Editor's Choice


Cybersecurity for operational technology: Part 5: Cybersecurity threats to critical information infrastructure.

January 2022 Editor's Choice

People, or nations, with bad intent no longer need to launch attacks in the physical world. Cyberspace has become weaponised: cyberwarfare is an extension of policy by actions taken in cyberspace by state actors (or by non-state actors with significant state direction or support) that constitute a serious threat to another state's security (1) or critical information infrastructure (CII).

CII describes infrastructure that is essential to the functioning of a country’s society and economy(2). Local examples include energy (Eskom), government (SARS, judiciary), police and defence (SAPS, SANDF, NPA, SSA), transportation (Prasa, Transnet), water and sanitation, critical manufacturing, financial services, emergency services, health services and communications.

Dependency on IT and OT

CII is heavily dependent on IT and OT systems to run and manage real world physical processes. These include electrical, mechanical, hydraulic, pneumatic, robotic, and autonomous systems. Equipment can be vulnerable to inertial attacks that accelerate moving parts beyond their safe limits, or resonance attacks that create damaging standing waves. Control valves can be manipulated to funnel fluids to a vulnerable point, resulting in a hydraulic shock known as a water hammer.

Recent research indicates that 83% of organisations that provide CII suffered breaches in the last three years. This is a result of challenges that are involved to secure OT due to network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors know this and can take advantage of these vulnerabilities which can put public health, safety, and economies at risk(3).

The Biden Administration issued an executive order in May 2021 to address cybersecurity concerns related to the USA’s C.\II. It refers to OT as ‘the vital machinery that ensures our safety’(4).

Recent events have highlighted the vulnerabilities in South Africa’s CII. We have seen successful attacks on Transnet and the judiciary with devastating effects on a national scale(5).

The weapon of choice in both these cases was ransomware. What is concerning is how easily it happened. Basic Internet scans easily reveal insecure websites. As per Andy Jenkinson: a non-secure website means the site cannot be authenticated, lacks data integrity and all data in flight is unencrypted, i.e., plain text. Such situations are cannon fodder for cybercriminals to gain unbridled access to plain text data. Further insight is available in Andy’s book: Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare(6).

A cyber breach is highly probable, if basic defences are not in place and threat actors with the right resources decide to target an organisation. The same amount of effort (if not more) that is put into physical security, needs to be expended for cybersecurity defences.

The problem is exacerbated by a global skills shortage. A recent article from ISO.ORG indicated that there are 3,5 million vacant cybersecurity jobs globally. This shortage of skills has a significant impact on public and private organisations and their ability to protect themselves(7).

A sea change is needed if we want to meet the rising tide of cyber risks and adequately secure South Africa’s CII.

The finance sector is well ahead of the game and setting a great example. According to Wolfpack: “The protection of CII is the shared responsibility of both public and private organisations who develop, own, provide, manage and/or use this critical infrastructure.

South Africa needs to adopt a framework to minimise the likelihood and impact of successful cyber-attacks against our country. Increased resilience should be ensured through a specific, structured sequence of procedures, to aid recovery to its CII.

Threat management

Wolfpack have developed a high-level threat management approach. This is based on threat intelligence and incident management activities, it defines four continuous functions – prevent, detect, respond, and recover. In effect, it describes the continuous cycle of business processes that constitute effective cybersecurity management(8).

This approach would include educating stakeholders about the risks and what needs to be done. Local capacity needs to be developed. Independent assessments of all Internet facing CII infrastructure can be conducted using non-invasive digital certificate scans. Excellent guidance is available from the cybersecurity and infrastructure security agency(9).

References:

1 Wikipedia, Cyberwarfare, https://en.wikipedia.org/wiki/Cyberwarfare

2 Wikipedia, Critical infrastructure, https://en.wikipedia.org/wiki/Critical_infrastructure

3 Skybox Security, 2021, https://www.skyboxsecurity.com/news/operational-technology-cybersecurity-research-2021/

4 The White House, Executive Order on Improving the Nation’s Cybersecurity, 2021 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

5Business Day, Justice department IT system targeted in ransomware attack, 2021 https://www.businesslive.co.za/bd/national/2021-09-09-justice-department-it-system-targeted-in-ransomware-attack

6 https://www.amazon.com/Stuxnet-Sunburst-Digital-Exploitation-Warfare-ebook/dp/B09DT8YVFF

7 ISO.ORG, 2021, THE CYBERSECURITY SKILLS GAP https://www.iso.org/news/ref2655.html

8 Wolfpack, 2016, Critical Information Infrastructure Protection Report Wolfpack 2016, https://store.alertafrica.com/ciip_full_report_final.pdf

9 https://www.cisa.gov/critical-infrastructure-sectors


About Bryan Baxter


Bryan Baxter.

Bryan Baxter has been in the IT Industry since 1992 in various roles before recently joining Wolfpack Information Risk. He has helped customers successfully manage and deliver IT infrastructures to around 7000 users in several countries, where, of course, the recurring theme has been keeping customers secure from cybersecurity threats. For more information contact Bryan Baxter, Wolfpack Information Risk, +27 82 568 7291, [email protected], www.wolfpackrisk.com




Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

STEMulator – a gift to the youth of the nation
Editor's Choice News
STEMulator is a groundbreaking virtual platform designed to ignite the spark of curiosity in young minds and stimulate their interest in STEM subjects.

Read more...
Innovate, accelerate, dominate
Festo South Africa Editor's Choice Pneumatics & Hydraulics
Festo’s latest innovations, revealed through the Ramp Up Campaign, offer a blueprint for performance excellence, using the anatomy of a race car as an analogy to simplify and powerfully communicate how their technologies address industry challenges.

Read more...
Case History 198: Cascade control overcomes valve problems.
Editor's Choice Flow Measurement & Control
There are many processes where it is undesirable for the load to suddenly change quickly, for example in the paper industry. Examples of level control have involved reasonably fast tuning. An example of a level loop tuned this way and responding to a step change in setpoint is given.

Read more...
Advanced telemetry solutions
Editor's Choice Industrial Wireless
Namibia is one of the driest countries in sub-Saharan Africa, with an average annual rainfall below 250 mm. To address this challenge, the Namibia Water Corporation has employed one of southern Africa’s most powerful and well-proven telemetry solutions, designed and manufactured by SSE/Interlynx-SA.

Read more...
Navigating the future of intralogistics
LAPP Southern Africa Editor's Choice
In the rapidly evolving landscape of global markets, the demand for agility, efficiency and scalability in intralogistics has never been more critical. At LAPP Southern Africa, we stand at the forefront of this transformation, offering cutting-edge connection solutions tailored to the dynamic needs of intralogistics.

Read more...
Cutting-edge robotics and smart manufacturing solutions
Yaskawa Southern Africa Editor's Choice
Yaskawa Southern Africa made a compelling impact at this year’s Africa Automation and Technology Fair.

Read more...
A cure for measurement headaches in contract manufacturing
VEGA Controls SA Editor's Choice
A contract manufacturing organisation provides support to pharmaceutical and biotechnology companies in the manufacturing of medications, formulations and substances. VEGA’s measurement solutions offer accuracy and reliability for monitoring levels and pressures during the manufacturing process.

Read more...
PC-based control for a food capsule and pod packaging machine
Beckhoff Automation Editor's Choice
For TME, a machine builder specialising in the packaging of powdered foods, Beckhoff’s PC-based control technology offers unlimited opportunities when it comes to performance and innovative capacity in terms of flexibility, scalability and openness.

Read more...
Simple and efficient level measurement in the mining, minerals and metals industries
Endress+Hauser South Africa Editor's Choice Level Measurement & Control
Measuring devices in the mining, minerals and metals industries face the challenge of varying material states and long distances in measurement height. Endress+Hauser’s answer to these challenges is the new Micropilot family.

Read more...
PC-based control for fertiliser
Beckhoff Automation Editor's Choice Fieldbus & Industrial Networking
On a farm in the USA, valuable ammonia is extracted from slurry and processed into ammonium sulphate. NSI Byosis has transformed this complex process into a flexible modular system. This modular approach requires an automation solution with flexible scalability in both hardware and software, which this Dutch company has found in PC-based control from Beckhoff.

Read more...









While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd | All Rights Reserved