Preparing for critical infrastructure cyber-attacks

Collateral damage caused as a result of cybercrime can have a devasting effect. William Rimington looks at the growing risk of cyber-attacks on national infrastructure assets.

Attacks on critical national infrastructure are nothing new. Well-publicised activities in Estonia, Georgia, Ukraine and Iran over the last decade or so, widely attributed to state actors, show the potential power of such targeted attacks. What has also been interesting in recent years is the collateral damage caused by other incidents also largely attributed to state actors arising from malware and ransomware such as WannaCry, Petya and NotPetya. The large multinational companies affected were not targeted specifically by, for example, the NotPetya disruptors of 2017, but I imagine the instigators could not believe their luck when a significant number of Western organisations were severely impacted and, in some cases, nearly lost the fabric of their business altogether.

The dangers and risks associated with nation states launching offensive attacks go beyond the initial strike. The re-use, re-engineering and re-deployment of so-called “weapons grade” malware time and again amplifies the threat. This repeated use is perpetuated not only by the nation-state(s) involved in the specific struggle, but also by groups that comprehensively reverse-engineer the consequences to direct their own version using their own techniques. For example, the Trisis/Triton malware launched against a multinational energy firm in 2017 reportedly has qualities similar to the Stuxnet malware that was used against the Iran nuclear research industry five years previously. 

So, what does this mean for ‘ordinary’ organisations or public services? 

First, continued collaboration is key. Private and public sector companies, departments and agencies must continue to share indicators of compromise, methods of reaction and actions to help remediation. The blocking of WannaCry (actually, discovery and publication of a ‘kill switch’) that had spread within the UK National Health Service was, at the time, a very well-publicised example of private sector research and response rapidly shared and implemented for the common good.

The cyber security sector abounds with individuals with a passion for combating adversaries and making organisational defences stronger. We may compete against one another commercially, but our experiences show that a widespread cyber-attack tends to bring out the best in everyone in terms of collaboration, not just locally but on an international stage as well.

Second, infrastructure owners and operators need to keep pushing for basic information security hygiene. In complex legacy environments with lots of elements and vintages of operating systems and bespoke applications, the basics are hard work. Keeping an environment patched and security as current as possible is not easy but must be a priority.

My experience of testing company environments, however, shows that you can have the best and most advanced technology in place and some very capable people operating it, but a determined attacker will still get in. Always. 

The aim, therefore, must be to make compromise more difficult to accomplish and at the same time less impactful by doing more of the third key action: planning for the worst and practising your response. Today, there is a greater acknowledgement that systems will be compromised, but this realisation is not usually backed up with simulation tests and preparation for a response. Plans need exercising. This should happen not just in the IT department, but also at the board and all operational levels in between. Some of the most enlightening testing engagements I’ve been involved in are not the ones where the team struggled to get in, but where the response was swift and decisive to identify, block and sweep out the intrusion.

No matter where cyber attacks originate, by collaborating with other organisations, keeping information security systems current and planning for the worst, it is possible to significantly mitigate the harms to your operations, reputation and bottom line. 

William Rimington is associate managing director in risk consultants Kroll’s cyber risk practice.