Valencia, ES, August 16, 2023 – Soaring cybercrime rates, an increasingly tumultuous geopolitical climate, and a declining global economy have created the most dangerous environment for critical infrastructure in decades, and organizations must act accordingly.Â
When we think of critical infrastructure cyber incidents, we typically think of attacks targeting industrial control systems, such as the infamous Colonial Pipeline ransomware attack. However, critical infrastructure organizations possess vast quantities of sensitive data of enormous value to specific individuals, and thus data breaches pose a significant threat.
What is critical infrastructure?
The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as “those assets, systems, and networks that provide functions necessary for our way of life” and lists sixteen sectors that fall under that definition:
- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and Agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, material, and waste
- Transportation systems
- Waste and wastewater
Critical infrastructure and data loss
While we typically associate critical infrastructure with cyber-attacks targeting industrial control systems, data theft is an equally serious issue. As with all organizations, critical or otherwise, critical infrastructure data breaches can result in significant reputational, financial, and legal damage.
However, it’s essential to remember that critical infrastructure data is generally far more sensitive than that of non-critical organizations; criminals could use the information stolen from a non-critical organization to steal someone’s identity, but critical infrastructure data could facilitate a terrorist attack. While both are serious crimes, the potential impacts are incomparable.
And critical infrastructure data theft isn’t merely hypothetical. In 2014, US courts charged Chinese cybercriminals with stealing data related to US fighter jets from Lockheed Martin and Boeing. In 2019, unknown threat actors stole information from India’s Kundankulam nuclear power plant. This year, researchers confirmed that the Chinese hacking group “Volt Typhoon” had compromised critical infrastructure in Guam and the mainland United States.
Critical infrastructure data breaches, even in peacetime, can turn the tide of war. In their attack on Lockheed Martin and Boeing, for example, hackers are thought to have stolen information on US fighter planes and sold it to the Chinese military, who then built a fighter jet based on that data. The implications of the theft, should the US and China go to war, are both evident and disquieting.
It’s essential to remember that while non-critical organizations have a legal and ethical responsibility to protect private information, a successful breach of a critical infrastructure organization could have significant national security implications, potentially tipping the geopolitical balance of power.
Protecting critical infrastructure
Cybersecurity best practice is essentially the same for critical and non-critical infrastructure. Still, the potential consequences for critical infrastructure organizations are much more severe, and their cybersecurity programs must reflect that fact.
Data encryption is the essential security protocol for mitigating critical infrastructure data loss. The complex Hybrid IT and OT networks used by modern critical infrastructure organizations are vulnerable to intrusions, and attacks on critical infrastructure are at an all-time high. The reality is that critical infrastructure organizations will most likely suffer an intrusion at some point. By encrypting their data, those organizations prevent cybercriminals from stealing anything of any real value.
It’s also imperative that critical infrastructure organizations harmonize their approaches to cybersecurity. Cyber-attacks can have cross-sectoral effects, particularly for critical infrastructure organizations. Earlier this year, the Voice over IP (VoIP) provider 3CX suffered a cyber-attack that has already spread to other critical infrastructure organizations. If organizations fail to standardize their cybersecurity practices, incident response, and upcoming regulations could do more harm than good.
Regulation plays a huge role in mitigating data loss risk for critical infrastructure organizations. Regulatory standards for critical infrastructure are some of the most stringent in the world and are only getting tougher. For example, many experts have lauded the UK’s Telecoms Security Act, which went into effect in October last year, as a harbinger of further incoming regulation, particularly for critical infrastructure.
Finally, critical infrastructure organizations must keep up to date with evolving threats. Publicly available artificial intelligence tools like ChatGPT have emerged as a new data loss risk to critical infrastructure. Critical infrastructure is a highly competitive market, and organizations are always looking for ways to gain an advantage over their competitors. Staff must refrain from inputting sensitive data into machine learning tools as they could expose that information to other users. If it can happen to Microsoft and Samsung, it can happen to anyone.
Data loss is an oft-overlooked yet grave threat to organizations. Not only could a data breach result in significant financial and reputational damages, but it could also even threaten national security. Critical infrastructure organizations must harmonize their approaches to cybersecurity, encrypt their data, adhere to regulations, and stay vigilant for evolving threats to protect themselves from data loss.
About the Author: Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
Contact:
Company Name: Bora Design SL
Company Person: Marie Pettit
Email: marie@welcometobora.com
Website: https://www.welcometobora.com/
Address: Avenida Santo Domingo Xaló, Valencia 03727, ES
