Protecting critical infrastructure in a world of escalating cyberattacks

Joe Morgan

Examples of the increasing number and severity of cyberattacks against critical infrastructure are, unfortunately, easier than ever to find.

A recent example occurred in May 2021, when the hacking group DarkSide infected computers of Colonial Pipeline – the operator of the largest pipeline system for refined oil products in the United States – with ransomware that brought 45% of east coast U.S. fuel distribution to a halt.

The hackers took over command and control of the pipeline, forcing a shutdown that cost millions of dollars in damages and lost revenue in addition to the disruption to businesses and consumers reliant on the supply of fuel.

On maybe a smaller scale but with the potential to directly affect the health of thousands, in February this year, a hacker managed to access the systems of a water treatment center in the town of Oldsmar, Florida. During the attack, the hacker managed to briefly increase the levels of sodium hydroxide to dangerously high levels, from 100 parts per million to 11,100 parts per million.

These incidents have again sparked obvious concern among those charged with protecting critical infrastructure and the wider public. The risks associated with the disruption of critical infrastructure, directly and indirectly, have once again been brought into sharp focus, making the sector an even more attractive target for cyberattacks.

Critical infrastructure cyberattacks: a constant and growing issue

Of course, these incidents are far from the first cyberattacks to target critical infrastructure, and won’t be the last. Previous attacks on power stations in the Ukraine and energy plants in Saudi Arabia are just a couple of the examples that have found their way into the public domain, while many others remain unreported.

Cyberattacks continue to grow in frequency. Check Point Software’s mid-year review found that in the first six months of 2021, cyberattacks against organizations of all types had increased 29% over the previous period and were predicted to grow further into the second half of the year.

It is fair to say that the growth of attacks against critical infrastructure will be in line with these findings, and may well be exceeding them, given the attractiveness of such organizations to those looking to cause disruption and/or extract ransoms.

This is something highlighted by the Center for Strategic & International Studies. Its regularly updated list of significant cyber incidents shows the number and severity of attacks against public and private organizations providing energy and fuel, telecommunications, transportation, defense, and cloud services, among others, is rising.

Different motivations for cyberattacks, but similar methods

Broadly speaking, the motivations for cyberattacks fall into three groups: financial gain, widespread disruption, or, most simply, personal challenge.

It would be easy to think that this last group is relatively harmless. These are ‘hobby’ hackers, challenging their skills to see if they can find a way into secure and sensitive networks largely to boost their own ego and their status among fellow hackers. But it can be these hackers who find the vulnerabilities and cyberattack vectors which then find their way to those with more sinister objectives.

Cyberattacks with the goal of financial gain through ransomware, where control of critical systems and access to sensitive data are retained by the hackers until a substantial ransom is paid by the affected organization.

Ransomware has become big business. Cybercriminals are encouraged by the fact that many organizations will be keen to avoid news of attacks finding their way into the public domain and aim to have systems up and running as quickly as possible.

Finally, there are hackers who aim to cause widespread and maximum disruption to a city or nation through cyberattacks, often being state-sponsored groups who have no need to pursue financial gain. The disruption they cause can range from mild inconvenience to a genuine and significant threat to public health.

Sometimes the attacks themselves can be relatively minor; a breach in a less sensitive system within critical infrastructure can prompt an over-reaction, with more important systems central to operation shut down until the extent of the issue can be established. This can then snowball into concerns and panic among broader communities who feel worried about being unable to access essential resources such as fuel, energy, or water.

Whatever the motivation, the approach is broadly the same. Hackers will constantly look for vulnerabilities that allow access to a network, and then aim to move within the network to infiltrate and control more sensitive systems.

A connected world means a hackable world

The world is more connected than ever before. The so-called Internet of Things (IoT) broadly describes the billions of devices and sensors now connected to each other, from data centers to corporate networks, delivering valuable services and creating huge efficiencies to consumers and businesses.

Perimeters around corporate networks have become more permeable by design, facilitating external connections from employees, suppliers and customers, and millions of devices. Networks within critical infrastructure are no different. Though the need to secure any network is important, the risks associated with breaches of critical infrastructure networks are so significant, a robust approach to cybersecurity in the sector is even more imperative.

Unfortunately, all networked devices and systems can be vulnerable. Any device, if unprotected, can be the weak link that gives a hacker access to the system and result in a potentially catastrophic cyberattack. While networked surveillance cameras play a central role in the physical security of critical infrastructure, the ultimate irony would be if these same devices provided the entry point for a critical infrastructure network breach.

Best practice is to trust no one until verified

No network can be 100% cybersecure. Unencumbered by regulation and as well-financed as any start-up, cybercriminals are constantly looking to innovate their methods of attack. It’s therefore essential that operators of critical infrastructure work equally hard to understand the evolving threat landscape and stay one step ahead.

As more devices connect to the networks used by critical infrastructure, the notion of using a firewall to protect that perimeter has become redundant. A new approach has been needed and has emerged in the form of Zero trust networks.

Put simply, as the name suggests, zero trust networks are based on the assumption that no entity connecting to and within the network – whether apparently human or machine – can be trusted. Whatever they appear to be, wherever they are connecting from, and however they are connecting isn’t trusted until they have been verified.

This verification can happen in a number of ways and multiple times, and often also involves only granting access to the specific part of the network needed to undertake a task. Verification also applies to devices – including surveillance cameras – as much as individuals. The ability of any connected device to irrefutably verify its identity is essential in a Zero Trust network architecture.

Additional steps should be taken to ensure that every aspect of the surveillance solution is as secure in its own right as possible – our hardening guide provides in-depth information on best practices.

System health monitoring and management

Just as monitoring our own health is essential for spotting minor problems and weaknesses that could become more significant issues in the future, effective health monitoring of surveillance solutions plays the same role in reducing vulnerabilities.

Without visibility of all surveillance devices connected to the network and their status, it’s impossible to ensure that all risks are mitigated and, critically, if a vulnerability appears in one area that it is effectively contained. Without this, a small breach can quickly become a much bigger issue through an (often understandable) overreaction to contain the breach.

In addition to health monitoring, software tools can facilitate the centralized, remote, and increasingly automated application administration of firmware updates. This is essential in defending against new viruses and in keeping surveillance solutions secure, particularly as organizations add more IoT devices to their networks

Cybersecurity through the value chain

Effective modern surveillance solutions are the sum of many parts. As surveillance cameras themselves have become more powerful computing devices – and with that have the ability to host advanced analytics software on the edge of the network – a key aspect of cybersecurity is a holistic view across the entire value chain. Hardware and software must work together seamlessly, not only to deliver the full benefits of new surveillance technology, but to do so in a way which places cybersecurity at the forefront.

It’s obvious to say that critical infrastructure has always had a focus on physically securing those sites, plants, and buildings upon which millions of people around the globe rely for the fundamental services of everyday life. With today’s threats being as much digital as physical – probably even more so – it’s essential that the same attention is placed on cybersecurity. It’s a focus that will remain a priority for Axis and our partners.

Read more about Axis and cybersecurity here, and about our solutions for critical infrastructure here.

Solutions for critical infrastructure