The disruption of critical infrastructure has a ripple effect on national and global economies and societies; directly impacting the sovereignty of nations and its people. When a Colonial Pipelines, Wolf Creek Nuclear Operating Corporation, or a Springhill Medical Center cyberattack happens repeatedly across the world, the entire critical infrastructure security ecosystem needs to be re-imagined.
A modern-day cyberattack leverages vulnerabilities across the spectrum. Starting from employee social media reconnaissance, purchasing ransomware toolkits off the deep and dark web, leveraging cloud misconfigurations to move laterally within connected systems and networks, and targeting their efforts to compromise the most vulnerable vendors – cybercriminals are maximizing impact with minimum effort.
When cyberattacks are so interconnected, then why is the cybersecurity of critical infrastructure siloed and reactive?
The convergence of IT and OT has revealed more vulnerabilities in Critical Infrastructure
In previous years, cyberattacks on critical infrastructure typically required high investments, physical reconnaissance, and access to expensive operational technology. The isolated nature of this sector, yielding low output, ensured threat actors focused their energies on more ‘rewarding’ fields, often including financial services or healthcare.
As business demands for speed, efficiency, and interoperability increased, the critical infrastructure sector adapted. Most critical systems were extremely complex, to begin with, and this complexity is only increasing as the number of IoT devices and connections grows. Additionally, these systems are a mix of unsecured legacy systems and modern technology. The convergence of Information Technology and Operation Technology systems in the critical infrastructure setup have made it a hotbed of cyber threats.
Especially in the Middle East that is at the forefront of 5G and IoT implementation, the pandemic added velocity to a change that was in motion. Transitioning to cloud-based technologies has created a ‘Swiss Cheese’ architecture with multiple entry points – employees are geographically dispersed, connecting to workloads and data that’s now in a multi-cloud fabric. Additionally, customers and suppliers have changed the way they function. The number one issue with a vast digital footprint is the lack of real-time security visibility. Without the right knowledge of cyber risk, businesses are basing their cybersecurity strategies on reactive threat-driven strategies. This is similar to driving forward on a busy highway, while only looking at the rearview mirror!
According to Cybersecurity Ventures, global cybercrime costs are expected to reach $10.5 trillion annually by 2025. During the same period, global spending on cybersecurity products and services is projected to exceed $1.75 trillion. This means for every $2 spent on securing organizations, there is a loss of $10. Unfortunately, organizations are stuck in a catch-22 scenario of being breached more often as they invest more in technology.
Businesses need a totalistic and contextual view of their cyber risk posture, and move beyond a product-focused approach and reactive cybersecurity. This is where cyber risk quantification (CRQ) can be a game-changer.
Cybersecurity is all about knowledge
Cyber Risk Quantification platforms enable security leaders to take the guesswork out of cybersecurity by giving them sound data science-driven basis to measure, manage, and mitigate cyber risks. When a business knows the risks involved, they’re able to make informed decisions about their cybersecurity initiatives.
Cyber Risk Quantification platforms generate a breach-likelihood score using data science-backed risk engines that can feed information-driven confidence to security teams. It aggregates signals across employees, technology, policies and processes, cybersecurity products, and third (nth) parties to generate a score. With it, security teams can locate where the weakest links lie across the enterprise in real-time. Not only does this help in timely prioritizing management and mitigation of cyber risks, but also informs the Board and other stakeholders about the efficiency of their cybersecurity strategy, products in use, and return on investment. How? Risk Quantification can represent the likelihood of breach as the financial impact of a breach on the overall business – immediately putting cyber risk in perspective to all relevant stakeholders.
Cybersecurity is like a game of chess, where the one with the knowledge and predictive power of the next move has the advantage. To date, cybercriminals have been one step ahead. To succeed, the national and international cybersecurity strategy for critical infrastructure protection (CIP) needs to be predictive and simplified. Cyber risk quantification can provide governments and businesses with the proactive knowledge to make the right move.
Take the example of the most recent instance of critical infrastructure cyberattack – the Colonial Pipelines ransomware. DarkSide’s goal was not to disrupt the economy but to extort ransom. Cybersecurity experts said Colonial Pipeline would never have had to shut down its pipeline if it had more confidence and better visibility in the separation of its business network and pipeline operations.
The tactics, techniques, and procedures used by the new-age cybercriminal use the ‘compromise-one-compromise-many’ approach. As the lines between private and public blur in critical infrastructure, it is essential to proactively safeguard the information of citizens, ensure smooth functioning of all associated organizations, and finally, prevent large-scale disruption.