In early May 2021, one of the largest pipelines in the United States experienced a ransomware attack. Colonial Pipeline immediately took certain systems offline as a precautionary measure, halting pipeline operations and causing widespread fuel shortages.
The attack once again highlighted growing concerns about the vulnerability of America's critical infrastructure.
In April, the US government initiated a new plan to beef up the nation's energy grid.
The United States is not alone. The fourth industrial revolution is driving a move towards more intelligent and smarter operational networks − think energy, water, traffic management, air traffic control, defence systems, etc.
Smarter systems deliver efficiencies and savings, but they also create massive new vulnerabilities. A vast and well-resourced criminal underworld specialising in cyber attacks has sprung up, and, even more daunting, cyber attacks are becoming a favoured technique for proxy wars between nations.
In 2020, Australian home affairs minister Peter Dutton warned that the country needed to be prepared to deal with cyber attacks that could disrupt industries. The outgoing director of the United Kingdom's National Cyber Security Centre cautioned that an attack on the national infrastructure that could lead to a loss of life or severe economic damage had become more probable.
Of course, the vulnerabilities created by our increasing reliance on smart and networked technologies are not limited to critical national infrastructure. Private sector entities are also squarely in the crosshairs of cyber criminals.
As in the Colonial Pipeline incident, ransomware attacks are becoming more prevalent. Ransomware essentially encrypts data and/or systems, thus halting operations until an encryption key is released on payment of a ransom, with crypto-currencies like Bitcoin often used for payment.
Smarter systems deliver efficiencies and savings, but they also create massive new vulnerabilities.
The EKANS ransomware strain has become popular because it attacks an organisation's industrial control system. With the organisation thus effectively crippled, boards may decide that paying up is preferable to staying offline for an extended period, with all the reputational and financial damage that would entail.
In addition, it seems as though ransomware continues to be a growing threat and risks becoming yet another of those "costs of doing business" that companies build into their strategies.
In 2020, a survey showed that the quantum of ransom demanded increased by a staggering 60% to an average of $178 000. At the same time, though, the number of attacks seemed to decline, perhaps indicating cyber criminals were becoming more sophisticated.
In 2021, it's expected that the move to open up corporate network architectures to enable working from home will create new opportunities for cyber criminal syndicates. One estimate puts the total damage caused by malware to reach $6 trillion by 2021.
One thing is certain: no institution, be it in the public or private sectors, is immune from attack. Another key point is that the more critical an industry is to the economy and society at large, the more likely it will be targeted − for example, network providers, energy and water utilities and the like seem to be highly probable targets because of their impact on keeping the economy functioning. The more the potential impact, the more likely it is that paying the ransom will seem like the best option.
Minimising downtime
So how should chief information security officers and boards be preparing for the near inevitability of cyber attack and the potential for the organisation to lose the capability to function for an extended time?
The first line of defence is to have a plan, and the increasingly sophisticated approach taken by business continuity professionals is becoming the gold standard.
It's not feasible to protect and recover every system and application equally, so it is, therefore, vital that organisations undertake an in-depth analysis of their systems and their impact on their operations − often called a business impact analysis − to be able to prioritise correctly.
The organisation needs to know exactly which systems and applications can be recovered first (recovery time objective) and how far back the system must be recoverable (recovery point objective). The business impact analysis will guide the recovery teams and reduce the time that the organisation is unable to continue operating.
For many critical-sector organisations, the potential loss of data may not be as immediate a threat as the loss of operational capacity. Nonetheless, data loss remains a significant, long-term threat. Data loss will impede the operational recovery process, and, of course, increasingly strict data-protection legislation has to be complied with.
South Africa's Protection of Personal Information Act, which comes into full force on 1 July 2021, imposes stiff penalties on organisations that do not have effective data-protection initiatives in place.
The King Report on Corporate Governance, South Africa's respected governance framework, also makes the mitigation and management of cyber risk a board responsibility. Principle 12 of King IV says: The governing body should govern technology and information to support the organisation setting and achieving its strategic objectives.
King IV's decision to separate "technology" and "information" is significant and reflects the fact that IT risk is multifaceted and interconnected. There is no doubt that the ability to implement cyber security protocols with data protection offers a much smoother recovery process and will help reduce the time between attack detection and the beginning of a recovery process. Such a two-pronged approach limits the overall impact on critical systems and applications.
Getting it right
Once organisations understand their most critical systems and applications, they are better positioned to develop a realistic and cost-effective plan for mitigating risk and implementing a recovery if a threat materialises. This is particularly important given the impact of COVID-19 on budgets.
On a practical level, the Mitre attack index provides excellent guidelines for IT teams working with critical infrastructures, providing a framework for understanding what steps are needed to recover systems.
Frequent and stringent testing − always essential in any business recovery scenario − will ensure the plans are robust and current and will identify significant weaknesses.
The COVID-19 pandemic has demonstrated just how vulnerable and fragile our societies are and also created a much larger attack landscape for cyber criminals, including those targeting critical sectors. Our reliance on IT and telecommunication networks have now been greatly accelerated, which in turn means that successful attacks on certain critical sectors can cause massive damage to economies, how we live our lives and even cause loss of life.
More than ever, IT and security professionals working in these critical sectors must ensure they have the best training, information and tools at their disposal to ensure they are well-positioned to understand the shifting risk landscape, develop effective plans of action − and keep them up to date.
In my next article, I will reveal initiatives you can take to protect data against disaster in the cloud.
Share