Cyber, Criminality and Critical Infrastructure
There is always bad news with Cyber security and rarely any good. This blog will try to be different, although we will start with the bad, but we hope to reinforce and reassure with some good news. We will examine the context of cyber security for critical infrastructure [of which waterworks is a major but forgotten area], the current thinking, and how we can stay one step ahead.
Cyber security is a complex issue[1], but at its most simplistic it is the awareness of threats against the cognitive, physical, and virtual systems we use to handle almost all of our everyday activity. These systems are integral to the second by second, minute by minute, day by day operation of the critical infrastructure we all trust and rely upon.
So, the main question we need to ask and answer is why? Why would anyone want to attack the critical infrastructure of a country or community? For different players there are different reasons, some may be monetary [ransom], the challenge [hacktivists] or disruption [bad actors within rogue regimes, for example]. Each of these reasons are supported by the criminal theory of opportunity[2], if an opportunity exists, there is little doubt that bad actors will target the weaknesses. The following quote shows how serious we should take the threat:
“I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack,” Ciaran Martin [Head of the UK National Cyber Security Centre].[3]
The UK National Cyber Security Centre [NCSC] is a leading voice in the preparedness of businesses and government to the threats we face. They have led the field within governance and it is well worth becoming familiar with the NCSC 10 Steps[4]. So much so that many other countries are adapting the similar operations, advice, and approaches[5].
The 3Cs – Cyber, Criminality and Critical Infrastructure
Two-thirds of critical infrastructure firms have suffered service outages in last two years[6], 35% of these outages were believed to have been caused by cyber-attacks. Most of these attacks targeted weaknesses within the energy grid, but this is likely to change. When we think of cyber-attacks against critical infrastructure, we immediately think of the energy infrastructure and the damage that could be made. This theory is well evidenced by previous attacks[7] and the level of cyber security focusing upon this area.
Good news! Governments, Intelligence Services and Cyber Companies are taking these threats seriously. Working together we have developed effective risk mitigation solutions and monitor many channels to maintain our understanding. We can never say that we are totally secure but it does mean we are in a good place.
However, when bad actors see reduced opportunity they look elsewhere, areas with reduced security or more opportunity. The displacement theory is different for different offending[8], yet anecdotal evidence suggests cyber attackers as versatile and adaptable. As we examine their behaviour we must look at where there is opportunity perhaps with governments, or regulators or a different challenge such as infrastructure which could cause massive disruption or provide monetary opportunities – waterworks.
Perhaps it has already started, risks against waterworks are increasing; the Netherlands [9] and other countries are noting their weaknesses within waterworks[10]. The result of these threats are a serious hazard for health, economy and the environment. With the details being released they will be like a reg flag to other bad actors or opportunists. Just like other cyber-attack targets the weaknesses, modus operandi, and awareness will gain traction.
More good news! We have already started this discussion and can learn greatly from other leaders within critical infrastructure or cyber resilient businesses. Adaptation is key to efficiency and gaining from best practice. Waterworks with the right partnerships and initiatives can do more to understand the threats, manage the risks and incidents and in the long-term develop better capabilities. Now is the time to start.
[1] https://www.ncsc.gov.uk/blog-post/mice-and-cyber
[2] https://popcenter.asu.edu/sites/default/files/opportunity_makes_the_thief.pdf
[3] https://www.theguardian.com/technology/2018/jan/22/cyber-attack-on-uk-matter-of-when-not-if-says-security-chief-ciaran-martin
[4] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
[5] Australia, Netherlands, Lithuania, France amongst many others
[6] https://www.information-age.com/critical-infrastructure-firms-service-outages-123471732/
[7] https://www.smartcitiesworld.net/smart-cities-news/smart-cities-news/critical-infrastructure-operators-reveal-extent-of-cyber-attacks-4049
[8] http://www.crimeprevention.nsw.gov.au/Documents/displacement_theory_factsheet_oct2014.pdf
[9] https://www.nu.nl/internet/5814282/rekenkamer-waterwerken-niet-goed-beveiligd-tegen-cyberaanvallen.html