Protecting critical infrastructure from a cyber pandemic

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jeremy Kaye, Head, Executive Briefing Center, Check Point Software Technologies, Mitch Muro, IoT Security Product Marketing Manager, Check Point Software Technologies & Katerina Megas, Program Manager for Cyber Security for IoT, National Institute of Standards and Technology (NIST)

  • Cyber-attacks on infrastructure services are on the rise, most recently the Colonial Pipeline hack in the US and the public health service attack in Ireland.
  • Hackers are exploiting the use of Internet of Things (IoT) which creates millions of new vulnerability points in critical infrastructure.
  • We need the public and private sectors to build greater consensus on IoT security standards and build trust in security across critical infrastructure.

We are in the midst of a “cyber pandemic”. In 2020, COVID-19 accelerated a transition towards remote working and the software being used for these attacks has become easier to execute, ransomware attacks have risen rapidly and continue to accelerate in 2021:

  • Attacks in the US alone have increased 300% in the past nine months.
  • More than 60% of ransomware attacks target industries with critical infrastructure, led by healthcare, utilities, and manufacturing.
  • US utilities have been attacked 300 times every week with an increase of 50% in just two months.

A prime target for cybercriminals has been the Operational Technology (OT) networks which interconnect the Industrial Control Systems (ICS) that manage our critical infrastructure. As services like power grids, water treatment facilities, transport and healthcare systems increasingly integrate their operational technology systems with the internet of things – for example through remote sensors and monitoring – this creates a new frontier of risks where millions more vulnerability points and new vectors can be exploited by hackers.

These attacks have huge implications not only on businesses but also on communities, cities, states, and entire countries. The consequences can be dire. In April 2020, hackers targeted Israel’s water treatment facilities through their IoT system, which gave attackers the ability to change the water pressure, temperature, and chlorine levels of the water. If the attack had fully succeeded, this could have led to whole communities becoming sick from the water supply or triggering a failsafe which would have left thousands of people without water entirely.

How are hackers exploiting IoT systems?

IoT devices and connected systems can be a large security risk for critical infrastructure services when security best practices are not implemented, as they come with a few intrinsic flaws:

  • Lack of standardization in cybersecurity practices across the supply chain leads to greater exposure.
  • Vulnerable security protocols and designs, including weak passwords and patching practices.
  • Obsolete and unsupported architecture, firmware and software.
  • Attack surface that increases with the number of connected devices.

As a result, there are a number of ways for hackers to exploit these devices and either perpetrate attacks on bigger targets or move laterally to harm mission-critical systems and steal information of customers and employees, intellectual property, or other sensitive assets.

A new “botnet” attack called Mozi has been extremely active in the past 18 months, accounting for 90% of total IoT attacks in 2020 and controlling nearly 500,000 connected devices. Each compromised device is instructed to find more devices to infect, which enables cyber criminals to gain control over entire networks and its data and hold it for ransom. Cybersecurity

What is the Forum doing to avert a cyber pandemic?

Next-generation technologies such as AI, ubiquitous connectivity and quantum computing have the potential to generate new risks for the world, and at this stage, their full impact is not well understood.

There is an urgent need for collective action, policy intervention and improved accountability for government and business in order to avert a potential cyber pandemic.

The Forum’s Centre for Cybersecurity launched the Future Series: Cybercrime 2025 initiative to identify what approaches are required to manage cyber risks in the face of the major technology trends taking place in the near future.

Find out more on how the Forum is leading over 150 global experts from business, government and research institutions, and how to get involved, in our impact story.

In March 2021, Silicon Valley start-up Verkada suffered a massive IoT cyber-attack. The hackers were able to obtain administrative privileges to a large number of security surveillance cameras, meaning they could execute their own malicious code on the devices.

Once a hacker can breach a networked device, they can then use the device as a launching point for attacks laterally, exposing systems that are critical to operations. As industries further integrate IT and OT networks to gain new insights, these devices pose an even greater danger for operations that rely on industrial control systems. Without a greater push for security that addresses these connected devices, we are likely to continue seeing more attacks that target critical infrastructure industries.

What is being done at a national and global scale?

Critical infrastructure remains largely private-owned and will require a coordinated effort between the public and private sectors to deter ransomware and IoT threats. To address gaps in security protocols and standards within critical industries, governments are taking it upon themselves to introduce and expand on existing cyber security policies for IoT devices.

The European Union Agency for Cybersecurity (ENISA) published guidelines on security IoT supply chains in 2020 and is now developing specific security measures for IoT operators and critical infrastructure industries. Meanwhile, the IoT Cyber Security Improvement Act was enacted in late 2020, which requires US public sector users of IoT, including those used in critical infrastructure, to extend robust cyber defenses to their IoT deployments.

The standard for this has been developed by the National Institute for Standards in Technology (NIST), who has been central in developing approaches for improving cyber security across the US for several years. NIST has developed a number of guidance documents in consultation with stakeholders in government, industry and the private sector, and in coordination with other nations’ international standardization efforts. Given the size of the US government as a customer, the NIST standards adopted for the public sector could also act as a broader de-facto industry standard for all types of IoT devices in the US and beyond.

Looking beyond the IoT Cybersecurity Improvement Act which focuses on the US Federal Government market, Public Law 116-283 which passed at the end of 2020 called for an IoT Steering Committee made up of private sector stakeholders to advise a US Federal government-wide interagency group. The Steering Committee and Federal Working Group are tasked to identify the benefits of IoT, improve IoT regulation and remove barriers to adoption. In a parallel effort, the President’s May 2021 Executive Order on cybersecurity calls for the piloting of a labelling programme for consumer IoT products that identifies how they meet cybersecurity criteria, which will be operational by February 2022.

These efforts to establish security requirements for IoT devices goes beyond federal agencies and contractors to address the need for security in critical infrastructure. Industries that are most exposed to these attacks seek uniformity and efficiency, and thus look to these laws and policies as guidelines to adopt baseline security requirements.

What can the public and private sector do?

As cyberattacks rise in critical industries, governments and the private sectors have a shared responsibility to protect these systems. Adopters of IoT devices can work alongside policy-makers and cybersecurity suppliers to build greater consensus on IoT security standards while also developing trust in security across critical infrastructure.

1) Establish a consistent approach on IoT security globally by:

  • Agreeing on a common global baseline standard on IoT security (differentiating consumer and industrial devices).
  • Promoting shared security principles from industry alliances such as the Cyber Tech Accord, Charter of Trust or Paris Call for Trust and Security.
  • Aligning regulations and baseline device security certification mechanisms.
  • Developing common principles for digital security and international norms.
  • Focus not only on the suppliers but also the consumers of IoT technology.

2) Building trust through better transparency and international cooperation:

  • Clarifying the responsibility model across the supply and value chain.
  • Fostering cross-sector and international collaboration.
  • Promoting the use of international information-sharing frameworks and assurance best practices.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

African cooperation on peace ‘increasingly strong’, Security Council told

4 ways Africa can prepare its youth for the digital economy

Mobile technology saving lives: Changing healthcare systems with simple technology solutions

A Sting Exclusive: “Technology for all, development for all: the role of ITU”, written by the Secretary General of the United Nations Agency

The historical performance of women in human health

Mental health in times of a pandemic: what can each individual do to lessen the burden?

Why the way of loving closes doors of health?

MEPs agree on future regional and cohesion funding

Sakharov Prize 2021: Parliament to announce candidates

‘More time’ agreed for buffer zone, to spare three million Syrian civilians in Idlib

Lockdown is the world’s biggest psychological experiment – and we will pay the price

5 ways cities can use emerging technologies to fight climate change

COVID-19: Commission steps up research funding and selects 17 projects in vaccine development, treatment and diagnostics

Coronavirus: new procedure to facilitate and speed up approval of adapted vaccines against COVID-19 variants

These are the most innovative cities in the world

How COVID-19 revealed 3 critical AI procurement blindspots that could put lives at risk

Indonesian tsunami death toll climbs over 400 as Government-led relief efforts are stepped up

Coronavirus: Macro-financial assistance agreement provides for €80 million disbursement to North Macedonia

Digital Finance Package: Commission sets out new, ambitious approach to encourage responsible innovation to benefit consumers and businesses

Should trade continue to be global after the pandemic?

UN chief applauds Bangladesh for ‘opening borders’ to Rohingya refugees in need

The European Commission and Austria secure COVID-19 vaccines for the Western Balkans

Violent disorder is on the rise. Is inequality to blame?

Storms and snow in Lebanon worsen plight for Syrian refugees

Ditching plastic straws isn’t enough. Here’s how to achieve zero waste.

A call for a new crop of innovators

Planet’s Health is Our Health and the Reverse is True

NextGenerationEU: European Commission disburses €24.9 billion in pre-financing to Italy

EU Digital COVID Certificate enters into application in the EU

EU to pay a dear price if the next crisis catches Eurozone stagnant and deflationary; dire statistics from Eurostat

The results of Finland’s basic income experiment are in. Is it working?

Growing a new coral reef in a fraction of the time with a fragment of the coral

EU elections update: Can the EU voters vote unaffected from fake news and online disinformation?

This plastic-free bag dissolves in water

Canada has high levels of well-being and solid growth but trade tensions and housing market pose risks while inclusiveness could be improved

Global leaders adopt agenda to overcome COVID-19 crisis and avoid future pandemics

Safer roads: More life-saving technology to be mandatory in vehicles

The cuts on 2014 Budget will divide deeply the EU

FROM THE FIELD: Weather reports come to aid of Uganda’s farmers

EU leaders let tax-evaders untouched

What does reimagining our energy system look like?

Unprecedented humanitarian crisis in Mali revealed in new report

UN Envoy urges Burundi leaders to ‘seize opportunities for national unity and peace’

Tuesday’s Daily Brief: funding for Palestine refugees, families today, tech surveillance

Meeting the crypto regulatory challenge

Business models inspired by nature are the future

Business is a crucial partner in solving the mental health challenge

3 important lessons from 20 years of working with social entrepreneurs

3 ways to ensure the internet’s future is creative, collaborative and fair

UN must bring more women police officers into the fold to be effective – UN peacekeeping official

Getting vaccinated should just be considered a human right?

It’s time for the circular economy to go global – and you can help

Prospect of lasting peace ‘fading by the day’ in Gaza and West Bank, senior UN envoy warns

Does the “climate change” require ombudsman services for environment?

Not a single child spared the ‘mind-boggling violence’ of Yemen’s war

Stakeholder capitalism is urgently needed – and the COVID-19 crisis shows us why

Here’s how we get businesses to harmonize on climate change

Climate change and health: a much needed multidisciplinary approach

Desires for national independence in Europe bound by economic realities

Brazil must immediately end threats to independence and capacity of law enforcement to fight corruption

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: