Defending SA's critical infrastructure against cyber attacks

Cyber warfare and cyber terrorism have become a major concern for many nations and are considered a significantly higher threat to national security than conventional kinetic warfare.

Warfare today is hybrid, with cyber weapon deployments accompanying missile launches and rolling tanks.

Adversaries or potential adversaries can target a nation's electrical grids, telecommunications, financial services, transportation, healthcare systems and other forms of critical infrastructure (CI).

According to a global survey in Microsoft's 2022 Digital Defence Report, cyber attacks targeting CI comprised 40% of all nation-state attacks.

While a substantial portion of this share was made up of Russian state-sponsored cyber attacks targeting Ukrainian infrastructure in the ongoing Russian-Ukrainian war, some commentators argue that any cyber attack aimed at destroying CI systems is tantamount to a declaration of war.

The impact of these attacks often extends beyond the targeted CI, potentially causing significant collateral damage. Cyber attacks pose a major threat to a country's electrical grid, telecommunications, financial services, transportation and healthcare systems.

Even a minor cyber attack in South Africa could be the final straw to break the back of an already crippled and collapsing power grid.

These acts expose citizens to risks of public health, safety, security and economic development.

There is a crucial need for research and new management frameworks and practices that can aid in understanding the major types of CI threats and by what method they might occur.

Identifying cyber vulnerabilities and threats can help nations to improve their CI defence strategies. Many countries are now identifying threats and mitigation strategies that will enable them to better protect their CI from the attacks of adversaries, or potential adversaries in cyberspace.

President Joe Biden recently enacted the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022), reinforcing the need to improve US-based organisations' and European Union allies' threat modelling and intelligence capability.

Given the increasing volume and diversity of threats targeting CI, spotting trends and quickly sharing intelligence are crucial for hardening and defending South Africa's CI.

Improving the nation's threat modelling and intelligence capability can enhance the safeguarding of CI by developing and strengthening our cyber capabilities and tactics.

Threat modelling is a systematic process for identifying, evaluating and developing countermeasures to protect critical assets from threats and threat actors.

Cyber threat intelligence is a crucial extension of threat modelling. It refers to the process of “acquiring, processing, analysing and disseminating information that identifies, tracks and predicts threats, risks and opportunities inside the cyber domain to offer courses of action that enhance decision-making”.

Many threat models exist − such as STRIDE, DREAD, PASTA, Trike, VAST, Attack Tree, Common Vulnerability Scoring System, T-MAP and OCTAVE − to assist in identifying vulnerabilities and mitigating potential threats facing networks, computers, software products and data. However, these models, for the most part, focus on an organisational level.

More recently, the cyber-physical systems approach has been proposed for threat modelling and analysis of specific CI domains.

However, these approaches tend to emphasise computational and physical components without explicitly integrating the human component into their models, which may be too narrow for the holistic analysis of cyber warfare and cyber terrorism attacks targeting national CI domains.

Our recent research at the University of Pretoria's School of IT at the Department of Informatics finds that a popular way to think about CI cyber security is to view it as a cyber-physical system (CPS).

While CPS is sometimes conflated with the term cyber security, CPS is more encompassing, as it entails all interactions between the cyber and physical environment.

CPS architecture includes digital, analogue and physical components. From an intellectual standpoint, the dominant approach to study CPS is multidisciplinary, but tends to be limited to the computer science and engineering disciplines.

CPS has been valuable to the study of the cyber security of CIs as it considers the dynamic interaction among computers, networking and physical systems domains.

Recent advances in CPS studies now explicitly feature humans and human systems in the so-called human-cyber-physical systems (HCPS).

We propose an HCPS-based approach to frame threat modelling and intelligence of cyber warfare and cyber terrorism attacks that target a nation's CI.

To cater for the CI environment, we employ the term threat intelligence more broadly as the use of sensitising concepts to aid in thinking, learning and disseminating information about cyber security threats in HCPS.

Our recent survey of the literature identifies the different types of cyber warfare and cyber terrorism attacks on CI observed in recent years and classifies each of these attacks according to factors, including method, weapons used, vulnerabilities and targets of each of the attacks.

CI systems most vulnerable to cyber attacks include banking and financial services, transportation systems, water treatment and distribution systems, nuclear power plants, industrial control systems, smart power grids, supervisory control and data acquisition systems, electrical power supply, and hospitals and healthcare.

The major types of cyber war attack weapons or methods of attack are malware, denial of service and distributed denial of service attacks, man-in-the-middle attacks, false data injections and advanced persistent threats.

Two of the CI components that our study identifies as having the highest risk of being targeted by attacks were the electrical power supply infrastructure and related supervisory control and data acquisition system components.

Even a minor cyber attack in South Africa could be the final straw to break the back of an already crippled and collapsing power grid.

Popular attack prevention and damage control tactics that have proven their value include advances in threat intelligence, attack detection mechanisms, anomaly detection, data encryption and cryptographic keys.

Other tactics to address CI threats include creating training environments to address cyber security knowledge gaps, implementing proper security configuration and intrusion detection methods, and using machine learning and artificial intelligence techniques to identify potential cyber attacks.

We believe that developing threat intelligence frameworks drawing from key features of a human-cyber-physical-system is at the frontier of finding new ways to harden a nation's critical infrastructure against acts of cyber warfare and cyber terrorism.

Threat mitigation also requires a high degree of coordination and orchestration between the military, intelligence agencies, government departments, multinational allies, regulators and commercial entities.

We hope this contribution instils a sense of urgency among our readers in these domains to work to strengthen the nation's cyber resilience. 

(Based on research with graduate student and co-author Carla Jacobs.)