Who Owns Responsibility for Industrial Cybersecurity?

It is rare for a week to go by without at least one report of a serious new data breach. The majority of these incidents are enterprise data breaches caused by cyber-criminals seeking data that can be used to commit fraud or sold on the dark web for some easy cash; any hardship suffered by organizations and individuals is usually only collateral damage to the perpetrator’s objective of financial gain.

Only a small minority of cyber-attacks go beyond an immediate mercenary aim for cash and seek to inflict specific harm. However, while mercifully much rarer, incidents such as attacks on critical national infrastructure (CNI) can have devastating consequences for an entire country. 

Indeed, recent research from Claroty with 1,000 IT security professionals found that 74 percent believed that attacks on CNI have greater potential to inflict damage than an enterprise data breach. Electric power infrastructure was widely seen to be the most vulnerable CNI target, while other critical areas that are vulnerable to cyber-attack include oil and gas infrastructure, chemical industries, and transportation. 

A serious attack in any of these areas can easily have a huge economic impact, as well as directly threaten human life. Such attacks are limited to the realm of nation-state level threat actors, both because of the resources required and because there is much less readily accessible data such as personal and financial records.
 
What are the biggest threats?
CNI is vulnerable to a number of different cyber threats. The greatest risk comes from attacks where threat actors are able to gain unauthorized access to the network, as this opens the door for a huge number of potentially devastating results.

Attackers could potentially disrupt or totally disable essential utilities such as power or water supplies, cause physical damage to infrastructure, or even engineer directly harmful events such as explosions or traffic incidents. 

Accordingly, our research found that a clear majority of respondents (43 percent) believed hacking and unauthorized network access to be the attack types they were most concerned about in 2020. Malware infections were also seen as one of the biggest threats, and more specifically ransomware was flagged as a leading concern.

While a ransomware outbreak’s ability to lock down systems is bad news for any organization, it can be particularly devastating for critical industries that cannot afford anything more than an absolute minimum of downtime at the best of times.

Most CNI industries also rely on operational technology (OT) systems to govern their physical assets. OT systems work very differently to standard IT networks, and their disparate natures mean there are more likely to be vulnerabilities and blind spots that can be exploited by attackers unless specialist security measures are taken.

Who is responsible for defending against threats to CNI?
Organizations that maintain CNI are in a unique position. Not only will any threat to their operations impact their shareholders and customers, but it may also affect the wider population and even the country as a whole.

When it comes to nation-state cyber attacks, this means that, for the first time in the history of modern warfare, industry – not government – is on the front lines. 

Whereas a more standard enterprise will be expected to account for its own security, this unique situation means that securing CNI is often considered to be a joint responsibility between the private and public sectors. A cyber threat to CNI is a potential nation-level threat, which means the government has a vested interest in preventing incidents.

Indeed, 91 percent of security practitioners responding to our research stated that they believe it is the government’s responsibility to ensure that critical national infrastructure is properly protected from a cyber-attack.

However, CNI organizations cannot afford to simply sit back and expect their government to take care of their security. While the government certainly has an important role to play, it could be considered to be up in the crow’s nest, monitoring the horizon of cyberspace for incoming threats. Governmental bodies should use their access to greater intelligence and security resources to work closely with CNI organizations and inform them of potential threats.

Individual organizations have the responsibility to deal with any adversaries that have already closed in and made contact. In practical terms this means being able to effectively monitor their own networks and rid them of any intrusions and malware. 

Overcoming the security challenge of OT
As mentioned, the OT systems that are essential for most CNI present unique security challenges due to the fact they are distinct from modern IT infrastructure. This means that one of the biggest issues in securing CNI is accounting for these differences and ensuring that attackers are not able to exploit security gaps and vulnerabilities where the two networks overlap.

Alarmingly, our research found that, despite a clear consensus (80 percent) that IT security teams are responsible for protecting an organization’s industrial networks, 25 percent had not been trained on the differences between IT and OT networks. If they are to keep their infrastructure secured against intrusions, organizations must ensure their security personnel are educated and trained with the skills they need.

Alongside this, they need to implement security solutions that can bridge the gap between OT and IT, enabling them to identify threats that seek to take advantage of the complex network architecture. 

With a unified view of security, backed up by intelligence from the government, organizations can keep their CNI – and the country at large – safe from major cyber-attacks.
