Firstly can you imagine what would happen if you could no longer use some. Or all of the technological infrastructure and systems that we rely on daily? We are not talking about your smartphone or laptop but critical systems that we rely on but rarely think about. Think about not being able to power your home and equipment in there. Failure to access your bank account, or inability to receive safe drinking water.
Meanwhile, Critical infrastructure refers to the assets, facilities, networks, processes, technologies, services, and systems essential to the health, economic, safety, and security of the public and the effective functioning of government. A majority of critical infrastructure is dependent on technology, making them a target for malicious actors. Any disruption of critical infrastructure by cyberattacks can have devastating effects.
Increasing Reports of Attacks
At the same time, A string of significant cyberattacks on different types of critical infrastructure has raised concern. The fragility and vulnerability of critical infrastructure to cyberattacks are now attracting lots of attention. In March 2021, the CNA Financial Corporation, one of the largest insurance companies in the U.S., suffered an attack that disrupted its networks and system. A ransomware attack followed in May on the Colonial Pipeline that stopped operations for six days, causing a fuel crisis and a hike in fuel prices across the eastern U.S.
In June 2021, less than a month later, JBS USA Holdings Inc, one of the largest meat producers in the world, was hit by a ransomware attack. The attack caused a disruption of supply chains in Australia, Canada, and the U.S. A second ransomware attack was reported in June on Martha’s Vineyard and Nantucket Steamship Authority that caused service delays and even disruption of ferry services.
Fragile Critical Infrastructure
In October 2021, the U.S. Cybersecurity and Infrastructure Security Agency prepared an Alert AA21-287 following the string of cyberattacks on the financial, food, gas, and transportation sectors. The alert drew the attention of various stakeholders to the fragilities that exist in the critical infrastructure sector. The sector was warned about the rising number of malicious cyber incidents targeting everything, including the water and wastewater infrastructure. Such incidences would severely affect the ability of water and wastewater facilities to provide clean drinking water and to manage wastewater effectively. The malicious actors exploit vulnerabilities such as outdated operating systems, internet-connected services, and rarely updated software. Recent cyberattacks have also seen the rise of ransomware and spear-phishing attacks.
Therefore, the need to prevent and combat cyberattacks on critical infrastructure has never been greater. As it currently stands, critical infrastructure is far from being secure. There are always more interrelated factors that make critical infrastructure exposed and vulnerable.
- Many critical systems are often highly complex, and the complexity increases as the number of devices and connections increase rapidly.
- A majority of critical systems include a mix of insecure, outdated legacy systems combined with new technologies. The addition of automation and advanced analytics to legacy systems creates a perfect storm of exposures.
The above combination of factors makes the critical systems too complex to be understood by computer models, persons, or teams of people. It becomes challenging to identify weak spots that could be exploited intentionally or accidentally, leading to catastrophic system failures.
The Analysis of Real-World Complexities
A team at the Cyber Security Evaluation and Assurance (CyberSEA) Research Lab at Carleton University in the U.S.A. Is developing solutions that will address the vulnerabilities within critical infrastructure. The team intends to improve the security and resilience of critical systems. Implicit interactions are a significant problem arising from the complexity of critical infrastructure. The implicit interactions refer to unplanned or unexpected interactions between system components. Therefore, the exploitation of implicit interactions has the potential to severely impact the security, safety. And reliability of a critical system and its operations. Many implicit interactions can make system components interact in undesirable and unintended ways, making a critical system experience unpredictable behaviors. Attackers will take advantage of unexpected system behaviors to disrupt and damage the system or its operations.
Meanwhile, CyberSEA has conducted a set of cybersecurity analyses on real-world critical systems. The team has worked on a municipal wastewater treatment system to identify and measure the characteristics of implicit interactions within this vital system. The ongoing research and analysis are being carry out in partnership with the Critical Infrastructure Resilience Institute at the University of Illinois at Urbana-Champaign. Meanwhile, in the analysis, the team found a large number of implicit interactions existing in the system. About 28 percent of the identified implicit interactions and vulnerabilities indicated signs of being ripe for exploitation by attackers, leading to wanton damage and disruption in the system.
What Does the Future Hold?
Finally, Just like the CyberSEA study showed, implicit interactions exist in real-world critical infrastructure systems. The feedback obtained from the wastewater system operators stated that the tools and approaches used helped identify potential vulnerabilities. The combination of tools and techniques can be use to guide mitigation efforts when designing critical systems. Therefore, it’s evident that a glimmer of hope exists in the fight against cyber threats to critical infrastructure. There should be continuous development of both rigorous and practical approaches that will address mounting essential issues of the design, implementation, evaluation, and assurance of critical infrastructure’s safe, secure, and reliable operation.
Creating more robust infrastructure will minimize threats to essential services, our security, improve people’s wellbeing, and overall increase the effective functioning of government and society.