The effects of cyberattacks on critical infrastructure can be catastrophic. Security breaches in this sector can be incredibly disruptive to society and are attracting considerable attention from governments and regulatory bodies around the world. With that in mind, Thales has launched the 2022 Thales Data Threat Report Critical Infrastructure Edition, which includes responses from 300 security leaders and practitioners within critical infrastructure organizations.
From the ransomware attack that compromised a major U.S. gas pipeline in 2021 to the rise of nation-state attacks, critical infrastructure organizations are under siege. The threat of attacks against Critical National Infrastructure (CNI) – energy, utilities, telecommunications, and transportation – is now front of mind for many. When these attacks happen, and as a consequence of living in an increasingly interconnected world, they are frequently and acutely felt on a global scale. Reducing the risk of attacks such as ransomware and malware on CNI will be of paramount importance to the stability of nation states for years to come.
The Threat of Ransomware
CNI attacks, both targeted and untargeted, have never been easier to carry out. Over the past decade, once siloed, Operational Technology (OT) systems have become increasingly connected to the internet, as water and energy systems become powered by intelligent IoT sensors and government operations are deep-rooted in data. The increasing reliance on cloud platforms provides a vulnerable attack surface for threat actors and hostile nation-states. According to the Thales Critical Infrastructure report, more than half of the surveyed organizations report that more than 60% of their data in the cloud are sensitive.
Also in the report, 55% of security and IT professionals across all critical infrastructure organizations ranked malware as the leading source of increased security attacks, followed closely by ransomware (53%). Malware and ransomware attacks are relatively low-cost operations but can result in big pay-outs for threat actors.
In fact, in recent years, ransomware has almost completely changed breach economics. Given the highly regulated nature of the industries that operate CNI, the risks of financial loss due to penalties from lawsuits and legal expenses, lost productivity, and recovery costs as a result of an attack are extremely high. For many organizations, paying the ransom can be less damaging than risking any additional impacts. However, this stance indicates a lack of understanding of the effects of all the parties involved, such as cyber insurance underwriters, incident response firms, government regulations, and ransomware attribution.
Despite the culminating threats, the report also showed insufficient ransomware preparedness across critical infrastructure organizations. Ransomware’s power comes from the immediate “kidnapping” of data and critical systems, requiring a rapid, rehearsed response plan. Yet less than half of respondents (45%) stated they have a formal ransomware plan in place.
A Very Human Problem
When tackling these security challenges, the human element is the most important factor. Most successful malware and ransomware attacks gain an initial foothold in organizations due to user error. This includes using easily guessed passwords and falling victim to phishing and socially engineered techniques such as business email compromise. The situation has worsened considerably in recent years due to large-scale shifts to hybrid and remote working arrangements, particularly in industries that operate CNI – as prior to the events of 2020, all activity would likely have been contained on site.
Additionally, the convergence of Information Technology (IT) and Operational Technology (OT) makes it easier for attackers to move laterally within organizations, turning IT problems into much more impactful OT system issues. The ongoing attacks and threats to CNI demonstrate that the entire landscape of OT security has changed and can no longer be considered separate from IT. More than three-quarters (79%) of respondents were very or somewhat concerned about security risks and threats from employees working remotely.
Despite these challenges, only half of leaders (51%) currently have security precautions like Multi-Factor Authentication in place, to combat against these human challenges. As ransomware concerns increase, organizations across every sector need to prioritize a holistic approach to cyber resilience, which covers IT and OT and includes physical and human factors to ensure robust protection.
A Zero Trust Approach
CNI organizations typically have highly distributed infrastructure, and these can include everything from warehouses, shipping ports, power lines, transmitting sites, and railroad assets. Additionally, the transition of OT from proprietary, dedicated connections to the internet of things (IoT) has greatly increased the size, complexity, and elasticity of underlying networks while greatly increasing attack surfaces.
When it comes to improving security across these environments, adopting a data-centric security architecture, such as a zero trust model, protects individual information rather than system boundaries. In turn, this securely protects vulnerable and vital data that is at risk of being not only exposed but affecting critical infrastructure. Therefore, adopting zero trust principles can be a key strategy by ensuring “least privileged” access to highly distributed, high-value data and assets.
According to our report, only a third (30%) of security and IT professionals across all critical infrastructure organisations have a formal zero trust strategy. It’s extremely important that leaders look at these strategies in earnest. Unsurprisingly, organizations with a formal zero trust strategy are less likely to have been breached.
Go on the Cyber Offensive
Attacks on Critical National Infrastructure will continue to rise in 2022 and beyond, to be just as frequent if not more so than attacks on IT networks. As we continue to use technology to bring all aspects of our lives online, connecting everything from healthcare to banking to energy and utilities, threat actors can now target these systems that, once offline, have the potential to cause widespread societal and economic disruption.
Business and industry leaders, as well as national governments, cannot be complacent in the face of the real-world implications of CNI. It’s clear they will need to go on the cyber offensive to ensure they can effectively prevent and protect against these ever-growing threats.
Download the full Thales 2022 Data Threat Report for the Critical Infrastructure for more information.