The world is not ready for cyber-attacks on critical infrastructure. Governments are not ready, law enforcement isn’t ready, the facilities themselves are not ready, and the people who design, build and operate them are often the least ready of all. Unfortunately, the criminals are very ready indeed.
The world needs to wake up to the vulnerability of critical infrastructures to cyber-attack and to respond, emphatically, with Government regulation, industry-wide collaboration, education and deep, tailored protection. This is the conclusion of a group of industry figures who came together in London in late April to debate the cyber-threats now facing critical infrastructures.
There was widespread consensus that critical infrastructure sits in a cyber-security category of its own. Attacks occupy the boundary between the physical and the cyber-world, and are rapidly increasing in number and complexity. Most of them target industrial systems, production lines, transport and telecommunications networks, hacking into SCADA systems, sometimes through basic tactics such as spear-phishing or malware, before spreading out to manipulate or even disable the infrastructure.
Eugene Kaspersky, founder and CEO of Kaspersky Lab, said: “Traditional crime has recognised the power of cyber. And the criminals are becoming more professional and more creative.”
According to the panel the threat is global. Known victims to date include power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals, among others. And those are just the organisations that both spotted an attack and publically acknowledged it. Many of those hit do neither. This means that robust data on the number and impact of attacks can be hard to come by, hampering risk assessment and response.
The panel categorised infrastructure attacks into two main groups: some are so sophisticated that they can only be backed by nation-states intent on cyber-sabotage and cyber-terrorism; while others, implemented by criminals, are purely about theft.
The discussion recognised the urgency of addressing both dangers, with the experts acknowledging that the more advanced and software-controlled critical infrastructure becomes, the more vulnerable it will be to attack, and the higher the impact – not just in terms of economic performance but in risk to human life.
Organisations that manage critical infrastructure increasingly appreciate and want to address this. Cevn Vibert, Industrial Control Systems Security Evangelist at Solutions PT warned, however, that “the complexity of the systems as well as the complexity of the attacks is a really big challenge for them. They can’t just change overnight.”
A further complication is that the computer management systems running the critical infrastructure are rarely checked with the rigour and regularity applied to physical components. The panel felt that this was largely the result of a lack of Government regulation.
“Buildings are built with strict standards, regulations and penalties. Cyber-systems can be set up in whatever way they want,” said Eugene Kaspersky, adding that there’s a widespread attitude of “it works: don’t touch” towards computer systems. In such a landscape it’s hardly surprising that the Paris airport of Orly was discovered recently to be partly managed by a 1992 version of Microsoft software. “It’s a mess,” said Eugene Kaspersky. And it’s a mess that criminals can easily exploit.
Their job is made easier by the fact that law enforcement organisations have struggled in the past to respond effectively to cyber-attacks on critical infrastructure. Fortunately, this is changing, as police forces worldwide increasingly understand the need for and value of international collaboration and shared intelligence.
The telecommunications industry – itself a top target for critical infrastructure attack – is also in the vanguard of this collaborative approach, as are a number of other IT security firms including Kaspersky Lab.
Panel member Jose Palazon, CTO of ElevenPaths, Telefonica said that the telecommunications industry is collaborative because downtime is not an option for any of them, “We compete with other operators, but we also help each other in terms of maintaining the infrastructure.” If one of them goes down, they can use each other’s network. When asked what organisations should do to reduce if not remove risk, the panel members were unanimous on the priorities for action. Top of the list is a need to transform the approach to IT security. The panel agreed that it is no longer about protecting corporate endpoints, networks and traffic with a robust security solution – it’s about a deep, multi-layered, tailored and continuous approach to security.
“Protecting an industrial segment is not a product, it’s a project,” said Eugene Kaspersky. “You have to design and adapt technologies for each individual infrastructure. No two will ever be exactly the same.”
Jose Palazon agreed: “Do security in depth, putting in many layers of security knowing that some are going to fail at some point. Think about security as a process and understand the motivations and resources of the people who might want to attack your infrastructure.”
Leon Brain, Land Transport Security Policy, DG MOVE at the European Commission also concurred: “Cyber-threats should be dealt with in the same way as other security threats: a full risk assessment should be undertaken to identify the vulnerabilities; security planning must identify clear protocols to be followed; staff need to be appropriately trained and there needs to be regular sharing of information between the different parts of the business.”
This need for education and communication should not be underestimated. The functions directly involved with the critical infrastructure, from automation to IT and security, need to understand the threats and collaborate to identify and address them. But to be truly effective, education should extend to all employees. A successful phishing attack can penetrate the perimeter anywhere in an unprotected network, including an office computer or mobile device.
Traditional roles need to evolve to meet the long term impact of the cyber-threat. As Sr. Andrea Tonini, Owner & Sales Director at BMGroup explained, “The system integrator of the future will need to engineer the IT system to include protection alongside smart access and high productivity – and to develop and integrate this protection into the existing plant.”
The same applies to the civil engineers who design and build the critical infrastructure facilities. Andrew Comer, a partner at BuroHappold and member of the Institute of Civil Engineering said, “I am a great believer that we should be encouraging computer sciences to run alongside engineering degrees. At the moment there is a limited degree of understanding about technology and its impact and, more importantly, the consequences of getting things wrong. We need to rethink the whole way we’re being trained.”
According to the panel, partner networks and education and training all supporting an advanced security solutions play a critical role in protecting critical infrastructures, but Governments must step up too.
“Critical infrastructure is about national security; about global security and the global economy,” said Eugene Kaspersky. “So Governments should play the leading role. They need to introduce regulation for the cyber-systems that manage critical infrastructures. Any regulation will do, as today it’s zero.”
The overall message communicated by the panel is that, regardless of whether cyber-attacks on critical infrastructure are motivated by politics or piracy, they will continue and increase unless they are stopped. Now. As Eugene Kaspersky said, “All nations depend on infrastructure, and infrastructure depends on the cyber-systems. These systems are vulnerable so we need to redesign them to make them immune. We are all facing the same enemy and we have a lot of work to do.”
