In our increasingly connected world, cybersecurity is more important than ever before. Hackers are targeting our bank accounts, emails and smart devices, and now they’re even targeting our infrastructure. Around the globe, critical infrastructure that sustains the very fabric of our society is under attack by both nation-state and non-state-affiliated actors. Successful cyber attacks on critical infrastructure have damaged equipment, halted operations and cost organizations millions to resolve. No critical infrastructure sector is safe from cyber attacks. Critical infrastructure protection remains more vital than ever, yet many organizations lack an understanding of its importance. Here’s an overview of critical infrastructure protection and the challenges organizations face.

What is Critical Infrastructure?

Critical infrastructure refers to vital physical and cyber systems and assets. It includes those facilities, systems, sites, information, people, networks and processes that are integral to a society. This infrastructure also includes those sites and organizations dealing with highly sensitive information and materials that could be used for nefarious purposes.

Critical infrastructure sectors include agriculture, communications, defense, emergency services, energy, finance, food, government, healthcare, space, manufacturing, transportation, and water. This critical infrastructure often underpins the essential services that keep a nation operating such as food production and distribution, telecommunications, and security services.

The European Union breaks critical infrastructure into the following categories:

  • Energy: energy production sources, storage and distribution (oil, gas, electricity).
  • Information, Communication Technology (ICT): information system and network protection (e.g., the Internet); provision of fixed telecommunications; provision of mobile telecommunication; radio communication and navigation; satellite communication; broadcasting.
  • Water: Provision of water (e.g., dams); control of quality; stemming and control of water quantity.
  • Food and agriculture: Food provision, safety and security.
  • Health care and public health: Medical and hospital care; medicines, serums, vaccines, and pharmaceuticals; bio-laboratories and bio-agents.
  • Financial systems: banking, payment services and government financial assignment.
  • Civil administration: government facilities and functions; armed forces; civil administration services; emergency services; postal and courier services.
  • Public, legal order and safety: maintaining public and legal order, safety and security; administration of justice and detention.
  • Transportation systems: road transport, rail transport, air traffic; border surveillance; inland waterways transport; ocean and short-sea shipping.
  • Chemical industry: production and storage of dangerous substances; pipelines of dangerous goods.
  • Nuclear industry: production and storage of nuclear substances.
  • Space: Communication and research.
  • Research facilities

According to the European Union: “The power grid, the transport network and information and communication systems are among the so-called ‘critical infrastructures’, which are essential to maintain vital societal functions. Damage or destruction of critical infrastructures by natural disasters, terrorism and criminal activity may have negative consequences. Critical infrastructure is vital for the functioning of modern societies. Without reliable supplies of energy or predictable transportation, our current way of life would not be possible.”

Critical Infrastructure Vulnerabilities

Attacks on critical infrastructure have a significant impact on national security and national defense. The destruction or incapacitation of these systems and assets can have a debilitating impact on a country’s physical and economic security, public health, and safety. Attacks on critical infrastructure can have a major detrimental impact on the availability, integrity or delivery of essential services. This can result in a loss of life, power outages, or other economic and social impacts.

There is a growing threat to critical infrastructure around the globe. Critical infrastructure is vulnerable to damage from sources like natural disasters and terrorist activities. In decades past, terrorist attacks involved methods like bombings or other physical sabotage. Today, however, critical infrastructure is increasingly vulnerable to a new threat: cyber attacks.

According to the International Criminal Police Organization: “Critical infrastructure acts as the life support system of our everyday existence. Our societies are sustained by a highly complex and sophisticated network of infrastructure systems. Our citizens expect and rely upon functioning institutions and services for their health, safety, security and economic well-being. This life support system has become more efficient and productive due to technological advances, the interchanges of globalization and the demands of an increasingly urban population. The advent of life 3.0 – the overlapping of the digital and physical world – allowed us to monitor and even control infrastructure from anywhere in the world. However, with heavy reliance and real-time connectivity comes vulnerability to threats.”

In the past, the systems and networks controlling and monitoring critical infrastructure were physically and logically independent and separate. These components had little interaction or connection with each other or with other parts of the infrastructure.

Today, a large portion of our critical infrastructure systems rely on internet-based technology to function. This includes industrial control systems, operational technology and SCADA systems that are responsible for controlling and supervising services of industrial infrastructures. This technology often involves automated systems composed of a set of industrial engineering devices tasked with collecting and sending information related to the controlled infrastructure. This makes them susceptible to cyber attacks from remote attackers who can take control of the technology and exploit it to damage the critical infrastructure.

This internet-based interdependent and interrelated infrastructure is more vulnerable to cyber disruptions because although these systems are complex, they often have single points of failure. In the past, sabotage attempts would result in isolated failures, but saboteurs can now cause widespread disruption because of cascading effects.

“The interdependence of our infrastructure through sectors and industries, between cyber and physical areas, and across national boundaries, means that the consequences of attacks are far-reaching,” says Interpol. “One attack on a single point of failure could lead to the disruption or destruction of multiple vital systems in the country directly affected, and a ripple effect worldwide. This creates an appealing target to those intending to harm us. And as our cities and infrastructures evolve so do their weapons.”

Challenges of Critical Infrastructure Protection

As Interpol posits, critical infrastructure is an appealing target for hackers looking to disrupt essential services or hold a nation hostage.

According to the U.S. Government Accountability Office: “Intentional, or adversarial, threats can involve targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign nations engaged in espionage and information warfare, and terrorists. These adversaries vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include seeking monetary gain or pursuing an economic, political, or military advantage.”

Despite the threat cyber attacks on critical infrastructure present, many countries lack a unified national capability to protect the interrelated aspects of these systems. That’s because critical infrastructure protection presents unique challenges.

Securing this infrastructure depends on an understanding of the interconnected relationships among disparate elements in these systems. Organizations are tasked with identifying vulnerabilities and analyzing alternatives in order to prepare for incidents. This requires a focus on detecting impending attacks and system failures, and organizations must have the capability to identify and monitor these systems to determine when and if disparate elements are under attack.

Critical infrastructure protection requires a multi-faceted approach that secures both the physical and virtual infrastructure systems. A strong critical infrastructure risk management plan starts with an assessment of current and potential risks to the critical infrastructure system. These risks should be ranked from most to least significant so that organizations can allocate resources accordingly. A risk management plan should analyze threats, devise countermeasures for guarding against those threats, and create response plans for responding to attacks when they occur.

Once an organization has assessed the threats facing its critical infrastructure, it’s important to take the necessary steps to improve the cybersecurity of the operation. This involves identifying and addressing vulnerabilities in the system. Organizations can start by examining each and every way someone could gain access to the system and then set up safeguards to prevent breaches. Another aspect of security improvement involves educating all involved parties about cybersecurity so that hackers can’t gain access through a weak link within the organization.

According to GAO, typical cyber threats include:

  • Terrorists and other non-state actors seeking to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.
  • Criminal groups, attacking systems, using spam, phishing, and spyware/malware, identity theft, online fraud, and computer extortion for monetary gain.
  • Business intelligence operators, including criminal organizations, conducting voluntary and on-demand industrial espionage.
  • Individuals and groups “grazing” the cyber world in search of victims, for a combination of thrill, monetary and “training” purposes.
  • Bot-network operators, using networks, or botnets, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks.
  • Disgruntled insiders, poorly trained employees, incompetent contractors – all creating the opportunities for outsiders to penetrate networks.
  • National intelligence and psychological operations organizations, using cyber tools for information gathering, regime destabilization and as another arm furthering strategic goals.
  • Spammers using the above methods to distribute unsolicited e-mail with hidden or false information to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service).
  • National and/or commercial organizations specializing in deploying spyware or malware against organizations or individuals, for political and commercial purposes.

“Cyber adversaries make use of various techniques, tactics, and practices—or exploits—to adversely affect an organization’s computers, software, or networks, or to intercept or steal valuable or sensitive information,” says GAO. “These exploits are carried out through various conduits, including websites, e-mail, wireless and cellular communications, Internet protocols, portable media, and social media. Further, adversaries can leverage common computer software programs, such as Adobe Acrobat and Microsoft Office, to deliver a threat by embedding exploits within software files that can be activated when a user opens a file within its corresponding program.”

These threats present unique challenges for critical infrastructure operators working to protect their assets. For more information on critical infrastructure protection, check out the following resources:

Department of Homeland Security Critical Infrastructure Security Toolkit

European Commission Research on Critical Infrastructure Protection