Editor's Choice

Cybersecurity for operational technology: Part 5: Cybersecurity threats to critical information infrastructure.

January 2022 Editor's Choice

People, or nations, with bad intent no longer need to launch attacks in the physical world. Cyberspace has become weaponised: cyberwarfare is an extension of policy by actions taken in cyberspace by state actors (or by non-state actors with significant state direction or support) that constitute a serious threat to another state's security (1) or critical information infrastructure (CII).

CII describes infrastructure that is essential to the functioning of a country’s society and economy(2). Local examples include energy (Eskom), government (SARS, judiciary), police and defence (SAPS, SANDF, NPA, SSA), transportation (Prasa, Transnet), water and sanitation, critical manufacturing, financial services, emergency services, health services and communications.

Dependency on IT and OT

CII is heavily dependent on IT and OT systems to run and manage real world physical processes. These include electrical, mechanical, hydraulic, pneumatic, robotic, and autonomous systems. Equipment can be vulnerable to inertial attacks that accelerate moving parts beyond their safe limits, or resonance attacks that create damaging standing waves. Control valves can be manipulated to funnel fluids to a vulnerable point, resulting in a hydraulic shock known as a water hammer.

Recent research indicates that 83% of organisations that provide CII suffered breaches in the last three years. This is a result of challenges that are involved to secure OT due to network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors know this and can take advantage of these vulnerabilities which can put public health, safety, and economies at risk(3).

The Biden Administration issued an executive order in May 2021 to address cybersecurity concerns related to the USA’s C.\II. It refers to OT as ‘the vital machinery that ensures our safety’(4).

Recent events have highlighted the vulnerabilities in South Africa’s CII. We have seen successful attacks on Transnet and the judiciary with devastating effects on a national scale(5).

The weapon of choice in both these cases was ransomware. What is concerning is how easily it happened. Basic Internet scans easily reveal insecure websites. As per Andy Jenkinson: a non-secure website means the site cannot be authenticated, lacks data integrity and all data in flight is unencrypted, i.e., plain text. Such situations are cannon fodder for cybercriminals to gain unbridled access to plain text data. Further insight is available in Andy’s book: Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare(6).

A cyber breach is highly probable, if basic defences are not in place and threat actors with the right resources decide to target an organisation. The same amount of effort (if not more) that is put into physical security, needs to be expended for cybersecurity defences.

The problem is exacerbated by a global skills shortage. A recent article from ISO.ORG indicated that there are 3,5 million vacant cybersecurity jobs globally. This shortage of skills has a significant impact on public and private organisations and their ability to protect themselves(7).

A sea change is needed if we want to meet the rising tide of cyber risks and adequately secure South Africa’s CII.

The finance sector is well ahead of the game and setting a great example. According to Wolfpack: “The protection of CII is the shared responsibility of both public and private organisations who develop, own, provide, manage and/or use this critical infrastructure.

South Africa needs to adopt a framework to minimise the likelihood and impact of successful cyber-attacks against our country. Increased resilience should be ensured through a specific, structured sequence of procedures, to aid recovery to its CII.

Threat management

Wolfpack have developed a high-level threat management approach. This is based on threat intelligence and incident management activities, it defines four continuous functions – prevent, detect, respond, and recover. In effect, it describes the continuous cycle of business processes that constitute effective cybersecurity management(8).

This approach would include educating stakeholders about the risks and what needs to be done. Local capacity needs to be developed. Independent assessments of all Internet facing CII infrastructure can be conducted using non-invasive digital certificate scans. Excellent guidance is available from the cybersecurity and infrastructure security agency(9).


1 Wikipedia, Cyberwarfare, https://en.wikipedia.org/wiki/Cyberwarfare

2 Wikipedia, Critical infrastructure, https://en.wikipedia.org/wiki/Critical_infrastructure

3 Skybox Security, 2021, https://www.skyboxsecurity.com/news/operational-technology-cybersecurity-research-2021/

4 The White House, Executive Order on Improving the Nation’s Cybersecurity, 2021 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

5Business Day, Justice department IT system targeted in ransomware attack, 2021 https://www.businesslive.co.za/bd/national/2021-09-09-justice-department-it-system-targeted-in-ransomware-attack

6 https://www.amazon.com/Stuxnet-Sunburst-Digital-Exploitation-Warfare-ebook/dp/B09DT8YVFF

7 ISO.ORG, 2021, THE CYBERSECURITY SKILLS GAP https://www.iso.org/news/ref2655.html

8 Wolfpack, 2016, Critical Information Infrastructure Protection Report Wolfpack 2016, https://store.alertafrica.com/ciip_full_report_final.pdf

9 https://www.cisa.gov/critical-infrastructure-sectors

About Bryan Baxter

Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, bryan@wolfpackrisk.com, www.wolfpackrisk.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Is your manufacturing plant ready for IoT?
Editor's Choice Fieldbus & Industrial Networking IT in Manufacturing
Pockets of IoT exist in manufacturing plants today; the challenge is to fully digitalise the entire plant.

Control loop: Case History 182 - A temperature cascade control loop that didn’t work
Michael Brown Control Engineering Editor's Choice System Integration & Control Systems Design
The problems encountered in a heater outlet temperature control in a petrochemical refinery were causing considerable difficulties for the operators. Here is another wonderful example of the power of cascade control, even with a really bad control element.

Five reasons for force measurement
WIKA Instruments Editor's Choice Maintenance, Test & Measurement, Calibration
Wika takes a closer look at the measured variable of force and gives five reasons to show why force measurement is of particular importance.

100 years of Anton Paar
Editor's Choice News
The company's success story began in1922, when Anton Paar founded his machine shop. For 100 years Anton Paar has combined high precision technology with scientific curiosity and a thirst for research. This has made the company a world market leader in the fields of density and concentration measurement, rheometry and CO2 measurement.

Compact drive technology mobilises high-tech CT scanner
Beckhoff Automation Editor's Choice Motion Control & Drives
PC- and EtherCAT-based technology from Beckhoff delivers the desired viewing angles and mm-precise alignment of the X-ray source to the patient.

Water and wastewater treatment in the digital age
Endress+Hauser South Africa Editor's Choice Analytical Instrumentation & Environmental Monitoring
In these testing times of declining water security, IoT technology has been proven to boost operational efficiency and inform smart investment decisions.

Grist for the mill
Turck Banner Editor's Choice Sensors & Transducers
To meet the requirements of Swiss company Bühler with regard to its MHSA grain huller, Turck certified its contactless Li linear position sensor for use in the Ex area. Thanks to its contactless operating principle, the robust sensors are both maintenance-free and wear-free. They offer an impressive performance due to their optimum reproducibility, resolution and linearity over a large temperature range.

Impact of innovative technologies on the mining industry
Parker Hannifin - Sales Company South Africa Editor's Choice IT in Manufacturing
Mining operations must identify creative ways to handle the increased demand for minerals and resources as global economies become even more reliant on mineral sales. As a result, mine operators must ...

Loop Signatures 11: Digital controllers – Part 3: The P term.
Michael Brown Control Engineering Editor's Choice
In the real world of industrial process control, P-only control should be used only on processes that are tuned with a large P gain value.

Proper TCP/IP networking is a fight you can’t afford to lose
Editor's Choice
The modern-day TCP/IP network can and should be viewed as the nervous system of an industrial or utility application and should be treated with the same importance and respect.