Prosperous and highly connected regions of the world are, and will remain, lucrative targets for various adversaries. South Africa is, and will be, one of the most worthwhile targets on the African continent. A recent global study found that South Africa ranks among the ten countries most vulnerable to cyber attacks. Our critical infrastructure is at stake!
Societies around the world rely heavily on the safety and stability of critical infrastructure. The effect of an unplanned shutdown at a power station could be enormous, not to mention the negative impact it could have on business reputation and the potential damage to stakeholder confidence and value. It is no wonder, then, that all countries and societies depend on critical infrastructure. In turn, this infrastructure increasingly depends on modern information systems, which are still very much vulnerable.
Until recently, cyber attacks typically aimed to steal money, corporate secrets, or personal identities. Increasingly, attacks are now directed towards physical infrastructure targets such as energy power stations and grids, oil transportation installations, or large water systems. The Internet of Things (IoT), which links our daily life, work, home, health and leisure with information technologies via the Internet, is under progressively increasing attack.
There are dozens of examples in which infrastructural control systems have been attacked. For example, in 2011 the US Northwest Rail Company experienced signal disruption. In 2014 one of Germany’s steel mills was denied access to the company’s technology and operating environment. More recently, there have already been a number of high-profile ransomware attacks against critical infrastructure, including Israel’s Electricity Authority, Michigan’s Board of Water and Light in its capital Lansing, and various hospitals and universities worldwide.
The newest (12 May 2017) ransomware cyber-attack, dubbed ‘WannaCry’, swept across the globe, hitting over 100 countries. The malware most severely affected computer systems of Britain’s National Health Service (NHS), Russian telecom company Megafon, Spain’s largest telephone company, and international shipper FedEx.
The number of cyber-attacks against critical infrastructure is rising so fast that many consider cyberspace the new battlefield. Attackers use ever more sophisticated techniques to attack digitised infrastructure, which, for example, has cost European utilities and energy companies millions of Euros.
Christopher Frei, director general of the World Energy Council, has recently pointed out that the UK was one of several countries facing a growing critical infrastructure threat: “In the last two years this issue has really come close to, if not to the top, of the issues keeping energy leaders awake at night”.
A thorough understanding of how best to protect vast and complex critical infrastructure systems requires extensive analysis, combined with expertise in cybersecurity and related disciplines. However, the very first step in protecting national critical infrastructure is to understand what infrastructure is critical (what would be attacked), who would attack, and how. We deliberately use the modal verb “will”, as it is commonly accepted among savvy cybersecurity professionals that cyber-attacks will – sooner or later – happen to organisations, individuals and nation states.
What is likely to be attacked?
Critical infrastructure is usually defined as the physical and virtual systems and assets (e.g. facilities, technologies, networks, data) that provide services essential to the national economy, security, and well-being. In other words, an infrastructure is ‘critical’ when the services it provides are vital to various facets of national security. It goes without saying, then, that the destruction of even a part of critical infrastructure would wreak havoc in our everyday lives – and further erode our trust in the government’s ability to administer and protect the country.
As online networks meet physical systems and machines, the risk of cyber attacks will only increase. Critical infrastructure does not operate in isolation but is highly dependent on other systems such as digital networks. Hence, cyber-attacks will generally be directed at the Operational Technology (OT) that governs and controls critical infrastructure. In other words, adversaries will attack the hardware and software (IT) that detects or causes change through the direct monitoring and control of physical devices, processes and events in critical infrastructure systems such as agricultural, energy or transport systems, pharmaceuticals or waste management systems.
Critical infrastructure can include the following sectors:
● Government facilities
● Defence industry
● Critical manufacturing
● Energy
● Water supply
● Food and agriculture
● Healthcare and emergency services
● Information and communication technology
● Transportation
● Financial services
● Chemical industry
● Atomic energy
Cyber-attacks actually happen at the point of IT/OT convergence. In other words, the most critical cybersecurity points are the places where IT systems meet operational technology (OT), which is used to monitor events, processes and devices and to make adjustments to the operation of critical infrastructure. Currently, the Internet of Things (IoT) is increasingly being targeted, as it is still the ‘Achilles heel’ of OT/IT convergence.
There is another major vulnerability at the OT/IT convergence: legacy control and information systems. While individuals and companies tend to upgrade their computers and software fairly frequently (on average, every three to five years), the large organisations running critical infrastructure typically upgrade their control systems only every couple of decades.
It is then easy to understand why the control systems of critical infrastructure are targets of choice for cyber-attackers: the devices and software running these systems are usually outdated, often years behind current technology trends. For example, some systems still run an old version of the MS Windows operating system, which is difficult, if not impossible, to protect.
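The legacy-system problem described above is, on the defender’s side, first of all an inventory problem: you cannot compensate for an unsupported operating system on a control-system host you do not know about. As an added illustration (not code from the original article or from any of the organisations it mentions), the following Python script reads a small constructed asset inventory, flags hosts running an operating system on an assumed end-of-life list or last upgraded more than a configurable number of years ago, and gives each finding a priority depending on whether the host sits on the plant floor. The inventory rows, the end-of-life list and the zone names are all constructed for the example; a real deployment would draw them from the site’s asset register and the vendor’s lifecycle data.

```python
"""Flag legacy control-system hosts in an OT asset inventory (added illustration)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory: hostname, operating system, date of last major
# upgrade and network zone. These rows are made up for the example.
SAMPLE_INVENTORY = """hostname,os,last_upgrade,zone
hmi-01,Windows XP,2006-03-01,plant-floor
hist-01,Windows Server 2016,2017-01-15,dmz
plc-gw-02,Windows 7,2011-08-20,plant-floor
eng-ws-03,Windows 10,2016-11-02,engineering
"""

# Assumed end-of-life list used for illustration only; in practice this comes
# from the vendor's published lifecycle data, not from a hard-coded set.
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}

# Zones where a compromised host can directly influence a physical process.
PROCESS_ZONES = {"plant-floor"}


@dataclass
class Finding:
    hostname: str
    priority: str
    reasons: list = field(default_factory=list)


def parse_inventory(text):
    """Parse the CSV-style inventory into a list of dicts with a real date."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["last_upgrade"] = date.fromisoformat(row["last_upgrade"])
        rows.append(row)
    return rows


def flag_legacy_assets(rows, today, max_age_years=5):
    """Return a Finding for every host that is end-of-life or overdue for upgrade."""
    findings = []
    for row in rows:
        reasons = []
        if row["os"] in END_OF_LIFE_OS:
            reasons.append(f"end-of-life OS: {row['os']}")
        age_years = (today - row["last_upgrade"]).days / 365.25
        if age_years > max_age_years:
            reasons.append(f"last upgrade {age_years:.1f} years ago (> {max_age_years})")
        if not reasons:
            continue
        # An unsupported host that can touch the physical process is the worst case.
        priority = "high" if row["zone"] in PROCESS_ZONES else "medium"
        findings.append(Finding(row["hostname"], priority, reasons))
    return findings


def legacy_hostnames(inventory_text, today_iso, max_age_years=5):
    """Convenience wrapper: hostnames flagged for a given inventory and date."""
    rows = parse_inventory(inventory_text)
    findings = flag_legacy_assets(rows, date.fromisoformat(today_iso), max_age_years)
    return [f.hostname for f in findings]


if __name__ == "__main__":
    for finding in flag_legacy_assets(parse_inventory(SAMPLE_INVENTORY), date(2017, 6, 1)):
        print(finding.hostname, finding.priority, "; ".join(finding.reasons))
```

Run against the constructed inventory with 1 June 2017 as the reference date, the script flags hmi-01 and plc-gw-02 (both end-of-life and both more than five years since their last upgrade), and leaves the historian and engineering workstation alone. The age threshold is deliberately a parameter: the article’s point is that a three-to-five-year office refresh cycle and a multi-decade control-system cycle are measured on different scales, so the same inventory can be reviewed against either.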
Who would attack our critical infrastructure?
The infamous ‘Stuxnet’ attack on the Iranian uranium enrichment facilities in 2009 resulted in the devastation of an estimated 60% of the attacked centrifuges, while the 2012 cyber attack on Saudi Arabia’s state-owned oil giant Aramco devastated 35,000 computers. It took Aramco about five months to bring its computer networks back online.
A cyber attack on the Ukrainian power grid in 2015 and 2016 left hundreds of thousands of people without electricity for hours. In December last year, a successful attack against the Ukrainian power grid caused power outages that affected over 200,000 people. The power distribution companies described the hacking as a sophisticated attack comprising a vicious mixture of ‘phishing’ for employees’ credentials and the deployment of malware named ‘BlackEnergy’.
A common thread in these cyber-attacks is the belief that they were carried out by state-sponsored cyber-attack groups, which have considerable resources and usually choose long planning and short execution – long execution is easier to detect and confront. A recent report from the UK warns that these hackers now have the ability to disrupt the UK’s national power grid and other critical infrastructure. State-sponsored attacks on critical infrastructure are, fortunately, still rare, but they are a very real possibility – though to many uninformed people this likelihood might sound like a Hollywood movie.
The importance of power grids lies in the fact that this infrastructure is one of the few, if not the only, truly “national” infrastructures in which it is theoretically possible for a failure in one region to cascade to catastrophic proportions before it can be dealt with.
Defences against cyber-attacks on critical infrastructure may increase the likelihood that attacks are instead carried out by opportunistic hackers, such as terrorists or organised criminal groups, who will exploit vulnerabilities for their own ends. A special warning concerns the inside job: for example, a disgruntled employee, or the recruitment of an untrustworthy individual without proper screening. This kind of cyber-attack is much harder to detect and counter.
What can be done to protect our precious infrastructure?
International experience suggests that two measuring parameters are important for assessing the criticality of infrastructure: (1) the possible number of casualties if the infrastructure is successfully attacked and (2) the damage to the national economy. Hence, it seems logical that the responsibility for setting goals in protecting national critical infrastructure rests primarily with the government, as it has the power to deliver regulation.
The implementation of steps to reduce the vulnerability of corporate assets depends primarily on private sector knowledge and action, as well as on a good understanding of operations and potential risks. In South Africa, this knowledge (particularly technical knowledge) and experience of the private sector, as well as potential funding, are dearly needed at all levels of government. The question, however, is whether the private sector has adequate commercial incentives to cooperate with the government in funding and addressing the vulnerabilities of critical infrastructure.
An equally important issue is building trust between government and the private sector in order to create an effective partnership for protecting South Africa’s critical infrastructures.
Complexity is another big challenge in protecting critical infrastructure. For individuals, protecting their digital equipment and data is a relatively simple task. Protecting companies, however, is a more intricate mission, as it requires the deployment of cybersecurity solutions throughout the entire organisation.
For industrial facilities and critical infrastructure, it becomes even more challenging. This protection requires the design of entire cybersecurity systems specifically dedicated to a particular industrial plant or infrastructure. Designing, implementing and maintaining these systems, however, still faces significant difficulties, one of them being a huge shortage of skilled cybersecurity professionals: engineers, technicians and strategists.
Dealing with a skills shortage
To address the skills shortage, we can ‘borrow’ experience from nations with advanced thinking and technology for confronting sophisticated cyber-attacks on their critical infrastructure. In order to secure the necessary expertise, these countries promote the introduction of cybersecurity subjects in high schools, and sometimes in primary schools, and foster competitions through, for example, hackathons.
Although South Africa is still battling to properly introduce general technology subjects in its schools, leapfrogging by introducing cybersecurity within the IT curriculum can give us, in times to come, a leading cybersecurity skills edge on the continent.
Robust implementation of an efficient national legislative policy is another critical success factor for the effective protection of national critical infrastructure. In 2016, South Africa published the ‘Draft Critical Infrastructure Protection Bill’, a replacement for the apartheid-era National Key Points Act.
The aim of the Bill is to secure critical infrastructure against threats; to ensure that information pertaining to certain critical infrastructure remains confidential; to ensure that objective criteria are developed for the identification, declaration and protection of critical infrastructure; to ensure public-private cooperation in the identification and protection of critical infrastructure; and to secure critical infrastructure in the Republic by creating an environment in which public safety, public confidence and essential services are promoted.
However, the Bill has still to be scrutinised and amended in order to be functional. We trust that, once all stakeholders have had the opportunity to make submissions on the Bill, a government policy will emerge that ensures our collective well-being, emboldened by a secure national critical infrastructure. The questions we should demand that the Bill, or other relevant documents, address are: how aware are we of the looming threats to cybersecurity; why is there a need for citizens and users of modern technologies to be informed, educated and aware about national critical infrastructure; and in what ways can we act as a collective? Some initial evidence suggests that this awareness is either non-existent or still embryonic.