Technology Record - Issue 25: Summer 2022

VIEWPOINT

To protect themselves against common cybersecurity threats, organisations managing critical services and assets need to make meaningful improvements

MIA LAVADA: CENTER FOR INTERNET SECURITY

Cloud security for critical infrastructure organisations

According to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Manufacturing Profile report, critical infrastructure consists of “essential services and related assets that underpin American society and serve as the backbone of the nation's economy, security, and health.” These services and assets fall under 16 sectors identified by the US Cybersecurity & Infrastructure Security Agency (CISA), which include healthcare, energy, and transportation. A disruption involving any critical infrastructure could undermine national security, economic security, and public safety.

Critical infrastructure organisations can reap the same types of benefits from migrating to the cloud as those operating in other sectors. For instance, they can use the cloud to flex their IT resources based on their changing needs. They can also manage IT infrastructure costs more effectively by paying only for what they need.

That said, some benefits of cloud migration are unique to critical infrastructure organisations. These advantages include applying remote diagnostics and other types of analysis to the data sent from their operational technology (OT) systems to the cloud. This can help strengthen supply chains against emerging threats and perform preventative maintenance in a way that maximises uptime. However, it can introduce risks for owners of critical infrastructure systems in the process.

Cybersecurity provider Fortinet identifies three risks as particularly relevant. First, the cloud creates new attack vectors by which digital attackers can target critical organisations' OT assets with ransomware and other IT security threats.
Second, threat actors can use a misconfigured cloud-based asset to move laterally within a targeted organisation's networks, exfiltrate data, or engage in other malicious activity. Finally, many OT assets and industrial control systems (ICS) are decades old and lack the ability to receive updates remotely. According to Fortinet, these resources make it easier for attackers to perform a network intrusion than their more resilient IT counterparts when migrated to the cloud.

These three challenges increase critical infrastructure organisations' risk of exposure to the common cybersecurity threats identified by the US Department of Homeland Security. They also introduce complexity that creates an opportunity for more sophisticated offensives against OT and ICS systems. In April 2022, CISA announced in a joint Cybersecurity Advisory alert that advanced persistent threat actors had developed custom-made tools

“Four in five critical infrastructure organisations suffered a ransomware attack over the course of 2021”
