Critical infrastructure defence from cyber threat “a mess”

The infrastructure that helps deliver electricity to homes, powers financial systems and keeps hospitals running is under growing threat from cyberattacks that will only become more complex and numerous in the very near future, warns the founder and chief executive officer (CEO) of security firm Kapersky Lab.

Eugene Kaspersky warns that governments, law enforcement agencies and the facilities and people operating critical infrastructure are not properly prepared for these attacks.

“Traditional crime has recognised the power of cyber,” says Kaspersky, whose firm recently held a panel event on the topic in London. “And the criminals are becoming more professional and more creative.”

Writing in a joint statement, a panel of speakers at the event warns that the world needs to “wake up” to the reality of the risk and respond before similar attacks paralyse more infrastructure.

The group, which includes Kapersky, Leon Brain, land transport security policy advisor at the European Commission (EC) and Jose Palazon, chief technical officer (CTO) of ElevenPaths (Telefonica) recommends industry-wide collaboration, dedicated government regulation, education and tailored protections.

Blurring of offline and online attacks

Historically cyber criminals have focused on digital targets, but the growing number of attacks on infrastructure points to a blurring of online and offline targets with potentially devastating consequences.

From a power station in Ukraine and a steel mill in Germany to banks and broadcasters, a spate of recent cyberattacks  have highlighted how vulnerable critical infrastructure is to online criminals. The panel points out that while known targets include oil refineries, power grids, seaports and financial infrastructure, there are likely many more that have either not admitted an attack has happened or – worse – not noticed.

While in a different category of threat, the late-2013 attack on US supermarket chain Target, seen as the biggest in retail history, went unnoticed for months and enabled millions of customer credit card details and addresses to be stolen.

While there’s growing awareness of the issue, Cevn Vibert, Industrial Control Systems Security Evangelist at Solutions PT says organisations “can’t just change overnight”. The complexity of the systems they are trying to insulate, combined with the complexity of the attacks makes this a huge challenge.

Meanwhile Kapersky warns that there is a gap between the standards required of the infrastructure itself and the cyber systems wrapped around them. While there are likely to be regulatory fines if a building doesn’t meet requirements, the same system does not exist for the security software that’s supposed to be protecting it.

“Buildings are built with strict standards, regulations and penalties. Cyber-systems can be set up in whatever way they want,” he says, highlighting the recent discovery that a Paris airport is runs partly on Microsoft software from 1992.

“It’s a mess,” said Kaspersky.  “And it’s a mess that criminals can easily exploit.”

Governments need to take the lead in controlling the situation, according to the panel, though education, training and collaboration also need to be features of risk management in these cases.

“Critical infrastructure is about national security, about global security and the global economy,” says Kaspersky. “So governments should play the leading role.  They need to introduce regulation for the cyber-systems that manage critical infrastructures.  Any regulation will do, as today it’s zero.

“All nations depend on infrastructure, and infrastructure depends on the cyber-systems.  These systems are vulnerable so we need to redesign them to make them immune.  We are all facing the same enemy and we have a lot of work to do.”

Comments are closed.