How to build a security strategy for critical infrastructures

End-to-end protection of a critical infrastructure must be based on three pillars: people, processes, and technology

By Rafael Cividanes

Critical infrastructures have become one of the favorite targets for cybercriminals. This argument can be corroborated by the increase in the volume of attacks, especially since 2019/2020, on companies that provide essential services such as electricity, telecommunications, water and supply, gas, ports, airports, and even nuclear energy.

Disruptions in these types of systems can have devastating consequences. That’s why they are called critical infrastructure.

In the last 18 months, for example, five electric utilities in Brazil were victims of a series of cyberattacks that affected the operation of their information technology systems. Although they did not paralyze power supplies, those incidents are proof of these infrastructures’ vulnerabilities.

But anyone who thinks that this fragility is exclusive to energy companies is wrong. Even sectors with a high level of cybersecurity maturity are still susceptible to attacks and need to constantly update their protections. The financial sector, for example, is the industry that invests the most invests in technology and security in the country.

So imagine the risks that companies in the energy sector are exposed to, which, despite having made substantial investments in cybersecurity in recent years, are still quite vulnerable when compared to organizations in more advanced sectors.

What happens is that when a company in a specific sector is attacked, as was the energy utility sector, it is very common that other companies in the same segment are also attacked. This is because the technologies, including the protection mechanisms they use, tend to be similar.

Therefore, if the hacker succeeds in finding security flaws in one company, there is a high probability of having success in attacking other companies of the same sector.  

The fact is, regardless of the degree of maturity of each company, it is necessary to keep in mind that cyber threats to critical infrastructures involve many interrelated factors. First, it must be recognized that many of the most critical systems are extremely complex.

This complexity is rapidly increasing as the number of devices and connections to those systems continues to grow as a result of digital transformation initiatives. Next,  it should be taken into account that many of these systems involve a combination of outdated and insecure legacy systems and new technologies.

These new technologies integrate features such as advanced analytics and automation. However, they are sometimes connected and used insecurely. 

In addition to these issues, there is an additional challenge for critical infrastructure security caused by the convergence of operational technology (OT) networks— composed of systems that control operational or manufacturing processes—and IT networks.

While this integration enables new, more agile business models, it also brings new risks, as OT environments are inherently more insecure than IT infrastructures, due to the very technologies they use. IT networks have the advantage of having been secured at least a decade earlier.

Therefore, they are more resilient. Another factor is that today it is increasingly difficult to segregate OT networks. That is, the more interconnected the OT and IT networks, the larger the so-called attack surface.

In these scenarios, it is essential for any company that operates a critical infrastructure to execute a very well-structured security policy, based on three complementary pillars: people, processes, and technologies.

As they are always the weakest link in the protection structure, employees need to be guided to correctly follow the security policy, while the processes must be very well defined and oriented towards the best information security practices.

Last, but not least, is technology. Multi-factor authentication, for example, is one of the security controls that critical infrastructure organizations can implement to improve their cybersecurity situation. Another would be to continually monitor the attack surface for vulnerabilities.

There are tools designed to do this in a non-invasively way to help identify vulnerabilities proactively that an attacker could exploit. Just as essential as these features are encryption. Many critical installations have adopted a Hardware Security Module (HSM) to create a maximum isolation layer for the servers of the critical main system. Thus, the HSM performs dedicated processing of encryption functions and provides physical and logical protection.

In short, protecting critical information systems and networks is a worldwide challenge. To face it, in addition to adopting effective processes and solutions, the company must have reliable technological partners. When technology has a well-structured base, cybersecurity becomes more consistent.

Source: Kryptus

Kryptus e ITI: Parceria arrojada na inovação da ICP-Brasil

ITI adota nova plataforma da Kryptus para a rede de Carimbo do Tempo

Carimbo do Tempo: documento eletrônico com validade jurídica