While the Ukraine war didn’t spark the all-out cyber battle that experts feared, the conflict has raised concerns about the vulnerability of global critical national infrastructure...
Steve Mansfield-Devine asks if organisations will now address their security holes – or are they just too resistant to change?
In spite of initiatives such as the EU’s Network and Information Security (NIS) Directive, critical infrastructure remains vulnerable. A new report from Dragos reveals that many firms in this sector have weak authentication policies and lack visibility into their network assets, among other challenges.
And in the wake of the Ukraine invasion, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a warning about Russian threat actors targeting the US energy industry. To put it bluntly, global stakeholders are worried.
There’s no doubt that cyber attacks form at least a part of the war in Ukraine. DNS provider Quad9, for example, registered a ten-fold increase in Ukraine for DNS queries involving known-bad actors.
Early on in the conflict, Ukrainian organisations were hit with wiper malware, designed simply to delete files and cause disruption. The malware included WhisperGate, HermeticWiper and IsaacWiper, and these have since been joined by several other strains. It’s also highly likely that there is more undetected activity afoot.
Slow to change
Companies running operational technology (OT) are notoriously slow to change – in part because of the nature of the business and the characteristics of their infrastructure. This often leads to systems being behind the curve when it comes to patching.
“In some ways, believing that an event such as the war on Ukraine would serve as a wake-up call and cause CNI operators to take actions not already taken, could be a disaster in itself,” says Chris Grove, technology evangelist at Nozomi Networks. “There could be a very real, valid reason why some of these systems are unpatched. Operational technology sometimes runs for five years straight between maintenance windows. Ignoring the nuances of operational technology and recklessly taking or recommending action without considering the implications isn’t the recommended course of action.”
In this sector, cyber security is often trumped by other concerns, such as continuity of service. People in the energy sector, for example, worry less about hacking than they do about the lights going off for more prosaic reasons.
“We also have to take into account that most organisations are not budgeting for all possible risks, like a directed attack from Russian military on their systems,” adds Grove. “They understand it’s less about prevention, and more about resilience and consequence reduction.”
CNI organisations tend to make long-term investments in infrastructure, with some systems having lifespans measured in decades. This makes dealing with the fast-changing threat landscape difficult.
Regulation and legislation have so far failed to bring about the level of change required. NIS, introduced in 2018, had a noticeable effect, with a UK Government report claiming that 79% of firms had subsequently developed better security policies and 61% had improved disaster recovery. But that’s far short of what needs to be done about the security of the infrastructure itself.
“NIS is intended to establish a common level of security for network and information systems, as well as physical security systems,” explains Colin Tankard, MD of Digital Pathways. “This is the first stumbling block as many CNI systems are closed, in-house systems, which should have had security built in at design but where, as often happens, it was an afterthought.”
On the positive side, there are signs of progress.
“Large organisations are definitely waking up to the fact that they need to review their ecosystems and understand their risks, as well as the processes and data critical to them,” says Mathieu Gorge, CEO and founder of VigiTrust. “During a crisis, the priority is always going to be continuity, not security. The good news is that you can do both. One way to deal with it is to look at it longer-term and think about your investment in cyber as asset-based – whether it’s logical, physical or intangible, you can put a value on that asset, and put it on your balance sheet.”
This high-profile conflict seems to have been a spur for some contingents.
“A number of organisations have commissioned emergency risk assessments on their infrastructure and ecosystems and have had penetration tests performed on their mission-critical systems to be ahead of the game,” says Gorge. “There’s a lot more demand for training at the moment. And a lot of firms are rethinking how they can train boards and increase collaboration between law enforcement, military and the private sector to protect critical infrastructure.”