In observance of National Cyber Security Awareness Month, Bitdefender delivers a series of articles on hot topics such as best practices in online safety and protecting your company’s assets and integrity. We also outline prerequisites to consider before pursuing a career in cybersecurity. We encourage you to bookmark this blog or connect with Bitdefender on LinkedIn or Twitter to receive follow-on articles (filled with security tips) as they are published.
Earlier this year at the RSA Conference 2017, Bitdefender surveyed a number of chief information security officers (CISOs) about their top cybersecurity concerns. More than 37 percent of the CISOs surveyed ranked advanced persistent threats (APTs) among their top concerns. (An APT is a prolonged, targeted intrusion campaign against a high-profile entity: custom tooling is deployed to operate silently for long periods, either to exfiltrate sensitive data or to quietly cripple industrial processes.) The survey also found that zero-day vulnerabilities are a concern for 39 percent of the CISOs surveyed.
In today’s landscape, where critical infrastructure assets and technology systems are interconnected, attention has never been more focused on the security of critical infrastructure. Cyberattacks can go undetected for months, and the most damaging breaches often stem from zero-day exploits and kernel-level malware. This is precisely what APT operators turn to, because it keeps them from being detected. APTs are not limited to state-sponsored attacks: enterprises can also fall victim when competitors exploit zero-day vulnerabilities to install highly targeted malware for corporate espionage and intellectual property theft.
Sophisticated targeted attacks could aim at critical national or transnational infrastructures (e.g. nuclear power plants, national energy grids, urban water supplies, transportation management systems, traffic control systems, hospitals and other healthcare facilities). In an environment of widespread automation, targeted attacks can practically paralyze a country.
Governments could also abuse exfiltrated sensitive data for military purposes. A well-known example of an information-stealing APT is Net Traveler. Quietly stealing information since 2004, it has exfiltrated more than 22 gigabytes of data pertaining to aerospace, nanotechnology, nuclear power cells, lasers, drilling, manufacturing in extreme conditions and radio wave weapons without triggering any alarm bells.
According to a report by the European Union Agency for Network and Information Security (ENISA), continued reliance on these systems and their networked nature are opening a “new chapter of information security. One that can be called Security of Things. While modern economies rely on the newly developed cyber infrastructures, assuring their security has become the main priority of many actors (governments, companies etc.) as this may have implications for the protection of the economies and of business,” the agency wrote in its report The cost of incidents affecting CIIs.
IT executives believe the consequences of an advanced persistent threat – one that gives an attacker access to their companies’ most valuable assets, including critical infrastructures – could be as severe as interstate armed or cyber conflicts, or even loss of life. Thirty-nine percent of Swedish respondents consider loss of life a severe but realistic consequence of an APT; loss of life was also cited by nearly 30 percent of respondents in Germany and almost 20 percent in the United States.
Fifty-eight percent of organizations have an incident response and disaster recovery plan in case of an APT attack or massive breach, and 37 percent have started developing such a strategy. Fewer than four percent have no such procedures at all. According to the survey, the best prepared are companies from the United States and Italy (more than two-thirds of respondents indicate they have an APT incident response plan in place), while the least prepared are those from Sweden and Denmark (where only four in 10 respondents have fully implemented such a plan).
Of the 193 member states, 38 percent have published a cybersecurity strategy and as few as 11 percent have a standalone strategy, says the Global Cybersecurity Index, a survey by the U.N. International Telecommunication Union (ITU). "The degree of interconnectivity of networks implies that anything and everything can be exposed, and everything from national critical infrastructure to our basic human rights can be compromised," it states. "There is still an evident gap between countries in terms of awareness, understanding, knowledge and finally capacity to deploy the proper strategies, capabilities and programs," the report reads.
Critical and strategic data related to national safety and key infrastructures must be stored on premises only, with access restricted to authorized personnel.
Any private cloud holding such data must be completely isolated from the public Internet, so that an attacker cannot exploit a vulnerability to reach the data remotely.
Only authorized personnel should have access to critical and sensitive data, and only through strict security protocols and strong authentication mechanisms.
Beyond two-factor authentication, two-person authorization (the “two-man rule”) can be put in place for critical systems, much as financial institutions require large transactions to be approved by two or more individuals.
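The two-person rule above is only as strong as the checks behind it: both approvals must come from distinct people who are actually authorized for that system, must be bound to the exact operation being approved (so an approval for one change cannot be replayed against another), and must be recent. The following is an added example, not Bitdefender’s code or part of the original article; the system names, approver roster, request fields and 15-minute window are constructed assumptions for illustration.

```python
"""Dual-control ("two-person") authorization gate for a critical system.

Added example, not part of the original article. It enforces the rule that
a sensitive operation proceeds only when two distinct, authorized people
have approved that exact operation within a short window. All names,
systems and the request format below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json

# Constructed sample policy: which people may approve actions on which system.
AUTHORIZED_APPROVERS = {
    "scada-prod": {"alice", "bob", "carol"},
    "grid-hmi": {"dave", "erin"},
}
APPROVAL_WINDOW = timedelta(minutes=15)  # assumption: approvals expire after 15 minutes
REQUIRED_APPROVALS = 2                   # the "two-man rule"


@dataclass(frozen=True)
class Request:
    system: str
    action: str
    target: str
    requested_at: datetime

    def digest(self) -> str:
        """Hash of the exact request, so an approval is bound to one operation only."""
        body = json.dumps(
            {"system": self.system, "action": self.action, "target": self.target,
             "requested_at": self.requested_at.isoformat()},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


@dataclass(frozen=True)
class Approval:
    approver: str
    request_digest: str   # digest of the request the approver saw and signed off on
    approved_at: datetime


class DualControlError(Exception):
    """Raised when the request does not meet the two-person rule."""


def authorize(request: Request, approvals: list[Approval], now: datetime) -> set[str]:
    """Return the distinct approvers that count; raise DualControlError otherwise."""
    allowed = AUTHORIZED_APPROVERS.get(request.system)
    if not allowed:
        raise DualControlError(f"no approver policy for system {request.system!r}")
    digest = request.digest()
    counted: set[str] = set()
    for a in approvals:
        # Approval must be for this exact request (constant-time digest compare).
        if not hmac.compare_digest(a.request_digest, digest):
            continue
        # Approver must be on the roster for this system.
        if a.approver not in allowed:
            continue
        # Approval must postdate the request, not be from the future, and be fresh.
        if not (request.requested_at <= a.approved_at <= now):
            continue
        if now - a.approved_at > APPROVAL_WINDOW:
            continue
        counted.add(a.approver)  # a set: the same person can never count twice
    if len(counted) < REQUIRED_APPROVALS:
        raise DualControlError(
            f"need {REQUIRED_APPROVALS} distinct authorized approvals, "
            f"got {len(counted)}: {sorted(counted)}")
    return counted


def demo() -> dict[str, bool]:
    """Run constructed scenarios; True means the gate opened for the request."""
    base = datetime(2017, 10, 10, 12, 0, tzinfo=timezone.utc)
    req = Request("scada-prod", "push-config", "plc-17", base)
    other = Request("scada-prod", "push-config", "plc-99", base)  # a different change
    d = req.digest()
    m = lambda n: base + timedelta(minutes=n)

    def check(approvals: list[Approval], now: datetime = m(5)) -> bool:
        try:
            authorize(req, approvals, now)
            return True
        except DualControlError:
            return False

    return {
        "two_distinct": check([Approval("alice", d, m(1)), Approval("bob", d, m(2))]),
        "same_person_twice": check([Approval("alice", d, m(1)), Approval("alice", d, m(2))]),
        "unauthorized_approver": check([Approval("alice", d, m(1)), Approval("dave", d, m(2))]),
        "replayed_approval": check([Approval("alice", d, m(1)),
                                    Approval("bob", other.digest(), m(2))]),
        "stale_approval": check([Approval("alice", d, m(1)), Approval("bob", d, m(2))],
                                now=m(20)),
    }


if __name__ == "__main__":
    for scenario, opened in demo().items():
        print(f"{scenario:22s} -> {'ALLOWED' if opened else 'REJECTED'}")
```

Only the first scenario is allowed; the other four show the failure modes a naive "count two approvals" check misses: the same person approving twice, an approver who is not authorized for that system, an approval lifted from a different change, and approvals that have gone stale. In a real deployment each approval would carry an authenticated identity (for example a signature from the approver’s second factor) rather than a bare username; the binding, distinctness and freshness checks stay the same.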