How can cyberattacks affect critical infrastructure organisations?

24 May 2024


We spoke to Red Hat’s Christopher Jenkins about the importance of cybersecurity in critical national infrastructure organisations.


Across the cyberthreat landscape, some notable trends are gaining traction. Cyberattacks are becoming increasingly prevalent across every sector and are continuously growing in sophistication, sometimes aided by contemporary disruptive tech such as generative AI and quantum computing.

While everyone should be somewhat cybersecurity conscious nowadays, whether their online activity is professional or personal, these considerations are all the more vital for organisations in the critical national infrastructure (CNI) space.

CNI refers to systems and facilities that are considered important or necessary for the functioning of a society, such as water, energy and gas suppliers. According to Christopher Jenkins, principal chief architect at Red Hat, cyberattacks can inflict considerable damage on these organisations.

“In today’s interconnected and digital world, attacks on a single CNI organisation have the potential to affect their partners and potentially end users,” says Jenkins. He gives the example of a vulnerability in a widely used software supply chain, which could increase the attack surface through “compounded use of the same software”.

“Some CNI organisations such as gas and electricity providers provide their customers with IoT or small-form devices, which they can use to monitor their energy consumption,” he explains. “Introducing a vulnerable component into one of these devices could open up access to the devices to malicious actors.

“As well as the potential technical damage to these devices, the organisation could suffer damage to their brand and regulatory fines where these apply.”

Malicious tactics

According to Jenkins, a number of factors can affect the security posture of CNI organisations, such as a lack of awareness of the potential security risks they might face, or an underestimation of the importance of maintaining a strong security mindset. “As technology evolves, so do security threats,” he says.

“Keeping up with the latest security trends and implementing appropriate measures can be challenging, especially for CNI organisations with complex technology infrastructure.”

He says there are a number of tactics used by cybercriminals when targeting CNI organisations, such as the acquisition of sensitive CNI data, which could be used to disrupt services. Threat actors may use attack methods like malware, phishing or social media exploits to access such data.

“Once they have exfiltrated the data, they could then run a ransomware operation to extort money from the CNI organisation to return the data and/or sell it on to another third party for malicious purposes.”

When it comes to rising threat trends, he says that the increasing interconnectivity of operational technology (OT) and IoT devices, as well as the introduction of AI, machine learning and 5G tech, can expand the threat landscape for CNI organisations, leading to more avenues for service disruption.

“A lot of CNI organisations are starting to adopt AI in some way or another,” he says. “At the same time, bad actors are also starting to use AI techniques and are looking for technological vulnerabilities and the potential for AI to be hacked or manipulated.”

According to Jenkins, the fronts from which bad actors can attack AI systems include searching public sources, such as cloud storage, public-facing services and software or data repositories, to identify “machine learning artefacts”.

“Once they have access to this data, they can start to run attacks such as data poisoning, prompt injection and taking advantage of AI hallucinations.”

These CNI cyberthreats are not exclusive to independent cybercriminals either, as Jenkins notes a rise in nation-state cyberwarfare tactics that target critical infrastructure.

CNI defences

Pitfalls and threats aside, how can a CNI organisation improve its security posture? Jenkins says that along with establishing good “cyber hygiene” in the workforce, some effective strategies include internal security awareness training, the implementation of threat detection and proactive risk management, as well as taking security considerations into account when integrating new technologies.

“At the onset of any new technological journey, organisations should engage with their vendors and partners to ensure that security is at the forefront of any potential solution,” he says. “Providing vendors with documentation and clarification around security controls and requirements should help ensure a solid and secure architectural design on which to build, run and monitor their environments.”

Referring specifically to AI and machine learning integration, he says that CNI organisations should “take into account controls such as secure API access, authentication and authorisation, secure data management and network segmentation”.

A common practice of CNI organisations is the use of hardware on customer premises, such as smart metering for energy companies. Jenkins says these devices could potentially be used to create a distributed denial-of-service (DDoS) attack on the provider, which could result in incorrect billing data, system delays or, “at the severest level”, the potential for large-scale power outages.

“To ensure that the devices are as secure as possible, companies should have additional physical controls in place to ensure that the device can’t be used for nefarious or malicious purposes,” he advises. “Using tamper evident seals and removing any external connectors (USB etc) is a good start to ensure that people are not able to access the physical device but additional software controls can also be used.

“All communications should be encrypted in transit using modern encryption techniques and also any data at rest within the device should also be encrypted.”

Future challenges and opportunities

As for the future, Jenkins has some predictions for the CNI threat landscape, including AI’s impact as a potential security challenge, but also its potential benefit.

“For CNI organisations in the transportation industry, AI could enhance public transportation operations by dynamically adjusting service frequencies based on demand and to rapidly identify any accidents or incidents,” says Jenkins.

“For nuclear communications and other sectors which can operate in a hostile environment, having AI at the edge could benefit operations through the use of localised compute and storage without the need for expensive communications backhaul of large amounts of data.”

Something to watch out for, says Jenkins, is the increasing complexity of global supply chains, which can open up vulnerabilities and flaws in software.

“Disruptions in the supply chain can have cascading effects on critical infrastructure, so management of the software development life cycle is imperative to ensure the secure running of CNI OT and IT.”


Colin Ryan is a copywriter/copyeditor at Silicon Republic
