How to boost security of Australia’s critical infrastructure

Image: Shutterstock

By Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior

Increasing technical complexity and a widening attack surface are making life tough for IT security professionals. Faced with an evolving threat landscape, the pressure is on to deploy and maintain effective protection for critical infrastructure.

The challenge is made more acute by the fact that digital resources across the world are highly prized targets for nation-sponsored threat actors—a trend likely to ramp up in the coming years. Critical infrastructure has increasingly been singled out for attempted large-scale disruption, with global agencies reporting a higher frequency of attacks during the past couple of years.

Incidents in the not-too-distant past, such as the attack affecting Colonial Pipeline, or the widespread fallout from the ransomware attack on Johannesburg’s electricity grid, and the cyber attack on Queensland-headquartered Goodline in the resources sector are stark reminders that the digital connectivity of these systems creates a much higher risk profile than many understand.


The growing risks facing critical infrastructure

When electricity grids were first being constructed around the world, the concept of protecting them from invisible, digital threats would have been inconceivable. Decades on, the world is left with retrofitted, digitised monoliths of legacy physical infrastructure and code that require a careful defensive strategy to fortify.

Attacks on power grids, oil and gas, water supply, hospitals, and public transport are devastating enough in themselves, but their real potency lies in the disruption that continues well after the incident itself has been contained, and in the knock-on effects on the supply chains that depend on them.

With a rapidly increasing susceptibility to successful attacks there is no time to waste in mobilising security personnel and developers to defend these systems efficiently.

The evolving threat landscape

There is evidence to suggest that the most prominent perpetrators of critical infrastructure attacks are nation-state actors. However, the implications of disruption to the supply chain and access to downstream systems also make them attractive for enterprising criminal groups.

Either way, threat actors will take any opportunity to seize control and, too often, gain a foothold in critical systems through small, avoidable mistakes. For instance, the devastating Colonial Pipeline attack was helped along by a compromised password for a legacy VPN account that had no multi-factor authentication, which resulted in the pipeline being shut down for nearly a week and the payment of a ransom of more than $US4.4 million.

More recently, in the Netherlands, security researchers alerted solar technology manufacturer Enphase to six zero-day vulnerabilities affecting its Enphase IQ Gateway devices. Many of these vulnerabilities related to poor access control and authentication, and, if connected to an untrusted network, could be exploited to seize control over the Enphase IQ Gateway and any connected devices.

More than four million of these systems are deployed across 150 countries and, if an attacker had discovered them first, they could have leveraged them for a catastrophic incident that would have revealed just how fragile IoT infrastructure can be when not properly secured, and how devastating they can be in the supply chain.


Achieving effective infrastructure security

Recent government-level directives, such as the EU Cyber Resilience Act, the NIS2 directive, the Australian Cyber Security Act and the 2023-2030 Australian Cyber Security Action Plan, call for greater cyber resilience, including more accountability for software developers to ensure the code they produce is free from vulnerabilities.

This advice is sound; however, it needs to be more robust and prescriptive, and it must result in measurable positive outcomes. This requires:

  • Increased developer security skills: Basic annual compliance training, or education that does not match the languages, frameworks and scenarios developers encounter day-to-day, is functionally useless. Ideally, developers should be a central fixture in the overall security program, with continuous learning pathways. Their skills should be assessed regularly, with data-driven insights providing visibility into knowledge gaps that must be closed before they are allowed to commit code to more sensitive repositories.
  • Vendor transparency: It is important that vendors, suppliers and contractors care as much about security as their clients. Whether manufacturing physical or digital products, if it runs on software, every component should be disclosed and verified as safe.
    If vendors are not forthcoming about their internal security processes, dependencies used, and certifications gained, then there is more chance of supply chain security issues that can dramatically affect the critical infrastructure sector.
  • APIs, access control, and authentication: While basic, it is these pathways that threat actors target first as the “low-hanging fruit” that can lead to escalated privileges and vast access beyond the initial point of compromise. Documentation, processes, and know-how in securing these access points is something every developer working on any software powering infrastructure must know like the back of their hand.
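The third point above is the one most easily shown in code. The following is an added example written for this article (it is not Secure Code Warrior's code and not any vendor's real API); it assumes a hypothetical fleet-management endpoint that returns the configuration of a solar gateway, with constructed installer accounts, tokens and device records. The vulnerable handler trusts the `device_id` in the request and never asks who is calling, which is exactly the "poor access control and authentication" pattern behind most low-hanging-fruit findings; the hardened handler authenticates first, authorises against the device's owner, and answers "not found" for both missing and foreign devices so it cannot be used to enumerate IDs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for a hypothetical gateway fleet API (not a real vendor schema).
# Bearer tokens are stored only as SHA-256 hashes, so a leaked table yields no usable credential.
def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

INSTALLERS = {                       # principal -> sha256(bearer token)
    "installer-a": _token_hash("tok-a-8f3c"),
    "installer-b": _token_hash("tok-b-21d9"),
}
DEVICES = {                          # device_id -> owner principal and its configuration
    "gw-1001": {"owner": "installer-a",
                "config": {"export_limit_kw": 5.0, "remote_shell": False}},
    "gw-2002": {"owner": "installer-b",
                "config": {"export_limit_kw": 3.5, "remote_shell": False}},
}

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape for this example)."""
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)

def vulnerable_get_config(req: Request):
    """Broken object-level authorisation: any caller can read any device's config
    simply by guessing its ID, because nobody is authenticated or authorised."""
    device = DEVICES.get(req.query.get("device_id"))
    if device is None:
        return 404, {"error": "not found"}
    return 200, device["config"]

def _authenticate(req: Request) -> Optional[str]:
    """Return the principal for a valid bearer token, otherwise None.
    Hashes are compared with hmac.compare_digest so a near miss takes the same time as a wrong guess."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = _token_hash(auth[len("Bearer "):])
    for principal, stored in INSTALLERS.items():
        if hmac.compare_digest(presented, stored):
            return principal
    return None

def hardened_get_config(req: Request):
    """Deny by default: authenticate the caller, then check ownership of the requested object."""
    principal = _authenticate(req)
    if principal is None:
        return 401, {"error": "authentication required"}
    device = DEVICES.get(req.query.get("device_id"))
    # Same answer for "does not exist" and "not yours", so the endpoint does not confirm which IDs exist.
    if device is None or device["owner"] != principal:
        return 404, {"error": "not found"}
    return 200, device["config"]

if __name__ == "__main__":
    anon = Request("/config", query={"device_id": "gw-2002"})
    print("vulnerable, anonymous:", vulnerable_get_config(anon))     # leaks installer-b's config
    print("hardened, anonymous:  ", hardened_get_config(anon))       # 401
    a_for_b = Request("/config", {"Authorization": "Bearer tok-a-8f3c"}, {"device_id": "gw-2002"})
    print("hardened, wrong owner:", hardened_get_config(a_for_b))    # 404, not 403
    a_for_a = Request("/config", {"Authorization": "Bearer tok-a-8f3c"}, {"device_id": "gw-1001"})
    print("hardened, owner:      ", hardened_get_config(a_for_a))    # 200 with config
```

Two design choices are worth pointing out. Authentication and authorisation are separate steps with separate failure codes, so a missing token is never mistaken for a permissions problem, and the ownership check is done against the object being requested rather than against a role, which is what prevents one installer walking through another installer's fleet by incrementing an ID. The same shape applies to write endpoints, where the stakes (for example toggling `remote_shell`) are far higher.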

Critical infrastructure will continue to be an attractive target for cybercriminals. For this reason, organisations must take the steps necessary to achieve effective security now, or risk the expensive consequences.
