In light of Critical Infrastructure Security and Resilience Month and with the threat of a cyber attack against Critical National Infrastructures (CNI) growing, Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organisations, conducted a poll to learn what services the public thought would be most likely to have an outage as a result of a cyber attack. The largest share of respondents (47%) believed that water, electricity & gas utilities were the most likely CNI to be disabled due to a successful hack. Twenty-two percent (22%) felt that transport would be the most susceptible to a power blackout following a cyber attack, whereas 20% voted that the emergency services would be the main organisations to suffer. A further 12% answered with other suggestions, with many suggesting that an attack on Telcos and communication systems would cause the most disruption to their country.
The world depends on critical infrastructure every day to provide energy, water, transportation, financial services, and other capabilities that support our needs and way of life. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being. We have already seen attacks against these institutions take place in the form of Industroyer, which attacked Ukraine’s power grid, depriving part of its capital, Kiev, of power for an hour, and WannaCry, which brought the UK’s NHS to a standstill.
David Meltzer, chief research officer at Tripwire, said: “Before the Internet brought almost universal connectivity, industrial security was very different from what it is today. Traditional industrial and critical infrastructure organisations had no Internet as we know it today. Perimeter defence typically meant physical security — gates, fences, barriers, and guards. Nowadays, these systems are Internet-connected, more virtualized in many cases, and more remotely accessible than ever before.
“Internet connectivity changed the whole security landscape because it enabled attacks that didn’t require physical access. Now, all organisations need to think about cyber security, and it would be naive to believe that Industrial Control Systems should be immune to those same cyber risks. There is no dispute that connectivity provides many business advantages, such as centralised management and control, remote engineering access, and resource consolidation. However, it’s important to remember that it also brings with it a large number of additional risks, mainly increased attack vectors, exposure of inherently insecure and sometimes obsolete IT systems, and the opportunity for attackers to exploit vulnerabilities that have not been patched.
“It is incumbent on those responsible to carry out detailed risk evaluations and to identify and implement the necessary security solutions to ensure that the most effective security measures are applied. Otherwise, there will be a major breach, and regardless of intention, we will experience an environmental disaster that could include a significant loss of life.”