The notoriety and frequency of cyberattacks are growing by the day. Russia’s recent cyberattacks on Ukrainian government websites, and the increasing concern among Ukraine’s allies about the safety of industrial control systems, show the magnitude and chaos these attacks can reach.
Gartner estimates that by 2025, attackers will have weaponized a critical infrastructure cyber-physical system (CPS) to successfully harm or kill humans.
Attackers are increasingly choosing to deploy cyber-physical attacks that target critical infrastructure systems, which can cause outages and be fatal. Unfortunately, no business is immune.
Every executive and every business in every country relies on critical infrastructure throughout daily life. Critical infrastructure sectors include energy production and transmission, water and wastewater, healthcare, and food and agriculture. Not only are each of these sectors critical to the appropriate functioning of modern societies, but they are also interdependent, and an attack on one can have a direct impact on others.
For example, if drinking water production or wastewater treatment were disrupted as a result of the ongoing threats to U.S. water and wastewater systems, citizens would be deprived of safe drinking water and sanitation. In addition, hospitals would not be able to operate, fire hoses would not work, and schools, offices and government facilities would be impacted. Similar domino effects would occur if any other critical infrastructure sector were targeted.
In December 2015, an attack on the Ukrainian power grid plunged parts of the country into darkness. In June 2017, an attack dubbed “NotPetya” impacted many organizations, including banks, ministries, newspapers and even radiation monitoring systems at Chernobyl.
NotPetya itself attacked Ukrainian tax preparation software, halting operations across the globe and costing many organizations, including banks and ministries, billions of dollars. After the attack, CISOs and security and risk management leaders learned to establish a governance process that includes the CEO, the board and key operational staff.
On the security controls front, they learned to define their high-value assets so they could perform triage and pre-plan decisions on what to bring back up first. On the leadership and business management front, they learned to update personnel reporting and internal emergency communications trees both in IT and operations.
Looking forward, CISOs and security and risk management leaders should define what their high-value assets are, so that triage and decision making about what to bring back up first doesn’t occur on the fly, and secure mission-critical backups offline or in cloud environments.
They need to review with urgency their network segmentation both in enterprise IT systems and for high-value cyber-physical systems in operational or mission-critical environments.
Another best practice is to update personnel reporting and internal emergency communications trees both in IT and operations and maintain a copy offline. Several NotPetya victims had to revert to social media to get in contact with their own personnel; adequate preparation can help avoid this kind of disruption.
The author is Katell Thielemann, VP Analyst at Gartner