Critical national infrastructure organisations need an integrated approach to cyber-security based on effective threat detection and response, says Martin Riley.
The past year has seen a spate of cyber-attacks on critical national infrastructure (CNI) globally – from Colonial Pipeline in the US to Npower in the UK and the Oldsmar water treatment system in Florida. Each attack had a different motive and threat vector, making the prevention of such crimes a formidable challenge.
With any security risk having the potential to cause significant damage and disruption to daily life, the recent wave of attacks serves as a warning to all CNI organisations to be hypervigilant to an ever-widening range of threats. However, preventing such crimes is almost impossible, particularly if carried out by a nation state. To strengthen cyber-defences, organisations must re-evaluate their strategy and shift to more intelligence-led cyber-security approaches, such as managed detection and response.
Understanding the risks
According to Bridewell Research over three quarters (79%) of UK CNI organisations’ main operational technology (OT) systems are over five years old and a third over ten years old. These often lack effective security controls against modern attack types. At the same time, attack surfaces are increasingly vast with most organisations now making OT systems accessible remotely and over the internet. And as IT and OT infrastructure converges and legislative requirements grow, pressure to transform quickly is rising.
For cyber-criminals, this presents new opportunities to infiltrate networks through increasingly advanced techniques. Ransomware has evolved from being a malware issue to a highly sophisticated and profitable human endeavour, with CNI organisations now at risk from skilled operators with high levels of offensive security knowledge.
Supply chain risks are also escalating, with attacks providing a foothold in and allowing criminals to compromise large sections of an organisation. With companies only able to protect what is in their control, they must review their own cyber posture through an integrated approach to cyber-security based on effective threat detection and response.
As cyber-attacks grow in complexity, traditional preventative methods do not have the agility or sophistication to effectively ward them off. Interconnectivity within CNI is both an asset and a liability and making cyber-attacks on organisations is a case of when, not if.
The government has already taken some important steps to improve the cyber resilience of the UK’s critical national infrastructure, however, to be truly effective, a step change in cyber-strategy is required. For organisations, this means developing a holistic view of cyber-security that ensures visibility into site level OT traffic and vulnerabilities, the protection and understanding of cloud and SaaS assets, through to the analysis of user and identity behaviour.
Basic cyber-security hygiene practices, such as regular testing and patching of any systems connected to the internet and segmentation of networks, should be supplemented by proactive measures such as threat hunting and detection and response, to reduce the time from intrusion to discovery and limit damage from attackers. While regular red team assessments should be used to identify and plan entry vectors into a cyber-system, including physical security.
Cyber-threats will always evolve so organisations must assume breach and be diligent in implementing appropriate prevention, detection and response to reduce risk. With the help of the right security partner – one that truly understands the OT environment – organisations can overcome operational and technical complexities to transform cyber-security while maintaining the system up-time required to keep critical services running.
Martin Riley is director of managed security services at Bridewell Consulting.