The disruption of critical infrastructure has a ripple effect on national and global economies and societies; directly impacting the sovereignty of nations and its people. When a Colonial Pipelines, Wolf Creek Nuclear Operating Corporation, or a Springhill Medical Center cyber-attack happens repeatedly across the world, the entire critical infrastructure security ecosystem needs to be re-imagined.
A modern-day cyber-attack leverages vulnerabilities across the spectrum. Starting from employee social media reconnaissance, purchasing ransomware toolkits off the deep and dark web, leveraging cloud misconfigurations to move laterally within connected systems and networks and targeting their efforts to compromise the most vulnerable vendors – cybercriminals are maximising impact with minimum effort.
When cyber-attacks are so interconnected, then why is the cybersecurity of critical infrastructure siloed and reactive?
The convergence of IT and OT has revealed more vulnerabilities in critical infrastructure.
In previous years, cyber-attacks on critical infrastructure typically required high investments, physical reconnaissance and access to expensive operational technology. The isolated nature of this sector, yielding low output, ensured threat actors focused their energies on more ‘rewarding’ fields, often including financial services or healthcare.
As business demands for speed, efficiency and interoperability increased, the critical infrastructure sector adapted. Most critical systems were extremely complex to begin with and this complexity is only increasing as the number of IoT devices and connections grows. Additionally, these systems are a mix of unsecured legacy systems and modern technology. The convergence of Information Technology and Operation Technology systems in the critical infrastructure setup have made it a hotbed of cyber threats.
Especially in the Middle East that is at the forefront of 5G and IoT implementation, the pandemic added velocity to a change that was in motion. Transitioning to cloud-based technologies has created a ‘Swiss Cheese’ architecture with multiple entry points – employees are geographically dispersed, connecting to workloads and data that’s now in a multi-cloud fabric. Additionally, customers and suppliers have changed the way they function. The number one issue with a vast digital footprint is the lack of real-time security visibility. Without the right knowledge of cyber risk, businesses are basing their cybersecurity strategies on reactive threat-driven strategies. This is similar to driving forward on a busy highway, while only looking at the rearview mirror!
According to Cybersecurity Ventures, global cybercrime costs are expected to reach $10.5 trillion annually by 2025. During the same period, global spending on cybersecurity products and services is projected to exceed $1.75 trillion. This means for every $2 spent on securing organisations, there is a loss of $10. Unfortunately, organisations are stuck in a catch-22 scenario of being breached more often as they invest more in technology.
Businesses need a totalistic and contextual view of their cyber risk posture and move beyond a product-focused approach and reactive cybersecurity. This is where cyber risk quantification (CRQ) can be a game-changer.
Cybersecurity is all about knowledge
Cyber Risk Quantification platforms enable security leaders to take the guesswork out of cybersecurity by giving them sound data science-driven basis to measure, manage and mitigate cyber risks. When a business knows the risks involved, they’re able to make informed decisions about their cybersecurity initiatives.
Cyber Risk Quantification platforms generate a breach-likelihood score using data science-backed risk engines that can feed information-driven confidence to security teams. It aggregates signals across employees, technology, policies and processes, cybersecurity products and third (nth) parties to generate a score. With it, security teams can locate where the weakest links lie across the enterprise in real-time. Not only does this help in timely prioritising management and mitigation of cyber risks, but also informs the Board and other stakeholders about the efficiency of their cybersecurity strategy, products in use and return on investment. How? Risk Quantification can represent the likelihood of breach as the financial impact of a breach on the overall business – immediately putting cyber risk in perspective to all relevant stakeholders.
Cybersecurity is like a game of chess, where the one with the knowledge and predictive power of the next move has the advantage. To date, cybercriminals have been one step ahead. To succeed, the national and international cybersecurity strategy for critical infrastructure protection (CIP) needs to be predictive and simplified. Cyber risk quantification can provide governments and businesses with the proactive knowledge to make the right move.
Take the example of the most recent instance of critical infrastructure cyber-attack – the Colonial Pipelines ransomware. DarkSide’s goal was not to disrupt the economy but to extort ransom. Cybersecurity experts said Colonial Pipeline would never have had to shut down its pipeline if it had more confidence and better visibility in the separation of its business network and pipeline operations.
The tactics, techniques and procedures used by the new-age cybercriminal use the ‘compromise-one-compromise-many’ approach. As the lines between private and public blur in critical infrastructure, it is essential to proactively safeguard the information of citizens, ensure smooth functioning of all associated organisations and finally, prevent large-scale disruption.
By Saket Modi, Co-Founder and CEO at Safe Security
For more information, visit: www.safe.security