Critical Infrastructure: The latest target for cybercriminals?
How to protect critical infrastructure from cyber threats
Critical infrastructure (CI) is the name for all of those systems that keep our country running. Whether it’s energy and water networks, or telecommunications and transportation, if their networks are compromised, the consequences could be severe – even life-threatening. With over two fifths of CI having suffered a cyber breach to date, it is clear such organisations have become a prime target for cybercriminals. Ensuring protection of these essential services is therefore a necessity for maintaining our society’s stability and security.
Given the barrage of threats targeted at CI organizations, we need to understand what these risks look like and how organizations can tackle them before potentially disastrous knock-on effects become a reality…
Managing Director for Cyber Security & Trust at Thales.
The threat landscape
According to Thales’ 2024 Data Threat Report, these attacks are on the rise – and the vulnerabilities being exploited are diverse.
Common threats include human error (34%), exploiting known vulnerabilities (31%), and failure to apply multifactor authentication (20%). Concerningly, almost a third (30%) of CI organizations also experienced an insider threat incident, underscoring the need for a comprehensive insider threat program to identify and mitigate malicious behavior.
The tactics of bad actors are varied too, with the most common threats including malware, phishing, and ransomware. A quarter have reported falling victim to a ransomware attack in the past year alone, with 11% paying the ransom, making it an incredibly lucrative tactic for criminals.
While financial loss is one of the obvious knock-on effects for victims, when it comes to CI the compromise of sensitive data and halting of essential services poses greater, and potentially disastrous risks, too.
The impact of emerging technologies
Emerging technologies are also posing a risk, with CI organizations experiencing difficulty in maintaining the pace of change required across large and distributed infrastructure. Quantum computing is one example, with its potential to be powerful enough to decrypt the algorithms we all rely upon to secure valuable data. Despite 69% of respondents being worried about the eventual impact of quantum, it’s clearly not front of mind, with only half of organizations planning to create resilience contingency plans to satisfy quantum resistance security concerns in the next 18-24 months.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
On the other hand, while moving to the cloud presents operational efficiencies and offers greater agility and accessibility, the shift has also proved problematic for some CI organizations. Over half (51%) agree that managing security in the cloud is more complex than within on-premise environments. The majority (55%) also stated they are concerned about the security of their data in the cloud, highlighting the need for robust cloud security measures.
One solution: compliance
While the threats are vast, there’s a clear correlation between improving processes and procedures required to achieve data protection compliance, and the likelihood of a resulting breach. In fact, only 17% of compliant organizations have any breach history whatsoever, and just 2% have been impacted by a breach in the last 12 months.
So, how did organizations that failed their compliance audits fare? As it turns out, a large majority of non-compliant organizations (84%) reported having experienced a breach to date.
The takeaway? Compliance and robust defences go hand in hand, and while passing an audit may seem like a tick-box exercise, organisations will reap the rewards of heightened security that compliance promises.
The business takeaways
It’s clear the risks on the table are diverse – from human error and access management concerns to ransomware threats and compliance shortcomings. This complexity necessitates robust, multi-faceted defenses to build cyber resilience.
Business should consider the following:
• Understand the risks: As a first step, conduct an audit of your network to establish what critical data and processes actually need protecting. From there you can assess the vulnerabilities within your infrastructure and safeguard all routes to these priority assets.
• Encrypt your data: Data travelling through CI or stored in the network is often incredibly sensitive and must be encrypted to prevent unauthorized access or tampering. In the event of a breach attempt, encrypted data will be of little value to the attackers, establishing a protective barrier.
• Implement the principle of least privilege: Given the risk of insider threats, organizations should prioritize digital asset management by only granting users the minimum access necessary to perform their job function, alongside regularly reviewing such access rights.
• Implement multi-factor authentication: In addition to access controls, verify users using more than just passwords. Digital identities, for example, provide a more secure and streamlined means of authentication than the likes of traditional passwords that are at risk of being stolen, lost, or guessed.
• Harden your systems to be proactive – not just reactive: Software needs to be regularly kept up to date with new layers of defense to counter emerging threats, alongside airgapping your sensitive systems. In addition, sophisticated threat detection and monitoring capabilities are essential to help speed up reaction times.
• Address human error: With human error the crowning threat for CI, providing extensive cybersecurity awareness training will be paramount in tackling this risk and instilling the reality that cyber hygiene is a collective responsibility. This goes beyond your core employees; CI organizations still have a supply chain with vendors and third parties who could act as a gateway for cybercriminals, too.
• Undergo regular exercises: When the stakes are as high as with CI, organization should regularly stress test their networks and evaluate the security of their environment. Simulating attacks can accurately reflect on your preparedness to sufficiently deal with impending threats.
• Develop a response and recovery plan: It’s not just about prevention, but preparedness so you are ready to mitigate the fallout in the event of a successful breach when it does occur. This should involve creating and maintaining offline backups of critical data as contingency and considering your ransomware response ahead of time.
• Look ahead: Given the lack of preparedness for the likes of quantum, forward looking planning needs to be prioritized to account for game-changing emerging technologies. Considering the impact of such technologies, and how to offset their risks, will ensure organizations aren’t on the back foot when they become a reality.
The final word
It’s clear that CI organizations support the fabric of everyday life for all of us and as such they are increasingly attractive to cybercriminals, activists, and nation states alike – whether it be for financial gain, political goals, or other malicious ends.
With stronger measures needed to offset this high-threat environment, organizations must continually identify security gaps, establish adequate threat responses, and update their mitigations and responses in line with regulation and best practice. Cyber threats are a matter of when, not if.
We've featured the best encryption software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Tony Burton is Managing Director for Cyber Security & Trust at Thales.