People, or nations, with bad intent no longer need to launch attacks in the physical world. Cyberspace has become weaponised: cyberwarfare is an extension of policy by actions taken in cyberspace by state actors (or by non-state actors with significant state direction or support) that constitute a serious threat to another state's security (1) or critical information infrastructure (CII).
CII describes infrastructure that is essential to the functioning of a country’s society and economy(2). Local examples include energy (Eskom), government (SARS, judiciary), police and defence (SAPS, SANDF, NPA, SSA), transportation (Prasa, Transnet), water and sanitation, critical manufacturing, financial services, emergency services, health services and communications.
Dependency on IT and OT
CII is heavily dependent on IT and OT systems to run and manage real world physical processes. These include electrical, mechanical, hydraulic, pneumatic, robotic, and autonomous systems. Equipment can be vulnerable to inertial attacks that accelerate moving parts beyond their safe limits, or resonance attacks that create damaging standing waves. Control valves can be manipulated to funnel fluids to a vulnerable point, resulting in a hydraulic shock known as a water hammer.
Recent research indicates that 83% of organisations that provide CII suffered breaches in the last three years. This is a result of challenges that are involved to secure OT due to network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors know this and can take advantage of these vulnerabilities which can put public health, safety, and economies at risk(3).
The Biden Administration issued an executive order in May 2021 to address cybersecurity concerns related to the USA’s C.\II. It refers to OT as ‘the vital machinery that ensures our safety’(4).
Recent events have highlighted the vulnerabilities in South Africa’s CII. We have seen successful attacks on Transnet and the judiciary with devastating effects on a national scale(5).
The weapon of choice in both these cases was ransomware. What is concerning is how easily it happened. Basic Internet scans easily reveal insecure websites. As per Andy Jenkinson: a non-secure website means the site cannot be authenticated, lacks data integrity and all data in flight is unencrypted, i.e., plain text. Such situations are cannon fodder for cybercriminals to gain unbridled access to plain text data. Further insight is available in Andy’s book: Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare(6).
A cyber breach is highly probable, if basic defences are not in place and threat actors with the right resources decide to target an organisation. The same amount of effort (if not more) that is put into physical security, needs to be expended for cybersecurity defences.
The problem is exacerbated by a global skills shortage. A recent article from ISO.ORG indicated that there are 3,5 million vacant cybersecurity jobs globally. This shortage of skills has a significant impact on public and private organisations and their ability to protect themselves(7).
A sea change is needed if we want to meet the rising tide of cyber risks and adequately secure South Africa’s CII.
The finance sector is well ahead of the game and setting a great example. According to Wolfpack: “The protection of CII is the shared responsibility of both public and private organisations who develop, own, provide, manage and/or use this critical infrastructure.
South Africa needs to adopt a framework to minimise the likelihood and impact of successful cyber-attacks against our country. Increased resilience should be ensured through a specific, structured sequence of procedures, to aid recovery to its CII.
Threat management
Wolfpack have developed a high-level threat management approach. This is based on threat intelligence and incident management activities, it defines four continuous functions – prevent, detect, respond, and recover. In effect, it describes the continuous cycle of business processes that constitute effective cybersecurity management(8).
This approach would include educating stakeholders about the risks and what needs to be done. Local capacity needs to be developed. Independent assessments of all Internet facing CII infrastructure can be conducted using non-invasive digital certificate scans. Excellent guidance is available from the cybersecurity and infrastructure security agency(9).
References:
1 Wikipedia, Cyberwarfare, https://en.wikipedia.org/wiki/Cyberwarfare
2 Wikipedia, Critical infrastructure, https://en.wikipedia.org/wiki/Critical_infrastructure
3 Skybox Security, 2021, https://www.skyboxsecurity.com/news/operational-technology-cybersecurity-research-2021/
4 The White House, Executive Order on Improving the Nation’s Cybersecurity, 2021 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
5Business Day, Justice department IT system targeted in ransomware attack, 2021 https://www.businesslive.co.za/bd/national/2021-09-09-justice-department-it-system-targeted-in-ransomware-attack
6 https://www.amazon.com/Stuxnet-Sunburst-Digital-Exploitation-Warfare-ebook/dp/B09DT8YVFF
7 ISO.ORG, 2021, THE CYBERSECURITY SKILLS GAP https://www.iso.org/news/ref2655.html
8 Wolfpack, 2016, Critical Information Infrastructure Protection Report Wolfpack 2016, https://store.alertafrica.com/ciip_full_report_final.pdf
9 https://www.cisa.gov/critical-infrastructure-sectors
About Bryan Baxter
Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk,
© Technews Publishing (Pty) Ltd | All Rights Reserved