Cyber attacks can be anticipated and prevented with the right approach, but not before you build resilience into your critical national infrastructure, says Paul Dickens of Fujitsu
It is easy to take resources like energy or the internet for granted, so ingrained in our daily lives have they become. So much so that we rarely think about the behind-the-scenes operations powering the critical national infrastructure (CNI) that underpins it all. However, heightened geopolitical tensions mean the security of the organisations responsible needs to be put into the spotlight. With modern organisations relying so heavily on digital systems and cyber criminals extending their scope of influence across borders, it isn’t hard to imagine the widespread impacts future hacks could have.
In February last year, dozens of European oil terminals were affected when cyber criminals launched attacks on Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands, delaying fuel shipments across the continent. For as long as organisations like these don’t comprehensively complete the work to plug the holes in their back-end processes, the potential for more widespread disruption rises by the day.
Old tech, new problems
The vast majority of CNI relies on a mixed IT estate. This means systems adopted in recent years live alongside legacy operational technologies based on old protocols that were designed when the internet was less accessible and cyber crime was not common. Equipment was commonly operated with little consideration for security as it was often housed remotely and therefore assumed to be “safe”.
Today, a major overhaul is needed to meet modern security standards. What once qualified as resilience has been blunted by rapid changes to technology, such as the removal of point-to-point circuits and the migration to systems that connect to the internet. These changes have created a slew of monitoring and control challenges, which have complicated the task of investing in the correct security posture whilst matching risk appetites. But it is a good sign that state bodies already appear to be on board, with the UK setting new cyber resilience targets for CNI with a compliance deadline of 2025 and the European Commission proposing the Cyber Resilience Act last year. That said, the scale of the challenge is huge and will require multi-sectoral buy-in to be solved – even with significant state support.
Fixing the leak in the ship
The first step towards safeguarding CNI requires organisations to identify the highest priority cybersecurity risks they face and begin taking measures to directly mitigate them. For example, many organisations don’t completely understand what – or more pertinently, “who” – is connected to their network, so an audit of linked devices would be a simple way to assess their vulnerability exposure.
Device discovery tools that let administrators map out who and what are connected to their network are part of the solution here, especially when paired with a regularly updated unified configuration management database. Teams can only manage software and systems they know about and fully understand, and this greatly simplifies matters.
Unfortunately, it’s common for the IT team, who are the experts in cybersecurity, to be disconnected from the operational technology unit itself, which can lead to friction as their security needs are so different. Corporate IT policies and ways of working are commonly tailored to staff in home or office environments, where workers largely use assets that are easy to secure.
Meanwhile, operational technology teams may be responsible for things like a chemical processing plant, rather than a network of laptops and applications. Picture a factory where various chemicals need to be mixed at the right temperatures at the right times under highly hazardous conditions. It’s a far cry from the settings their IT counterparts are accustomed to and is why operational teams’ needs are often unaccounted for.
The next step that organisations need to prioritise is getting these units on the same page, which will require training to improve their awareness of each other’s needs so the right policies can be developed, trialled, and implemented.
With threats already becoming more sophisticated and frequent, investment in technologies like AI and machine learning is another necessity. While their generative capabilities have hogged column inches, their predictive abilities are more applicable to a security setting. CNI providers could use them in concert to proactively identify where threats are so that vulnerabilities can be addressed – either automatically by machines or via human intervention – before they are exploited.
Getting it right – before it’s too late
Much has been made of the technological skills gap organisations have been facing, but that’s no excuse to ignore security, especially in industries critical to national wellbeing and stability. In fact, people with the right skills undoubtedly exist, but in many cases they are being sidelined by the hunt for “perfect” staff. Chasing talent with the exact qualifications, skills, knowledge, and experience often prevents those full of enthusiasm and drive from getting the opportunity to develop and grow into the role.
Any delays to the overhauls needed to protect CNI could be catastrophic. The pandemic and war in Ukraine have shown how impactful disruptions to the delivery of basic goods and services can be globally. While private or public organisations can hardly prepare for those crises, cyber attacks can be anticipated and prevented with the right approach.
The question is whether it has to take a breach to drive an organisation to act on safety. We’d all better hope not.
About the Author
Paul Dickens is Public Sector UK Security Director & CISO, Enterprise Cyber Security at Fujitsu.