As I attend the Gartner Security & Risk Management Summit in London, I have been thinking a lot about how critical national infrastructure (CNI), or simply critical infrastructure, plays a pivotal role in ensuring the functioning and security of a nation.
Whether it’s energy, transportation, water, healthcare, or finance, these systems are able to run smoothly because they are all interconnected. But because of this, they are also part of an attack surface that’s constantly expanding and prone to data breaches, ransomware, supply chain attacks, and zero-day vulnerabilities.
A key statistic in the World Economic Forum’s Global Cybersecurity Outlook is that 91% of cyber leaders believe that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years. Critical infrastructure is the backbone of society, and for society to function, the public needs to trust that these services and institutions are safe.
Technological advancements also mean vulnerabilities
The rapid evolution of technology has led to the integration of digital systems into critical infrastructure, which can boost efficiency and effectiveness. However, this integration has also introduced vulnerabilities that cybercriminals can exploit.
Hackers can target outdated software, weak passwords, or unpatched systems to gain unauthorised access to critical systems. Advanced persistent threats (APTs), malware, and ransomware attacks pose serious threats, potentially disrupting operations, stealing sensitive data, or causing financial losses.
Earlier this year, SecurityScorecard released a report on the state of critical infrastructure, and it found that critical manufacturing is the most at risk. After analysing a cohort of all critical manufacturing organisations included in the 2022 Global 2000 Forbes list, we determined:
- 48% of critical manufacturing organizations ranked “C,” “D,” or “F” on SecurityScorecard’s Security Ratings platform
- Last year, 37% of critical manufacturing organizations had malware infections
- Critical manufacturing saw a 38% year-over-year increase in high-severity vulnerabilities from 2021-2022
Patching cadence continues to crop up as an area where critical infrastructure can improve. In the case of critical manufacturing, patching cadence experienced a significant drop from 2021-2022, likely due to an increased volume of high security vulnerabilities.
Evolving threat landscape
Cyber threats are becoming increasingly sophisticated and diverse. Nation-states, criminal organisations, hacktivists, and even insiders can pose significant risks to critical infrastructure. To underscore this, a recent report from Microsoft found that nation-state attacks on critical infrastructure doubled between July 2021 and June 2022.
These threat actors, with their considerable resources and expertise, can carry out highly coordinated cyber attacks that compromise key infrastructure elements. Additionally, criminal groups leverage ransomware attacks to extort money or disrupt services, and hacktivists aim to convey political or ideological messages through cyber attacks. Meanwhile, insiders, including disgruntled employees or contractors, can exploit their privileged access for malicious purposes and cause untold financial and reputational harm.
Inadequate regulations and standards
The lack of comprehensive and standardized regulations is another factor that has exacerbated the cyber security trust deficit. For decades, regulations and standards have varied across sectors and countries, creating inconsistencies in the security measures applied to critical infrastructure. The absence of a unified regulatory framework has made it difficult to ensure consistent cybersecurity practices, leaving vulnerabilities unaddressed. Complying with multiple standards can also be burdensome and costly for organizations, hindering their ability to invest effectively in cyber security.
But leaders worldwide have seen the increase in cyber attacks and recognize the need for a solution that restores trust in the resilience of our societies. For instance, the European Union introduced the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which seeks to create a more standardised approach to cyber security and is part of a raft of new cyber security regulations poised to take effect.
While the adoption of new cyber regulations is an important step, it’s key to avoid a prescriptive, “catch-all” approach. Every government works differently and has its own unique set of needs, which is why it’s less about what is done and more about how it’s done.
Insufficient investment and resource allocation
Insufficient investment in cyber security is another factor that further widens the trust gap in critical national infrastructure. Many organisations within the critical infrastructure domain struggle with budget constraints and must prioritise immediate operational needs over a strategy of long-term cyber security preparedness.
Allocating adequate resources for cyber security measures is essential to combatting evolving threats. This can include investments in: advanced technologies; training and development of skilled cybersecurity professionals; and regular security assessments and audits.
International cooperation and information sharing
Cyber threats transcend national borders, so it’s absolutely necessary for countries to share crucial information with each other. Sharing threat intelligence, best practices, or lessons learned will only enhance our collective understanding of cyber threats and bolster preparedness and response mechanisms.
Addressing the cyber security trust deficit in critical national infrastructure is an urgent imperative. Technological advancements, evolving threats, inadequate regulations, insufficient investment, public awareness, and international cooperation are all critical components that need attention. That is why a proactive and collaborative approach is essential to stay ahead of cyber threats, ensure the robust protection of critical national infrastructure, and enhance our collective cyber resilience.
Steve Cobb is CISO at SecurityScorecard, a risk assessment, management and ratings specialist that addresses how companies understand, improve and communicate cyber risk to their boards, employees and vendors.