By Peter Lenk, Tech Lead at Goldilock
Critical national infrastructure (CNI) faces a mounting threat landscape, necessitating a fundamental overhaul of security strategies.
Consider last summer’s attack on London hospitals, where just one cyber incident resulted in the postponement of 1,255 planned operations and 3,396 appointments. Incidents like this are unfortunately no longer exceptional. Following the attack, the National Cyber Security Centre (NCSC) warned that the “scale, pace, and complexity” of threats to CNI is rising. Meanwhile, the UK science secretary called Britain “desperately exposed” to cyber threats, raising the alarm that national resilience is in jeopardy.
From transport networks to utility providers, pipelines, port facilities, and healthcare systems, CNI is integral to the smooth running of countries. That makes it an alluring target for criminals who can ignite rippling chaos from just one successful cyber incident.
Traditional security isn’t enough for CNI
With cyber threats to CNI on the rise, experts around the world are increasingly calling for legislation “that will mandate cyber resilience measures for CNI systems,” as seen in Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity, as well as the Strengthening American Cybersecurity Act of 2022, which addresses cybersecurity threats against US critical infrastructure and the federal government.
New legislation is a welcome step forward, but if CNI organisations wish to protect themselves from bad actors, they need an entirely different approach. With 93% of CNI organisations citing an increase in cyberattacks, it’s clear traditional security measures are no match for today’s sophisticated criminals. The trouble isn’t only that CNI organisations too often rely on outdated security techniques; they’re using the wrong kind of techniques altogether.
CNI systems require different defences than typical IT systems. After all, CNI organisations must safeguard cyber-physical systems, such as power grids and water supply networks. Should bad actors successfully infiltrate these systems, they can do much worse than steal data or cause operational downtime. Rather, cyberattacks on CNI can result in property damage, physical harm, or even death.
The framework for greater cyber resilience
To protect systems against increasingly frequent and sophisticated attacks, CNI organisations must pivot their cybersecurity defences. Specifically, they should adopt a proactive approach prioritising prevention, detection, and rapid recovery, in other words, a “timeline of resilience” framework.
Importantly, this framework isn’t limited to the defence function of typical cybersecurity postures. Instead, it seeks a balance between investment in prevention and recovery capabilities, insisting both are required to adequately shield CNI organisations from cyber risks.
The timeline of resilience framework encompasses three critical phases: preparation, response, and recovery.
1. Preparation
The first phase in the timeline of resilience framework is preparation, focusing on fortifying defences through advanced cyber measures.
Rigorous preparation should combine traditional cyber techniques, such as firewalls and encryption, with physical network segmentation, in which networks are divided and critical assets and data are isolated. This reduces the attack surface, slows attackers’ movement and limits their reach in the event of a breach.
By deploying both strategies, CNI organisations can fortify their cybersecurity postures with multiple defence layers to better thwart bad actors and increase their overall resilience.
2. Response
No matter how many safeguards CNI organisations implement, cyber incidents will happen. If crafty cyber criminals can be expected to breach even the most robust defences, then CNI organisations need to take their cybersecurity precautions one step further. Enter the response phase of the timeline of resilience framework.
The main goal is to quickly detect and arrest security breaches. This requires advanced monitoring tools and threat-detection systems that identify breaches in real time. Key stakeholders must be notified, including IT, legal, and management teams, as well as external partners and regulatory authorities. Of course, this phase also includes the deployment of predetermined incident response plans. These can include reactive network segmentation to impede attack propagation and isolate compromised assets and data. This can be done remotely, without an internet connection and from anywhere in the world, giving leaders complete control over connected networks and devices.
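The two segmentation points above, that physical segmentation limits how far an intruder can reach (preparation) and that a detected breach should trigger isolation of the compromised segment (response), can be made concrete with a small model. The following is an added example, not code from the original article or from Goldilock: it builds a constructed topology of CNI network segments, measures the blast radius from a compromised segment with and without segmentation, runs a simple flow-policy check over constructed flow-monitor log lines, and then severs the offending segment’s links and confirms the critical assets are no longer reachable. Segment names, the permitted-flow policy and the log lines are all assumptions made for illustration.

```python
"""Segmentation blast radius and reactive isolation: a toy model.

Added example, not code from the original article or from Goldilock.
Segment names, the flow policy and the log lines are constructed.
"""
import re
from collections import deque

# Constructed topologies: undirected links between network segments.
# FLAT: everything interconnected. SEGMENTED: a single corp-it -> dmz ->
# scada-hmi -> plc-ring path; backup-vault is physically air-gapped (no links).
FLAT = [("corp-it", "dmz"), ("corp-it", "scada-hmi"), ("corp-it", "plc-ring"),
        ("corp-it", "backup-vault"), ("dmz", "scada-hmi"), ("scada-hmi", "plc-ring")]
SEGMENTED = [("corp-it", "dmz"), ("dmz", "scada-hmi"), ("scada-hmi", "plc-ring")]

# Assets whose compromise has cyber-physical consequences (constructed).
CRITICAL = {"plc-ring", "backup-vault"}

# Constructed flow policy: the only (src, dst, protocol) triples that should
# ever be observed on the segmented network.
PERMITTED_FLOWS = {
    ("corp-it", "dmz", "https"),
    ("dmz", "scada-hmi", "https"),
    ("scada-hmi", "plc-ring", "modbus"),
}

# Constructed flow-monitor log lines (not real device output).
SAMPLE_LOGS = [
    "2025-03-01T02:14:07Z src=scada-hmi dst=plc-ring proto=modbus op=read",
    "2025-03-01T02:14:09Z src=corp-it dst=dmz proto=https op=get",
    "2025-03-01T02:14:31Z src=dmz dst=scada-hmi proto=modbus op=write",
    "2025-03-01T02:14:40Z src=scada-hmi dst=plc-ring proto=modbus op=write",
]
LOG_PATTERN = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)")


def adjacency(links):
    """Build an undirected adjacency map from a link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(links, start):
    """Breadth-first search: every segment an intruder on `start` can reach."""
    adj = adjacency(links)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(links, compromised):
    """Segments beyond the compromised one that lateral movement could reach."""
    return reachable(links, compromised) - {compromised}


def detect(log_lines):
    """Return the source segments of flows that violate PERMITTED_FLOWS."""
    offenders = set()
    for line in log_lines:
        m = LOG_PATTERN.search(line)
        if m is None:
            continue  # unparseable line: skipped here, counted in a real pipeline
        src, dst, proto = m.group("src", "dst", "proto")
        if (src, dst, proto) not in PERMITTED_FLOWS:
            offenders.add(src)
    return sorted(offenders)


def isolate(links, segment):
    """Sever every link touching `segment`; return (remaining, severed)."""
    severed = {link for link in links if segment in link}
    remaining = [link for link in links if link not in severed]
    return remaining, severed


def contained(links, compromised, critical=CRITICAL):
    """True if no critical segment is reachable from the compromised one."""
    return not (reachable(links, compromised) & critical)


def respond(links, log_lines):
    """Detect policy violations, isolate each offending segment, report cuts."""
    remaining, severed = list(links), set()
    for segment in detect(log_lines):
        remaining, cut = isolate(remaining, segment)
        severed |= cut
    return remaining, severed


if __name__ == "__main__":
    print("flat blast radius from corp-it:     ", sorted(blast_radius(FLAT, "corp-it")))
    print("segmented blast radius from corp-it:", sorted(blast_radius(SEGMENTED, "corp-it")))
    after, cut = respond(SEGMENTED, SAMPLE_LOGS)
    print("severed links:", sorted(cut))
    print("critical assets contained after isolation:", contained(after, "dmz"))
```

The flat topology lets an intruder on corp-it reach every segment, including the backup vault; the segmented topology still leaves a path to the PLC ring along the permitted engineering route, which is why static segmentation alone is not the end of the story. The third log line (Modbus writes originating in the DMZ) violates the flow policy, so `respond` cuts both DMZ links, after which neither the PLC ring nor the vault is reachable from the compromised segment. The same reachability check can be rerun before reconnecting a segment during recovery.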
Often, organisations prioritise only the preparation phase, dedicating most resources to building defences to keep bad actors out. While understandable, this is a major misstep. Certain bad actors will prevail no matter the strength of security measures, and eventually organisations must be prepared to face them.
3. Recovery
Finally, the third phase of the timeline of resilience framework is the most overlooked but perhaps the most important. Recovery and rapid restoration of isolated systems are critical to mitigate both the immediate impacts as well as the long-term damage of cyberattacks.
For example, recovery activities include restoring data from backups, patching affected systems, and reconfiguring security protocols. As for businesses tackling the fall-out of an attack on IT systems, these steps are crucial to mitigate financial loss and operational downtime. But unlike typical IT breaches, an attack on CNI organisations can also directly impact public safety and security, making it even more essential to get critical systems back up and running with minimal delay. Again, to ensure efficient recovery, physical network segmentation can be used to support troubleshooting. With technology such as next-generation physical air-gapping, previously isolated network segments that are known to be safe can be reconnected rapidly, so that services are restored as soon as possible.
Beyond system recovery, an important part of the final phase of the timeline of resilience is conducting a post-incident analysis. By analysing forensic data and incident logs, organisations can better understand how bad actors were able to defy security barriers and carry out the attack. They can then feed this information back into the first and second phases to improve defences and response strategies.
By strategically allocating resources throughout the three phases of the timeline of resilience, CNI organisations can significantly enhance their abilities to withstand and recover from cyber incidents, ensuring continuing service delivery in the face of evolving threats.
The future calls for cyber resilience
Given their foundational roles in public safety and national security, CNI organisations will continue to attract cyber attackers whose success is not a question of if, but when.
CNI cyber-physical systems are in another world compared to traditional IT systems, so it’s time to stop relying on traditional security measures for protection. CNI organisations need to think differently and innovate when it comes to their cyber and operational defence. They need to change the status quo, and simply adding more firewalls and encryption won’t achieve that.
More depth and more layers of security are required, and one such approach is physical segmentation, which adds far deeper protection across multiple sectors than most traditional approaches alone. When it is integrated into the three-phase timeline of resilience, CNI leaders will be able to consider the 360-degree scope of cyber threats and what it takes to safeguard nations.