There has been a dramatic increase in cyber-attacks on critical infrastructure but regional organisations remain unprepared.
The threat against critical infrastructure such as power grids, water supply systems, and oil and gas plants, is getting greater and at the same time potential adversaries are learning techniques from the exposure of sophisticated state-sponsored cyber-attacks.
Recently, Eugene Kaspersky, Founder and CEO of Kaspersky Lab, famously remarked that ‘a bad bad incident’ awaits critical infrastructure, as cyber-terrorism attacks could become a harsh reality before slow-moving government agencies act to secure it better.
Often, organisations with critical infrastructure to protect are even slower to move on security infrastructure upgrades than corporate enterprises. Just how much at risk is our region’s critical infrastructure?
“These days, critical infrastructure everywhere in the world is a potential target. Cyberattacks on critical and industrial environments are on the rise and Kaspersky Lab has detected incidents in every corner of the world. As the world’s largest exporter of oil and gas, the Middle East is a particularly attractive target for threat actors, whether they’re state-sponsored or criminally minded,” says Matvey Voytov, Solution Business Lead, Critical Infrastructure Protection Business Development, Kaspersky Lab.
He cites the example of the highly complex Shamoon attack on Saudi Aramco and other incidents, including the attack on RasGas. “In addition to these outside attacks, the Middle East has its own dangerous cyber gangs such as Desert Falcons – cyber mercenaries operating exclusively in the region and attacking a number of different industries, including military and government organisations, as well as energy and utilities providers.”
Adam Philpott, Director – EMEAR Cyber Security, Cisco, agrees that attacks on critical infrastructure have become a growing cause of concern for governments and private providers around the globe – whether inflicted by cybercriminals seeking financial gain or by hackers as political acts. “The trepidation around these threats is justified, as research demonstrates that attacks on critical infrastructure have increased in both prevalence and sophistication and will continue to grow in the near future,” he adds.
Ryan Brichant, CTO for Global Critical Infrastructure, FireEye, echoes a similar opinion: “Critical infrastructure faces a substantial level of risk across the world. Unfortunately, hackers are not just motivated by monetary gains but also notoriety and credibility – it’s very appealing for a hacker to attain fame among his/her circle of peers for carrying out a certain attack, especially if it’s a high-profile incident. The ramifications behind hacking the world’s most critical infrastructure and assets are far more severe to national economies than any other type of hacking attempt we have seen today.”
One of the reasons the region’s critical infrastructure is susceptible to cyber threats is that the organisations running these facilities on supervisory control and data acquisition (SCADA) gear are still gathering data about threats and aren’t close to implementing new defences to counter them.
“If you look at the control systems for critical infrastructure such as within the utilities sector, historically they were asynchronous control sessions to a mainframe unit and security was pretty straightforward to achieve. However, the adoption of IP in most organisations means that the control networks in production facilities have become interconnected and could potentially be subject to the same attacks as any other systems in a connected world,” says Nicolai Solling, Director of Technology Services, Help AG.
Today any SCADA or DCS system will be based on protocols such as IP, MPLS and other standard network technologies, plus standard operating systems such as Windows, Linux and Unix, which creates a threat picture similar to that of any other connected system, but with a much higher impact: production is controlled by the system, so an attack that affects it can reduce productivity. Solling warns that a complete loss of productivity or, in the worst case, an overload of the production environment can cause larger-scale damage.
Security experts say the emphasis should be on detection and rapid response rather than prevention when it comes to critical infrastructure security.
“The prevention and preventive protection mindset has recently failed us on almost every occasion. This is why organisations and CISOs are shifting to a detection and response mindset. They acknowledge the fact that breaches are very likely to happen, and it’s a question of how quickly you can close the gap and respond, and how you can adapt your defense strategy to the evolving threat landscape,” says Roland Daccache, Senior Systems Engineer, Fidelis Cybersecurity.
The real issue is that, in most cases, conventional prevention technologies can’t be used efficiently inside critical and industrial environments. These technologies weren’t designed for the unique conditions of critical infrastructure environments, such as air gaps, the need for continuity of technological processes, and highly specialised software and hardware.
Voytov from Kaspersky says that just because traditional prevention approaches aren’t always appropriate in critical/industrial environments, that doesn’t mean we should rely on detection and response to make up the gap. The key difference between traditional information security and industrial cybersecurity is the high stakes: a successful breach of critical infrastructure can have an impact far beyond information or financial damage; it can cost lives or result in environmental destruction, among other serious consequences.
“Prevention is better than cure and rapid response is always required because you don’t know when threats can affect your organisation’s investment. There needs to be the right technology investment in place, and neither end-user nor vendor can have the slightest idea of the severity of a threat. We also have to understand that when a device is compromised, how much of that compromise can actually be mitigated. The last thing one needs is a broken-down system. That’s why security is always implemented as layers,” says Nader Baghdadi, Regional Enterprise Director, Fortinet.
Tareque Choudhary, Head of Security and BT Advise at BT Global Services, agrees: “With cyber attacks growing more and more sophisticated, you need to detect problems earlier, and at a greater distance from your perimeter, to protect your key infrastructure and operations. If you want to manage and pre-empt attacks, you need a clear understanding and visibility of the global threats you’re facing as they emerge.”
The key to being prepared for massive cyberattacks on critical infrastructure is creating a framework that fosters collaboration between public and private sector partners, as no single business and no single level of government has sole ownership or control over critical infrastructure.
“Countries and companies must collaborate now, more than ever, to protect the services essential to a nation. Threats to a company’s information systems and assets could come from anywhere. Whether the incident comes as a direct physical attack or an electronic one, the nature of these events is essentially borderless. No single company could possibly possess all of the intelligence, expertise and resources needed to combat threats originating from such a plethora of fronts,” says Philpott from Cisco.
The strategic approach to cyber security is based on the hard reality that it is not possible to defend all of a country’s digital assets without the collaboration and integration of all of the primary stakeholders from the private and public sectors, and citizens using the nation’s digital networks.
“The U.S. Government has shown through the Automated Indicator Sharing Program and the recent cyber security law signed last December that governments have to take an active role in supporting the private sector in general and specifically those engaged in critical infrastructure. The sharing of threat intelligence will be vital for protecting critical infrastructure, and governments have to take an active leading role, setting an example and encouraging the private sector to step out of the shadows and share threat intelligence that they have derived from their own environments,” says Cherif Sleiman, GM – Middle East, Infoblox.