Critical infrastructure (CI) has become a prime target for malicious actors seeking to manipulate, disrupt, or undermine the operation of industrial control systems (ICS). Motivated by various factors – from monetary to geopolitical – malevolent actors seek to disrupt critical operations. With the convergence of physical and digital domains increasing, the disruption of these services can have catastrophic consequences, affecting millions and causing significant economic damage.
CI comprises physical and digital systems vital to a nation's security, economy, and safety. Despite their varying functions, these industries share a common vulnerability: a growing dependence on the internet makes them increasingly susceptible to cyberattacks. Thales surveyed 367 CI businesses from 18 countries around the world to understand the trends, threats and the progress made in the cybersecurity domain.
The Critical Infrastructure edition of the 2024 Thales Data Threat Report highlights the threats that businesses in the Energy, Utilities, Telecom, Transportation, and Logistics sectors face. 15% of the CI organizations have experienced a breach in the last 12 months, with ransomware being the biggest threat. 24% of the businesses have felt the consequences of a ransomware attack. However, it is worrying that only 15% of the surveyed organizations have a formal plan in place to respond to such attacks.
Cybersecurity agencies have repeatedly issued advisories to warn CI businesses and executives. According to the International Energy Agency, these attacks at least doubled across most sectors between 2020 and 2022. At the same time, the European Union Agency for Cybersecurity (ENISA) Threat Landscape 2023 report identified ransomware and supply chain attacks as top threats.
The Thales report found that among CI organizations, human error was the leading cause of cloud-based data breaches, accounting for 34% of the cases. This was followed by the exploitation of a known yet unpatched vulnerability at 31%.
Finally, it is important to recognize that the coexistence of legacy technology with modern IoT devices creates a complex ecosystem to protect. Operational complexity remains a security concern for more than half of the survey respondents, although there are signs of stabilization.
The global nature of cyberattacks on critical infrastructure—from attacks on Costa Rica’s social security system and Australia’s financial sector to assaults on South African ports and Norwegian energy companies—highlights the need to strengthen cybersecurity.
Critical infrastructure sectors, historically reliant on legacy operational technology, are rapidly embracing digital transformation. Industries like energy, water, and transportation are integrating AI, IoT, and cloud computing to enhance efficiency and resilience. In fact, our report findings show that 26% of CI respondent organizations plan to integrate AI into their core products and services in the next 12 months, while 29% of CI organizations are experimenting with AI.
This shift, while promising improved operations, also introduces new cybersecurity challenges, necessitating a delicate balance between innovation and protecting these vital systems from evolving threats. Consequently, the Thales report on CI reveals that a staggering nine out of 10 (93%) respondents experienced increased attacks.
Another emerging threat facing CI organizations today is quantum computing, particularly the future compromise of classical encryption techniques, which would enable "harvest now, decrypt later" (HNDL) attacks. In these attacks, adversaries harvest encrypted data now with the intention of decrypting it in the future when quantum computing becomes available. 69% of the Thales survey respondents agreed that these attacks, as well as post-quantum cryptography, are an emerging security concern.
Unfortunately, Gartner’s recent report, “Postquantum Cryptography: The Time to Prepare Is Now!”, highlighted that most IT entities do not know which type of cryptography they are using, which applications are using it, how it is used, or even who makes decisions about cryptography.
On a more positive note, the Thales report revealed that among CI respondents who identified post-quantum cryptography as an emerging security threat, 49% indicated they would likely create resilience contingency plans, and 48% said they would prototype or evaluate PQC algorithms in the next 18-24 months.
In response to this growing threat, governments worldwide recognize the importance of securing infrastructure against cyber threats. The EU has introduced regulations like the Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive (NIS2) to enhance the cybersecurity resilience of critical infrastructure across the EU by imposing stricter security requirements and incident reporting obligations.
Similar initiatives have also been launched in the United States to bolster critical infrastructure security. Executive Order 13636 and Presidential Policy Directive 21 (PPD-21) highlight the federal government's commitment to enhancing the cybersecurity and resilience of the nation's critical infrastructure. Finally, the NSA released a memorandum emphasizing the need for critical infrastructure entities to adopt robust cybersecurity measures and prepare for potential quantum threats. This memorandum outlines steps for enhancing cyber resilience, including adopting post-quantum cryptography and implementing advanced threat detection and response capabilities.
There is a strong correlation between compliance and a resilient posture leading to reduced breaches, a trend identified across all Thales Data Threat Report findings. In the 2024 survey, of the CI respondents whose organizations failed a compliance audit in the last 12 months, 84% reported having experienced some breach in their history. In contrast, for those CI organizations that have not failed a compliance audit, only 17% have any breach history, with just 2% having a breach in the last 12 months.
The cybersecurity landscape for critical infrastructure is becoming increasingly complex, driven by the rise of sophisticated cyber-attacks and emerging technologies. However, operational complexity is also a source of concern. Tool and app sprawl creates cracks in the cybersecurity posture. The Thales report indicates that 57% of the CI respondents use five or more key management systems, while on average they have 90 SaaS apps in use.
Governmental regulations and initiatives reflect the growing recognition of the importance of securing critical infrastructure. By implementing comprehensive cybersecurity strategies, fueling collaboration, and preparing for future quantum threats, critical infrastructure can be enhanced and protected from evolving cyber threats.
Download the 2024 Thales Data Threat Report – The Critical Infrastructure Edition to comprehend the evolving threat landscape and what you can do to protect your business and your country’s economy and safety.