Cyberattacks on critical national infrastructure have the potential to cause massive damage and disruption to entire nations.
And research suggests that the threat is growing.
A recent survey of CNI organisations in North and South America, for example, reveals that 43 per cent have seen an increase in cyberattacks over the past year, while three quarters said these attacks are getting more sophisticated. The types of attack range from stealing information, to manipulating equipment through industrial control systems (ICS), to shutting down entire networks.
Governments are starting to recognise this threat against CNI. Here in Europe the EU has proposed a cybersecurity law, the Network and Information Security Directive, which includes mandatory reporting of security breaches for operators of critical infrastructure. The scope of these CNI organisations includes energy, banking, health, transport and internet exchange points. There is still some debate around its powers, and at the moment member states will be left to decide at a national level which organisations are designated as operators of critical infrastructure.
Individual countries are also stepping up the cyberdefences of their CNI. France is one of those leading the way in Europe. The Agence Nationale pour la Sécurité des Systèmes d'Information (ANSSI), France's national authority for the defence of information systems, has the power to enforce measures on so-called 'opérateurs d'importance vitale' (OIV), such as shutting down networks in the event of an attack or breach. There are also proposals to oblige these OIV operators to report any cyberattack to the ANSSI so that it can maintain an inventory of incidents.
And in Italy there is the Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche (CNAIPIC), the national computer crime centre for critical infrastructure protection. The CNAIPIC operates 24/7 and is responsible for the protection of infrastructure in the healthcare, transport, telecommunications and energy sectors, providing operational and technical support.
But at a practical, technical level, what can any organisation that comes under the classification of CNI do to protect itself against cyberattacks?
Firstly, why is CNI security so different to standard IT security? It comes down to availability being the most important property for any CNI operator: where corporate IT typically ranks confidentiality first, a plant must stay available 24x7, year after year, and that tops the list of priorities. In the past that has led to CNI organisations either putting no security protection at all around their SCADA and ICS architectures, or deploying standard antivirus technology. Antivirus depends on frequent signature updates, so a CNI organisation running it must either connect its control network to the internet (or to a vendor update channel) or accept that the signatures go stale, and both choices introduce risk.
One of the key trends we are now seeing in CNI protection is the move to white-listing, which takes the opposite approach to antivirus. CNI organisations know exactly which operations their computers, controllers and robots need to be allowed to perform, so those actions are listed explicitly and everything else is, by default, unauthorised and blocked. For the list to hold, approved programs must be identified by a cryptographic hash or code signature rather than by file name or path; otherwise a tampered binary that keeps the approved name would still run.
White-listing doesn't need an internet connection, which matters to CNI operators, and it helps performance: checking a file against a short list of approved hashes is faster than the blacklisting approach of standard antivirus, which scans against a signature database of millions of entries. Because the decision is a simple match against a known baseline rather than a heuristic judgement, the risk of a legitimate action being misclassified is also reduced. The residual risk is the reverse one: a genuine change that nobody added to the list, such as a firmware update or a new engineering tool, will be blocked until it is approved, so the list has to be maintained through the plant's change-control process.
There is also the idea of white-listing the network. When an operator workstation is talking to a controller in the plant, for example, you know exactly what kind of conversation the interface and the robot will have: which hosts talk to which, over which port and protocol, and which commands (reads, and perhaps a small set of writes) are legitimate. You can secure the network by authorising only that standard conversation and blocking everything else.
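The application and network white-listing described above, as an added example that is not code from the original article or from any vendor it mentions. The binaries, hashes, addresses and the shape of the process-start and flow events are constructed for the example; the Modbus/TCP framing (the MBAP header followed by a function code) is real, and serves as the "standard conversation" between an HMI, a historian and a PLC. The example goes slightly beyond the text by showing that network white-listing can be enforced at the protocol level (which function codes a peer may send) rather than only at the host-and-port level.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# --- Application allowlist -------------------------------------------------
# Constructed baseline: SHA-256 of every binary permitted to run on the HMI.
# A real baseline comes from the plant's signed golden image; the byte strings
# below are stand-ins so the example runs offline.
APPROVED_BINARIES: Dict[str, str] = {
    "hmi_runtime.exe": hashlib.sha256(b"hmi_runtime build 4.2 (constructed)").hexdigest(),
    "historian_agent.exe": hashlib.sha256(b"historian_agent build 1.9 (constructed)").hexdigest(),
}


@dataclass(frozen=True)
class ProcessStart:
    """A process-start event as an endpoint agent might report it (hypothetical shape)."""
    name: str     # file name the loader was asked to run
    image: bytes  # bytes of the executable actually loaded


def allow_process(event: ProcessStart) -> bool:
    """Deny by default: run only if the name AND the content hash match the baseline.

    Matching on the hash rather than the path means a trojaned copy that keeps
    the approved file name is still blocked.
    """
    expected = APPROVED_BINARIES.get(event.name)
    if expected is None:
        return False
    actual = hashlib.sha256(event.image).hexdigest()
    return hmac.compare_digest(actual, expected)


# --- Network allowlist -----------------------------------------------------
MODBUS_TCP_PORT = 502

# Constructed conversation baseline: which source may talk to which PLC and
# with which Modbus function codes. The HMI may read (3, 4) and write (16);
# the historian is read-only. Everything else is unauthorised.
APPROVED_CONVERSATIONS: Dict[Tuple[str, str, int], Set[int]] = {
    ("10.0.1.10", "10.0.2.20", MODBUS_TCP_PORT): {3, 4, 16},  # HMI -> PLC
    ("10.0.1.11", "10.0.2.20", MODBUS_TCP_PORT): {3, 4},      # historian -> PLC
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first application-layer bytes of the request


def modbus_function_code(payload: bytes) -> Optional[int]:
    """Parse the Modbus/TCP MBAP header and return the PDU function code.

    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1),
    then the PDU whose first byte is the function code. Returns None for anything
    that is not a well-formed Modbus/TCP request, so a malformed frame is denied.
    """
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or length < 2 or len(payload) != 6 + length:
        return None
    return payload[7]


def allow_flow(flow: Flow) -> bool:
    """Deny by default: permit only a listed peer pair using a listed function code."""
    permitted_codes = APPROVED_CONVERSATIONS.get((flow.src, flow.dst, flow.dport))
    if permitted_codes is None:
        return False
    code = modbus_function_code(flow.payload)
    return code is not None and code in permitted_codes


# Constructed Modbus/TCP requests: FC 3 read of 10 holding registers, FC 16 write of one register.
READ_HOLDING = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")
WRITE_MULTIPLE = bytes.fromhex("0002" "0000" "0009" "01" "10" "0000" "0001" "02" "1234")


def demo() -> Dict[str, bool]:
    """Evaluate representative events and return each allow/deny decision."""
    plc = "10.0.2.20"
    return {
        "approved binary runs": allow_process(ProcessStart("hmi_runtime.exe", b"hmi_runtime build 4.2 (constructed)")),
        "same name, altered content blocked": allow_process(ProcessStart("hmi_runtime.exe", b"hmi_runtime build 4.2 (constructed)+implant")),
        "unlisted binary blocked": allow_process(ProcessStart("updater.exe", b"anything")),
        "HMI read allowed": allow_flow(Flow("10.0.1.10", plc, 502, READ_HOLDING)),
        "HMI write allowed": allow_flow(Flow("10.0.1.10", plc, 502, WRITE_MULTIPLE)),
        "historian write blocked": allow_flow(Flow("10.0.1.11", plc, 502, WRITE_MULTIPLE)),
        "unlisted host blocked": allow_flow(Flow("10.0.9.99", plc, 502, READ_HOLDING)),
        "malformed frame blocked": allow_flow(Flow("10.0.1.10", plc, 502, b"\x00\x01\x00\x01\x00\x06\x01\x03")),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY':5} {label}")
```

Both lists are deny-by-default: the only code paths that return True are an exact hash match and an exact (peer pair, function code) match, so adding a new host, tool or command is a deliberate change to the baseline rather than something the enforcement point has to recognise as bad.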
One example of this new approach is the global energy management specialist Schneider Electric, which is offering application white-listing capabilities to its customers in the water, oil and gas, electric and transportation sectors. The technology ensures that only trusted applications run on critical infrastructure systems, and it monitors and manages changes to mitigate malicious or accidental system modifications, preventing the execution of unauthorised code and much common malware on those systems.
For many reasons, ranging from theft to espionage, operators of CNI will see an increasing volume and sophistication of cyberthreats in the coming years. Tackling these requires concerted efforts at national and international level by governments, as well as a change in mindset about the technology needed to protect this kind of infrastructure. The standard approach is 'I need to know the bad'. With CNI it should be 'I know what is good', and then block the rest.