The world is experiencing the most difficult time due to the ongoing pandemic. India did well during the first wave of Covid-19 last year, but the second wave virtually created an emergency-like situation due to unprecedented pressure on the healthcare infrastructure and ancillary services around it.
Due to the lockdown, production and supply chains—which were already impacted—faced more pain. Thankfully, the information and communication technology (ICT) infrastructure across the country worked very well and no major outage has been reported yet. But imagine if, in this critical time, any of our critical infrastructure or supply chains had come under a cyberattack that made it non-functional for hours and days.
Recently, there were two major instances of cyberattacks on the supply chain and healthcare infrastructure. In the first instance, the U.S. declared a state of emergency as a cyberattack had shut down a major pipeline. In the second incident, Ireland's health service was forced to shut down its IT systems after a ransomware attack.
The recent major cyber incidents have clearly warned us that, increasingly, critical infrastructure (CI) and essential services are more vulnerable to widespread cyberthreats. As a result, cybersecurity is becoming a strategic challenge requiring the highest level of oversight in the complex global industrial environment.
Why CIs are so critical
CIs are our nation’s backbone. The term refers to both physical and cyber systems vital to our nation’s physical or economic security, health, and safety. For every nation, national security and critical infrastructure sectors have become increasingly dependent on commercial information systems and technologies. These system architectures are fragile and have already been shown to be compromised when subjected to increasingly advanced and adaptive cyberattacks, resulting in failed, disrupted, or compromised mission operations that can adversely impact the whole nation. Today, the financial sector, power and energy distribution, dams, nuclear power plants, public utilities, trains, airports, defence, and research establishments, among others, are always on the radar of cybercriminals for a variety of reasons.
Without a strong, resilient cybersecurity programme, cybercriminals could destroy how our economy and nation operate.
National critical infrastructure—a prime target
The intensity and frequency of cyberattacks continue to grow exponentially as the world becomes increasingly connected. According to Gartner, by 2020 there were around 20.4 billion IoT devices, and approximately 37% of these were used outside consumer settings, including large numbers dedicated to infrastructure monitoring and control.
The world has witnessed plenty of attacks on CIs in recent times. One of the most famous attacks was the WannaCry ransomware crypto-worm—a virus which encrypted data and demanded money to re-access it—which, in May 2017, infected more than 200,000 computers in over 150 countries.
While financial institutions have comparatively stringent privacy and security protocols, even these aren’t completely safe. One of the biggest breaches was at credit bureau Equifax in 2017, where hackers stole personal data—including credit card details and social security numbers—of over 140 million U.S. citizens by taking advantage of a security vulnerability in the company's IT infrastructure. This vulnerability had been discovered two months earlier, but Equifax had not installed the required patch that had been issued to close this vulnerability. Equifax paid the price for its negligence, racking up a $700-million fine from the Federal Trade Commission.
On October 12, 2020, a grid failure in Mumbai resulted in a massive power outage, stopping trains on tracks, hampering those working from home amidst the Covid-19 pandemic, and hitting economic activity hard. Later, news reports referred to some unknown Chinese entities which had mounted a cyberattack on India's electricity infrastructure, leading to the large-scale power failure in Mumbai.
Building a cyber defence for CI
To build an adequate defence infrastructure, one must assume that a cyberattack is imminent. It is therefore essential to build a unified, integrated cyber defence that best protects all relevant critical infrastructure assets. Security risks for CIs are evolving day by day along new technology pathways, as IoT devices and applications find their way into CI systems.
Policymakers and industry stakeholders may consider the following principles, based on recommendations of the World Economic Forum, as a guide to shape a responsible course of action:
1. Establish a comprehensive cybersecurity governance model.
2. Promote a culture of security and resilience by design.
3. Increase the visibility of third parties' risk posture and consider broader ecosystem impact.
4. Implement holistic risk management and defence mechanisms for critical infrastructure with effective preventive, monitoring, response, and recovery capabilities.
5. Prepare and test a resilience plan based on a list of pre-defined scenarios to mitigate the impact of an attack.
6. Strengthen international, domestic, and public-private collaboration between all stakeholders to manage critical infrastructure efficiently.
7. Ensure cross-sector coordination on the most important issues, initiatives, and interdependencies.
It is time for every nation to consider embedding cybersecurity practices into the corporate or organisational culture and digital products lifecycle, as the world is likely to see more frequent attacks on critical infrastructure such as oil and gas pipelines, healthcare, banking and finance, power plants, or water treatment plants.
Views are personal. The author is Chief Risk Officer for APAC, Middle East & Africa, FIS.