In the last few years, owners of critical national infrastructure (CNI) have accelerated digital transformation initiatives to keep up with the country’s growing demand for energy, transportation, and water services. Many providers have recognized that automating operational processes is essential to gaining the level of efficiency and reliability they will need in the coming decades. As any security professional is aware however, with increased connectedness comes increased cyber risk which must managed proactively.
Managing cyber risk to a connected infrastructure
For all the benefits digital transformation can deliver, and there are many, a connected infrastructure also carries risks that CNI operators may not be well equipped to address. While all enterprises must consider cyber threats as a risk of doing business, and put forth protection to manage that risk, those involved in CNI must consider the risk more broadly. As CNI operators are responsible for delivering essential public services, the interruption of those services can have a far-reaching impact on the population.
In data-oriented sectors such as retail or finance, a severe security incident can impact the company’s ability to process information and conduct business, it may put personal information or trade secrets at risk, and it can cause lasting reputational damage. A successful cyberattack on CNI such as a power grid, on the other hand, could lead to nationwide disruption and potentially put lives at risk.
Most will recall the Wannacry attacks in 2017, in which organisations from more than 100 countries had their data access blocked by ransomware. Two hospitals in Indonesia were among those affected, locking patients’ medical records and bills in 600 computers and slowing down operations since patient handling had to be done manually.
The potential impact also makes CNI a prime target for malicious nation-state activity. A successful cyber strike against critical infrastructure has become a less dangerous alternative to the use of military force and sends a powerful message to both the targeted state and the international community.
For example, the Philippines has accused the Chinese government of cyber espionage over the territorial claims in the South China Sea, and this has also raised concerns over China’s involvement in its energy and transport infrastructure.
As Asia Pacific continues to be fraught with territorial disputes and the risk of terrorism, cyberattacks on CNI should be seen as a matter of when, not if, they will happen.
Balancing risk and opportunity
While cyberattacks present a very clear threat to CNI, digitalisation does present the industry with several impressive benefits, both on a national and global scale. Embracing a more interconnected infrastructure, which combines advanced computing with industrial automation, can increase both productivity and output. This also makes it possible to use powerful strategies such as predictive and remote maintenance, making it easier to identify and resolve issues early before they have a chance to deteriorate and become more serious.
As a result, many organisations working in CNI have sought to find a balance between harnessing the benefits of interconnectivity without significantly increasing their exposure to cyber risks.
This challenge is exacerbated by the fact that much of the world’s infrastructure was never designed to be defended against cyberattacks, relying instead on a highly secured environment to keep them safe from intrusion. It also tends to be difficult to gain a coherent, unified view across different systems as they will often be running on a wide variety of old and obscure protocols that are not designed to work together. This means that it is often far too easy for cyber attackers to exploit security vulnerabilities while remaining undetected.
Visibility is the answer
One of the most drastic solutions to be proposed has been to “go retro”, moving some systems away from digitalisation entirely. Last year, the US Senate passed the Securing Energy Infrastructure Act to study ways of replacing automated systems with low-tech redundancies to protect the country’s electric grid from hackers. In 2016, the Singapore government made the move to unplug all public servants’ workstations from the Internet, to safeguard against data leaks.
No one, however, is suggesting stepping back from digitalization completely is a realistic solution, as the benefits are too great. There may be certain, very specific CNI processes in which any risk of compromise is too high, and special measures must be taken to protect them. But across the broader CNI landscape, the priority must instead be to close the visibility gap that allows cyber aggressors to prepare and implement complex attacks without being detected.
Because a significant amount of CNI is governed by the private sector, it falls to organisations to equip themselves with the visibility into their own networks required to discover and mitigate cyberattacks.