSC to help the UK public sector understand where it might be vulnerable and execute the appropriate mitigation tactics. This also provided reassurance to many core parts of the UK government that they were not affected.

These examples, alongside the continued demand for remote working as a result of the pandemic, the growth of IoT and Industry 4.0 show that the attack surface is becoming larger. To help stop these threats, we need to make it as difficult and as costly as possible to attack the UK’s CNI. One way to achieve this is through closer collaboration between governments and the private sector; sharing skills, information and best practices. This type of collaboration will enable organizations to benefit from a greater scale of information which they cannot reach on their own.

An approach such as this would strengthen and benefit all parties, as an effective cyber strategy going forward needs to account for protecting not only the infrastructure system itself, but the overall cyber supply chain that feeds into it. A chain is only as strong as its weakest link. The more we share intelligence and threat mitigation tactics, we can ensure that facilities are not siloed and benefit from collaborative defence. By pulling together in identifying new threats and where education needs to take place, the stronger all sides will be. The more we generate awareness, the sooner we can start taking the necessary steps towards creating a long-term change and a more robust cyber defense across our most critical industries.

What’s Hot on Infosecurity Magazine?