Critical infrastructure vulnerabilities, in both the physical and cyber realms, came to light repeatedly in 2024, and many of the resulting incidents left irreparable damage in their wake. When threat actors exploit such weaknesses, the consequences reach far beyond the targeted operator: disrupted global supply chains, interrupted access to food and water, and widespread blackouts.
Many affected organizations have paid large ransoms to prevent or end such disruptions, and those payments in turn fund and encourage further attacks against these systems. It is a cycle that shows no sign of slowing down.
Understanding Threats to Critical Infrastructure
Chaos and mass disruption are not always on the agenda for cybercriminal groups. Some outfits, state-sponsored actors in particular, treat destruction as a means of cyber warfare, but other motivations exist. Less experienced hacking groups may be seeking notoriety and attack critical infrastructure to put their name on the map. More mature outfits have recognized that critical infrastructure houses a great deal of sensitive information that is valuable on several levels; this is where nation-states focus their efforts to obtain military secrets, technological advancements, or other material related to national security. These systems also collect personally identifiable information (PII) and sensitive customer data that can be used for identity theft, fraud, financial gain through dark web marketplace listings, or as leverage for future attacks.
Regardless of the “who” behind these attacks, data security and privacy are often overlooked when considering critical infrastructure security. This article looks at how we can safeguard these systems and the valuable data they hold.
The Ongoing Reminders of Our Fragile Ecosystem
Cyberattacks continue to target and breach critical infrastructure, reminding us both of the fragility of the systems we have in place and of the consequences security incidents can have. Recent, notable incidents include:
- Kyivstar, Ukraine's largest mobile telecom operator. The attack took out cell service for over half of the Ukrainian population, cut internet connectivity for millions of residents, and took the capital's emergency air-raid alert system offline.
- Attacks on U.S. water plants. Rather than one large attack on a single plant, a series of intrusions hit regional facilities across the United States, including in Pennsylvania and Texas. In some cases attackers reached the control systems that manage water pressure and used the operator screens to display political propaganda.
- Danish energy grid. An attack attributed to the Russian state-sponsored group Sandworm exploited vulnerabilities in Zyxel firewall devices to compromise almost two dozen Danish energy companies.
The U.S. FBI has also issued a series of stark warnings that Chinese state hackers are gaining footholds in American critical infrastructure, planting malware in foundational systems such as power and water utilities, communications, and transportation, both to learn how those systems operate and to be positioned to disrupt them in a future conflict. Reported victims include a water utility, a major port, and an oil and gas pipeline. Activity has also concentrated on Hawaii, which hosts a large concentration of U.S. military personnel and equipment.
How Hackers are Infiltrating Right Under Our Noses
For threat actors, it is not always about zero-day exploits, DDoS attacks, or elaborate hacking campaigns. Those make the news, but the intrusion is often much simpler. Cybercriminal groups understand how critical infrastructure operators work and how they conduct business, and they look for ways to blend into day-to-day operations.
Water, waste management, natural gas, electricity, and telecom providers are all large operations that serve both businesses and consumers. You likely hold contracts with several of them for trash collection, electricity, clean water, and mobile service, and your employer almost certainly does too. The result is a high volume of customer data collected, stored, and sometimes shared: payment card details, email accounts, addresses, employee Social Security numbers, and more.
Enormous volumes of data therefore flow every day, across the grid and between critical infrastructure providers and the populations that depend on them. Handling that volume while keeping the user experience smooth means that many of these organizations operate upload portals and file transfer systems, and they hold the data they generate in public cloud storage, data lakes, and other channels built to collect, move, and store it. That is great for efficiency, but every one of those channels is also an entry point for an attacker and a target for cyber threat prevention.
Throughout my career in cybersecurity, I have seen cybercriminals conduct spear phishing attacks, hijack data transfer channels, upload weaponized content into S3 buckets that enables them to compromise accounts and systems, move laterally through a network undetected, access and exfiltrate sensitive data, and launch ransomware. As I see it, this is only a drop in the bucket, and the threats we'll see rise tomorrow will require more sophisticated solutions to counteract, especially as generative AI and large language models (LLMs) continue to grow in popularity.
Comprehensive Protection, Because One Solution is Not Enough
Once a cybercriminal has access to a network or system, the damage is already under way. They effectively hold the keys to the kingdom and can exploit further weaknesses as they move through your environment. First they map your organizational structure and technologies to find where the crown jewels are kept, or which "buttons" to push to cause mass disruption. That is just the start: if the incursion goes undetected long enough, the monetary and reputational damage can become irreversible. So how do you stop it?
Secure every channel, not just the endpoint. A firewall and a threat-intelligence feed for after-the-fact investigation are useful tools, but they cannot do the job alone. Extend the protections already in place for critical infrastructure to email workflows, operational technology environments, digital collaboration software, and internal communication platforms; sensitive data flows through all of these, and traditional security defenses often overlook it.
You must also know where your data moves. Map where data, content, and files are ingested, where they travel, and where they are stored, so that protections can be placed at every point where they are accessed. That usually requires controls that work in real time and cover structured and unstructured data alike.
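The upload portals and file transfer systems described earlier are the kind of ingestion point where a protection should sit. The following is an added example, not code from the original article or from any product it alludes to: a minimal ingestion gate that identifies a file's real type from its leading bytes rather than trusting the extension, refuses executables and macro-enabled Office documents, enforces a size cap, and records a SHA-256 so the file can be traced through later storage hops. The accepted types, the size limit, and the sample files are assumptions constructed for the demonstration.

```python
# Added example, not code from the original article: a minimal ingestion gate
# for an upload portal or file-transfer endpoint. It identifies the file's real
# type from its leading bytes rather than trusting the extension, refuses
# executables and macro-enabled Office documents outright, caps the size, and
# records a SHA-256 so the file can be traced through later storage hops.
# Accepted types and the size limit are assumed policy values.
import hashlib
import io
import zipfile
from typing import Optional

MAX_BYTES = 25 * 1024 * 1024  # assumed policy limit

# Leading-byte signatures of the content types this portal accepts.
ACCEPTED = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04"}
# Signatures refused regardless of what the filename claims.
BLOCKED = {"windows executable": b"MZ", "ELF executable": b"\x7fELF"}
# OOXML documents are zip containers; macro-enabled extensions (.docm etc.) are
# deliberately not listed.
OOXML_EXTENSIONS = {"docx", "xlsx", "pptx"}


def match_signature(data: bytes, table: dict) -> Optional[str]:
    """Return the table key whose leading bytes match, or None."""
    for name, magic in table.items():
        if data.startswith(magic):
            return name
    return None


def has_vba_macros(data: bytes) -> bool:
    """True if a zip/OOXML payload carries a VBA project part.
    Only the central directory is read, so a zip bomb is not inflated here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_upload(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Decide whether an uploaded file may enter the system; returns a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = {"filename": filename, "sha256": hashlib.sha256(data).hexdigest(),
               "detected": None, "accepted": False, "reason": ""}
    if len(data) > max_bytes:
        verdict["reason"] = "exceeds size limit"
        return verdict
    blocked = match_signature(data, BLOCKED)
    if blocked:
        verdict["reason"] = f"executable content ({blocked})"
        return verdict
    detected = match_signature(data, ACCEPTED)
    verdict["detected"] = detected
    if detected is None:
        verdict["reason"] = "unrecognised or disallowed content type"
        return verdict
    if detected == "zip":
        # Plain archives are refused; only macro-free OOXML documents pass.
        if ext not in OOXML_EXTENSIONS:
            verdict["reason"] = "zip containers accepted only as .docx/.xlsx/.pptx"
            return verdict
        if has_vba_macros(data):
            verdict["reason"] = "macro-enabled document"
            return verdict
        verdict["detected"] = "ooxml"
    elif detected != ext:
        verdict["reason"] = f"extension .{ext} does not match content ({detected})"
        return verdict
    verdict["accepted"] = True
    verdict["reason"] = "ok"
    return verdict


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads: a PDF header under the right and wrong names,
    # a PE header hiding behind .pdf, and clean/macro OOXML containers.
    for name, blob in [
        ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("photo.png", b"%PDF-1.7\n%pdf bytes with a png name\n"),
        ("update.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("notes.docx", build_sample_docx(False)),
        ("notes_macro.docx", build_sample_docx(True)),
        ("archive.zip", build_sample_docx(False)),
    ]:
        v = inspect_upload(name, blob)
        print(f"{name:18} accepted={v['accepted']!s:5} {v['reason']}")
```

The verdict dict, including the hash, is what you would write to the audit log at the point of ingestion; the same hash can then be matched when the file lands in cloud storage or a data lake, which is how "knowing where your data moves" becomes something you can actually query. A real gate would add malware scanning and a sandbox for documents, but the signature and container checks above already stop the cheapest tricks: renamed executables and macro documents.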