Strengthening National Security by improving Critical Infrastructure Resilience

A country's critical infrastructure is the backbone of its communications, its commercial operations and the smooth running of its citizens' daily lives. These infrastructures are highly vulnerable to a wide range of cyber-attacks, which has become one of the biggest national security challenges for countries worldwide. Given the scale of damage a cyber-attack on critical infrastructure can cause, cyber warfare has become a new strategy on the modern battlefield. Such attacks are called state-sponsored cyber-attacks. Countries around the world are struggling with the increase[i] in state-sponsored cyber-attacks. The Center for Strategic & International Studies recently released a report on the significant state-sponsored cyber-attacks that took place in 2023[ii].

Worldwide, the following 16 critical infrastructure sectors[iii] have been identified as critical for national security; their exploitation could have an adverse impact on the economy, public health and safety.

· Chemical Sector

· Commercial Facilities Sector

· Communications Sector

· Critical Manufacturing Sector

· Dams Sector

· Defense Industrial Base Sector

· Emergency Services Sector

· Energy Sector

· Financial Services Sector

· Food and Agriculture Sector

· Government Facilities Sector

· Healthcare and Public Health Sector

· Information Technology Sector

· Nuclear Power Reactors, Material and Waste Management Sector

· Transportation Sector

· Water and Wastewater Management Sector

Cyber-attacks targeting nationwide critical infrastructure can be extremely damaging, bringing people's daily lives to a standstill and causing significant harm to the country's economy.

A recent research report estimates the impact of cyber-attacks targeting the US power grid infrastructure at around $240 Billion, which could rise as high as $1 Trillion[1].

After every significant cyber-attack, nations invest considerable effort and money in strengthening their cyber defense capabilities[2], which helps secure their nationwide critical infrastructure.

The following are considered critical vulnerabilities in nationwide critical infrastructure; their exploitation by cyber-attacks could seriously affect national security and its resilience:

· Use of legacy systems & software

· Lack of effective hardening

· Vulnerabilities present in the complex ICT supply chain

· Network vulnerabilities

· Web application vulnerabilities

· IoT vulnerabilities

· Lack of policies & procedures

· Insider threats

· Lack of audit & assurance mechanisms

· Lack of compliance oversight

Use of Legacy systems & software

Given the growing number of cyber-attacks targeting nationwide critical infrastructure, legacy systems and software are considered potential "digital time bombs" that must be defused diligently and promptly. The large number of vulnerabilities in the legacy systems and software used by the industrial sector is a real cause for concern. Vulnerability analysis should be carried out periodically, and the vulnerabilities identified should be patched immediately. Systems and software that are out of support should be replaced with newer versions or new solutions in a timely manner.

Lack of effective hardening

The complex IT systems and software used in nationwide critical infrastructure should have their security configurations strengthened according to Minimum Security Baselines[3] (MSBs), and compliance with those baselines should be verified periodically so that any course corrections can be made. Automated solutions are available in the industry that help organizations implement and verify MSB compliance.

Vulnerabilities present in complex ICT supply chain

Government agencies and departments have a very complex network of supply chain partners from whom a variety of ICT elements, such as hardware, software and network equipment, are procured. These ICT elements come with their own vulnerabilities. Counterfeit software and hardware products procured from black markets can be used as vehicles for Trojan malware, such as the SUNBURST malware identified in the SolarWinds Orion upgrade, and can compromise the entire IT infrastructure of the nationwide critical infrastructure. When ICT elements are bought from a source other than the original equipment manufacturer (OEM) partners or other authorized sources, that source should be closely reviewed. Counterfeit parts standards such as AS5553, AS6081, AS6171, AS6496 and DFARS 252.246-7007 should be applied appropriately throughout the procurement life cycle to guard against counterfeit products.

Implementing the following controls will help protect organizations from the risks[4] of buying and using counterfeit ICT elements:

· Visual inspections of the products

· Destructive and non-destructive tests conducted on the products

· Product safety and security assurance review by third-party auditors

· On-site supplier audits

· Implementation of a well-defined vendor management process framework

· Implementation of periodic vendor risk assessments

Network Vulnerabilities

The network elements of critical infrastructure generally have the following vulnerabilities, which need to be addressed with appropriate and timely remediation measures:

· Outdated or unpatched software

· Lack of implementation of MSBs for devices such as firewalls

· Lack of multi-factor authentication

· Lack of network segmentation

· Lack of a network intrusion detection system

· Lack of network monitoring

· Lack of periodic penetration testing

Web Application Vulnerabilities

A significant number of web applications are used in the day-to-day operations of the nationwide critical infrastructure maintained by nations around the world. Any flaw or weakness in a web-based application can be exploited by cyber-attacks targeting critical infrastructure, so best practices such as the OWASP guidelines[5],[6] should be followed when addressing web application vulnerabilities.

IoT Vulnerabilities

With the fourth industrial revolution (Industry 4.0) under way, the use of IoT is proliferating significantly across the sectors identified as critical for national security. The IoT ecosystem and the Operational Technology (OT) elements deployed in critical infrastructure generally have the following vulnerabilities, which can be exploited by cyber-attacks and need to be addressed with appropriate and timely remediation measures:

· Insecure network services and interfaces

· Usage of vulnerable ICT elements

· Implementation of inadequate data protection controls

· Lack of hardening of the various ICT elements used in the IoT ecosystem

· Lack of training and security awareness

· Lack of adequate threat intelligence and weak incident management capabilities

Other vulnerabilities

The following are some of the other vulnerabilities of nationwide critical infrastructure that need attention from stakeholders:

· Lack of policies & procedures

· Insider threats

· Lack of audit & assurance mechanisms

· Lack of compliance oversight

Security standards supporting the protection of Nationwide Critical Infrastructure

Nations and their various industry sectors should carefully review the following security standards and guidelines, which address the security and resilience of the critical infrastructure they maintain:

· ISO 27001

· ISO 22301

· ISO/CD 22372

· NERC CIP Standard (North American Electric Reliability Corporation Critical Infrastructure Protection)

· ISA/IEC 62443

· NIST CSF Guidelines

· Common Criteria (ISO/IEC 15408)

· FIPS 140

· ETSI EN 303 645

· NIPP 2013

Conclusion

It is critical for security leaders to have a thorough understanding of critical infrastructure security and resilience (CISR) in order to safeguard the critical infrastructure maintained by their nations. They should focus on integrating the cyber and physical security and resilience efforts of their respective sectors into an enterprise-wide cyber resilience management strategy, supported by partners such as Information Sharing and Analysis Centers (ISACs). A thorough understanding of cross-sector interdependencies will also help them improve the security and resilience of the critical infrastructure maintained by their sectors. Most importantly, the security and resilience of critical infrastructure systems should be considered from the design stage onward; addressing them at a later stage is far less effective and increases the cyber risks faced by the critical infrastructure. Nationally established Critical Infrastructure Protection strategies and plans should serve as the starting point for planning critical infrastructure cybersecurity and resilience in each critical sector. Only this approach can strengthen the security and resilience of critical infrastructure, which in turn will bolster national security against emerging state-sponsored cyber-attacks and future cyber wars.

End Notes

1. State-sponsored cyber-attacks against India increased by 278%
https://thewire.in/tech/state-sponsored-cyber-attacks-against-india-went-up-by-278-between-2021-and-september-2023-report

2. Significant Cyber Incidents of 2023
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

3. Critical Infrastructure Sectors
https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

4. The $1trn business blackout
https://commercial.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html

5. Iran's Growing Cyber Capabilities in a Post-Stuxnet Era
https://www.atlanticcouncil.org/blogs/new-atlanticist/iran-s-growing-cyber-capabilities-in-a-post-stuxnet-era/

6. What is a minimum-security baseline?
https://www.nstec.com/network-security/cybersecurity/what-is-a-baseline-in-cybersecurity/

7. The Anatomy of ICT and Services Supply Chain Risk Management
https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/the-anatomy-of-ict-and-services-supply-chain-risk-management#:~:text=To%20have%20a%20risk%2Dcontrolled,product%20safety%2C%20security%20and%20reliability

8. 41 Common Web Application Vulnerabilities Explained
https://securityscorecard.com/blog/common-web-application-vulnerabilities-explained/

9. OWASP Top 10 Vulnerabilities
https://owasp.org/www-project-top-ten/
