Critical infrastructure cyber security threats and how to defend against them

Critical infrastructure systems, critical to electricity production, water treatment, power generation, transportation, telecommunications and public services have all become increasingly complex and interconnected.

Innovation across critical infrastructure has helped ensure reliable, stable services for the billions of people who rely on them.

However, critical infrastructure is also a primary target of hacktivists, state-sponsored hacking groups and organised criminals. In the past year alone, 56% of U.S. energy utility facilities reported at least one cyberattack that caused data loss or operations to shutdown.

It goes without saying that disruption to critical infrastructure can have devastating impacts on whole cities, states, countries and industries. The recent SolarWinds attack, which saw 18,000 private and government clients’ data exposed is expected to cost an estimated $100 billion to recover from.

The cybersecurity threats for critical infrastructure

Solar Winds, Colonial Pipeline, Saudi petrochemical plant, Ukraine’s Power Grid outage (which left half the population without power in the sub zero temperatures of mid-December), a US Water Authority, and Israeli water systems attack all occurred in recent years and all had significant and damaging impacts on all involved, from the breached companies and its employees, to suppliers, shareholders, customers and wider society. All of the mentioned breaches were the result of credential theft, phishing or spear phishing.

For all bad actors, regardless of motive, weak authentication is the easy target. For the mid-2020 Israeli water systems breach it was an outdated legacy system and passwords which enabled a takeover of their industrial control systems (ICS). The attackers then attempted to spike chlorine and other chemicals to render the water supply harmful to drink and disrupt supplies to Israelis during a heatwave and Covid-19 pandemic.

Similarly for the unnamed US Water Authority, it was a weak factory-installed password on the facility’s Sixnet BT routers, together with outdated firmware which enabled bad actors to artificially hike bills by 15,000% over a two-month period.

In the case of Colonial Pipeline we know it was a phishing attack which led to a disabled user’s password, available on the Dark Web, falling into the hands of a Russian criminal group who made a $5m ransomware demand, which Colonial Pipeline controversially paid to regain control of their infrastructure.

Universal multi-factor authentication is paramount

There is one common thread running across all critical infrastructure: it is paramount that the password is killed across the whole organisation and its connected devices.

Last year in the US username/password breaches increased by +450%, according to ForgeRock’s Identity Breach Report 2021. To mitigate the threat of phishing, social engineering, brute force and password spraying attacks, organisations need to evolve their authentication processes. This requires a holistic solution across all employees, connected devices, and the supply chain.

With credential management systems such as MyID enabling organisations large and small to deploy universal strong authentication across their workforce, complexity, usability, and manageability no longer need to be barriers to adoption for critical infrastructure organisations. With mobile devices, security keys and virtual smart card enabled technology, IT leaders have the flexibility to deploy the right mix of devices that their users to access corporate systems and networks using passwordless MFA.

No matter how many words, characters and numbers a password contains, it is not secure. Now is the time for organisations to bin the password and secure their systems and networks with more secure and user-friendly methods of authentication.

If you are interested in discovering more about how to deploy universal passwordless authentication across your workforce, contact us today using the form below.