Devastating cyberattacks causing widespread damage to critical infrastructure and disrupting citizens’ lives are no longer the stuff of Hollywood movies.
In September 2020, amid the pandemic, Thailand’s Saraburi Hospital was hit by ransomware. With computer systems stalled, patients were told to bring their own medical records and old medicine packaging when visiting.
A year later, cyber attackers targeted American meatpacking company JBS, forcing its plants in Australia, Canada and the United States to be shut down, disrupting the supply of foodstuff to these countries.
These recent examples have been a stark reminder of the potency of cyberattacks, as well as a warning of the much larger attack surface that malicious actors can target.
In response, many governments in Asia-Pacific have taken steps of late to harden the digital systems used by critical infrastructure.
Australia, for example, has expanded the coverage of critical infrastructure from four sectors – electricity, gas, water and ports – to 11. The new areas include communications, financial services, food and grocery, healthcare, and transport.
Owners and operators of critical infrastructure have new security obligations. They must identify any material risks that may affect the availability, integrity, reliability, and confidentiality of their assets and have appropriate risk mitigations in place to manage those risks.
In Singapore, critical information infrastructure (CII) already includes 11 sectors, such as aviation, banking and finance, and energy. The government is set to redefine what CII is in 2023, possibly including virtual assets such as systems hosted on the cloud. A risk-based approach to protect the infrastructure and services is on the cards.
Singapore’s Cyber Security Agency (CSA) in July also announced a CII Supply Chain Programme to help critical infrastructure operations mitigate supply chain attacks. Through instruments like a toolkit, a certification program, and a learning repository, the programme helps critical infrastructure operators improve the visibility of the cyber supply chain, identify vulnerabilities, exchange knowledge, and shorten incident response time.
Meanwhile, in Japan, there are currently 14 critical infrastructure sectors, which include finance, aviation and water. The government is also set to review its cybersecurity plan this year.
Legislation may be passed to order companies to deal with supply-chain risks, such as data leaks via telecom equipment and cloud computing systems. Businesses could be asked to strengthen risk management, including at affiliates and suppliers.
Bolstering security while digitalising
Across Asia-Pacific, the common theme is a tougher cybersecurity stance for critical infrastructure. Organisations will need to assess their ability to identify, respond to and prevent cyberattacks to meet new regulatory requirements.
If they are lacking in one or more areas, they will need to develop a plan to improve their cyber defence capabilities over time.
The challenge, of course, is that many are also rapidly transforming their operations, by adding more digital features and connections. A connected enterprise is always-on, with users linked up wherever they are. This means the attack surface is constantly growing. This is not helped by the convergence of IT and OT (operational technology) infrastructure.
The fallout from a hack
Unfortunately, being hit by a cyberattack is often just the start of one’s troubles. Despite paying the ransom to unlock one’s files or closing known loopholes, the exposed data from an attack can make the victim more susceptible to further attacks.
Attackers can create an accurate picture of the target’s culture, plans, and operations and craft more attacks. Leaked documentation, such as network and engineering diagrams, and images of operator panels, could let malicious hackers identify paths of least resistance and even engineer cyber-physical hybrid attacks.
The biggest challenges today are the breadth of different assets that need to be protected, and the range of strategies and tactics that bad actors can use to compromise these assets. To counter this, a defence-in-depth strategy is vital.
Steps to critical infrastructure security
Here are actions governments and operators of critical infrastructure can take for protection:
- Compromised data: The perimeter and endpoint security of the past is insufficient to prevent data from being exfiltrated, as supply chain attacks have demonstrated. Security teams also need to scan their data stores regularly for vulnerabilities or misconfigurations, while database activity monitoring and cloud data security are essential tools for visibility into the access of sensitive data and potential security incidents in real time.
- Malware/ransomware: Malware can be used for a range of objectives, from stealing information to defacing or altering web content, to damaging a computing system permanently. Organisations need to invest in the application and data security for multi-layered protection.
- DDoS attacks: With high-volume attacks now the norm, organisations should ensure they have robust DDoS protection in place. This means working with vendors dedicated to ongoing security research and round-the-clock monitoring of new attack vectors.
- Supply chain and zero-day attacks: Recent attacks have demonstrated how bad actors can stealthily access a target by exploiting vulnerabilities in suppliers’ software connections. Organisations need a threat model that covers all parts of the supply chain, including Nth-party code. Using tools such as client-side protection (CSP) to identify JavaScript vulnerabilities, security teams can better discover and mitigate security risks.
- Digital transformation: The pace of innovation is happening so quickly that many DevOps and security teams struggle to embed good security practices without slowing down delivery considerably. To overcome this, security teams must make development teams partners in the creation and execution of their security strategy.
Only with such a multi-prong approach can critical infrastructure operators hope to thwart increasingly sophisticated threat actors and safeguard the lives and livelihoods of their citizens.
