Protecting critical infrastructure from a cyber pandemic 

We are in the midst of a “cyber pandemic”. In 2020, COVID-19 accelerated a transition towards remote working and the software being used for these attacks has become easier to execute, ransomware attacks have risen rapidly and continue to accelerate in 2021:

A prime target for cybercriminals has been the Operational Technology (OT) networks which interconnect the Industrial Control Systems (ICS) that manage our critical infrastructure. As services like power grids, water treatment facilities, transport and healthcare systems increasingly integrate their operational technology systems with the internet of things – for example through remote sensors and monitoring – this creates a new frontier of risks where millions more vulnerability points and new vectors can be exploited by hackers.

These attacks have huge implications not only on businesses but also on communities, cities, states, and entire countries. The consequences can be dire. In April 2020, hackers targeted Israel’s water treatment facilities through their IoT system, which gave attackers the ability to change the water pressure, temperature, and chlorine levels of the water. If the attack had fully succeeded, this could have led to whole communities becoming sick from the water supply or triggering a failsafe which would have left thousands of people without water entirely.

IoT devices and connected systems can be a large security risk for critical infrastructure services when security best practices are not implemented, as they come with a few intrinsic flaws:

As a result, there are a number of ways for hackers to exploit these devices and either perpetrate attacks on bigger targets or move laterally to harm mission-critical systems and steal information of customers and employees, intellectual property, or other sensitive assets.

A new “botnet” attack called Mozi has been extremely active in the past 18 months, accounting for 90% of total IoT attacks in 2020 and controlling nearly 500,000 connected devices. Each compromised device is instructed to find more devices to infect, which enables cyber criminals to gain control over entire networks and its data and hold it for ransom.

In March 2021, Silicon Valley start-up Verkada suffered a massive IoT cyber-attack. The hackers were able to obtain administrative privileges to a large number of security surveillance cameras, meaning they could execute their own malicious code on the devices.

Once a hacker can breach a networked device, they can then use the device as a launching point for attacks laterally, exposing systems that are critical to operations. As industries further integrate IT and OT networks to gain new insights, these devices pose an even greater danger for operations that rely on industrial control systems. Without a greater push for security that addresses these connected devices, we are likely to continue seeing more attacks that target critical infrastructure industries.

Critical infrastructure remains largely private-owned and will require a coordinated effort between the public and private sectors to deter ransomware and IoT threats. To address gaps in security protocols and standards within critical industries, governments are taking it upon themselves to introduce and expand on existing cyber security policies for IoT devices.

The European Union Agency for Cybersecurity (ENISA) published guidelines on security IoT supply chains in 2020 and is now developing specific security measures for IoT operators and critical infrastructure industries. Meanwhile, the IoT Cyber Security Improvement Act was enacted in late 2020, which requires US public sector users of IoT, including those used in critical infrastructure, to extend robust cyber defenses to their IoT deployments.

The standard for this has been developed by the National Institute for Standards in Technology (NIST), who has been central in developing approaches for improving cyber security across the US for several years. NIST has developed a number of guidance documents in consultation with stakeholders in government, industry and the private sector, and in coordination with other nations’ international standardization efforts. Given the size of the US government as a customer, the NIST standards adopted for the public sector could also act as a broader de-facto industry standard for all types of IoT devices in the US and beyond.

Looking beyond the IoT Cybersecurity Improvement Act which focuses on the US Federal Government market, Public Law 116-283 which passed at the end of 2020 called for an IoT Steering Committee made up of private sector stakeholders to advise a US Federal government-wide interagency group. The Steering Committee and Federal Working Group are tasked to identify the benefits of IoT, improve IoT regulation and remove barriers to adoption. In a parallel effort, the President’s May 2021 Executive Order on cybersecurity calls for the piloting of a labelling programme for consumer IoT products that identifies how they meet cybersecurity criteria, which will be operational by February 2022.

These efforts to establish security requirements for IoT devices goes beyond federal agencies and contractors to address the need for security in critical infrastructure. Industries that are most exposed to these attacks seek uniformity and efficiency, and thus look to these laws and policies as guidelines to adopt baseline security requirements.

As cyberattacks rise in critical industries, governments and the private sectors have a shared responsibility to protect these systems. Adopters of IoT devices can work alongside policy-makers and cybersecurity suppliers to build greater consensus on IoT security standards while also developing trust in security across critical infrastructure.