Protecting critical infrastructure

by Mark Rowe

Critical infrastructure is under the most significant threat since the cold war, writes Josh Breaker-Rolfe.

Soaring cybercrime, an increasingly tumultuous geopolitical climate, and a declining global economy have created the most dangerous environment for critical infrastructure in decades, and organizations must act accordingly.

When we think of critical infrastructure cyber incidents, we typically think of attacks targeting industrial control systems, such as the infamous Colonial Pipeline ransomware attack. However, critical infrastructure possesses vast quantities of sensitive data of enormous value to specific individuals, and thus data breaches pose a significant threat.

What is critical infrastructure?

The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as “those assets, systems, and networks that provide functions necessary for our way of life” and lists sixteen sectors that fall under that definition:
  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and Agriculture
  • Government facilities
  • Healthcare and public health
  • Information technology
  • Nuclear reactors, material, and waste
  • Transportation systems
  • Waste and wastewater

Data loss

While we typically associate critical infrastructure with cyber-attacks targeting industrial control systems, data theft is an equally serious issue. As with all organizations, critical or otherwise, critical infrastructure data breaches can result in significant reputational, financial, and legal damage.

However, it’s essential to remember that critical infrastructure data is generally far more sensitive than that of non-critical organizations; criminals could use the information stolen from a non-critical organization to steal someone’s identity, but critical infrastructure data could facilitate a terrorist attack. While both are serious crimes, the potential impacts are incomparable.

And critical infrastructure data theft isn’t merely hypothetical. In 2014, US courts charged Chinese cybercriminals with stealing data related to US fighter jets from Lockheed Martin and Boeing. In 2019, unknown threat actors stole information from India’s Kundankulam nuclear power plant. This year, researchers confirmed that the Chinese hacking group “Volt Typhoon” had compromised critical infrastructure in Guam and the mainland United States.

Since the beginning of the Russo-Ukrainian war last February, Western media has debated the concept of “cyber warfare.” While the implications of such a conflict currently appear to be overblown, we cannot ignore the role of critical infrastructure in cyber warfare.

Critical infrastructure data breaches, even in peacetime, can turn the tide of war. In their attack on Lockheed Martin and Boeing, for example, hackers are thought to have stolen information on US fighter planes and sold it to the Chinese military, who then built a fighter jet based on that data. The implications of the theft, should the US and China go to war, are both evident and disquieting.

It’s essential to remember that while non-critical organizations have a legal and ethical responsibility to protect private information, a successful breach of a critical infrastructure organization could have significant national security implications, potentially tipping the geopolitical balance of power.

Cybersecurity best practice is essentially the same for critical and non-critical infrastructure. Still, the potential consequences for critical infrastructure organizations are much more severe, and their cybersecurity programs must reflect that fact.

Data encryption is the essential security protocol for mitigating critical infrastructure data loss. The complex hybrid IT and OT networks used by modern critical infrastructure organizations are vulnerable to intrusions, and attacks on critical infrastructure are at an all-time high. The reality is that critical infrastructure organizations will most likely suffer an intrusion at some point. By encrypting their data, those organizations prevent cybercriminals from stealing anything of any real value.

It’s also imperative that critical infrastructure organizations harmonize their approaches to cybersecurity. Cyber-attacks can have cross-sectoral effects, particularly for critical infrastructure organizations. Earlier this year, the Voice over IP (VoIP) provider 3CX suffered a cyber-attack that has already spread to other critical infrastructure organizations. If organizations fail to standardize their cybersecurity practices, incident response and upcoming regulations could do more harm than good.

Regulation plays a huge role in mitigating data loss risk for critical infrastructure organizations. Regulatory standards for critical infrastructure are some of the most stringent in the world and are only getting tougher. For example, many experts have lauded the UK’s Telecoms Security Act (TSA), which went into effect in October last year, as a harbinger of further incoming regulation, particularly for critical infrastructure.

Finally, critical infrastructure organizations must keep up to date with evolving threats. Publicly available artificial intelligence (AI) tools like ChatGPT have emerged as a new data loss risk to critical infrastructure. Critical infrastructure is a highly competitive market, and organizations are always looking for ways to gain an advantage over their competitors; ChatGPT, at first glance, is an opportunity to do just that. However, staff must refrain from inputting sensitive data into machine learning tools like ChatGPT, as the chatbot could expose that information to other users. If it can happen to Microsoft and Samsung, it can happen to anyone.

Data loss is an oft-overlooked yet grave threat to critical infrastructure organizations. Not only could a data breach result in significant financial and reputational damage, but it could even threaten national security. Critical infrastructure organizations must harmonize their approaches to cybersecurity, encrypt their data, adhere to regulations, and stay vigilant for evolving threats to protect themselves from data loss.

© 2024 Professional Security Magazine. All rights reserved.