The world has been witnessing a slew of advanced persistent threats on their critical national infrastructure (CNI) as digital transformation initiatives are accelerated to keep up with the nations’ growing demand for energy, power, transportation, food, and healthcare.
India recently grabbed headlines with the government-run Nuclear Power Corporation’s admission of the presence of malware in one of the systems deployed at Tamil Nadu’s Kudankulam Nuclear Power Plant. While such scenarios may have seemed like the stuff of disaster films, today they are a reality.
Traditionally, security concerns related to industrial control systems (ICS) have been perceived as overly exaggerated because breaches in these were assumed to have a bigger impact on the production of goods than have serious security implications on national infrastructure. In reality, breaching a manufacturing factory could also equally impact multiple lives, through manipulation of machines, or by piling financial burden on the manufacturer, thereby affecting the employees and communities they live in. The Stuxnet attack on the ICS of the Iranian nuclear facility is a case in point.
Malware attacks on ICS, inspired by attackers seeking financial gain, hacktivism, espionage, as well as a political upper hand are a serious threat to a country’s national security. ICS malware is critical because they infect industrial devices and automation. However, regular malware such as WannaCry and NotPetya can also be equally catastrophic, forcing several companies from medical to automobile industries, nuclear power plants, power grids, and healthcare systems to malfunction.
In most cases, everyone from financially motivated criminal gangs to state-sponsored espionage groups relies on the fundamental five P’s as their weapon of choice: Phishing, Passwords, People, Patching, and Privileges.
Critical facilities such as nuclear plants present unique safety and security challenges due to the inherently hazardous nature of the facility. If the recent threat to India’s Kudankulam power plant is anything to go by, the need to improve the security of industrial networks cannot be overstated.
The India scenario
As India rapidly advances its digitisation drive, assets related to energy, communication, defense, transportation systems, chemical plants, nuclear reactors, materials, and wastes will eventually in some form or the other integrate with external networks, thereby increasing the possibility of a cyber attack.
Most industrial systems across the globe and in India have been designed using legacy devices, for high reliability and performance. While physical security of the setup has always been a concern, information security had typically taken a back seat, considering the proliferation of internet connectivity, web-based applications, and real-time business information systems was at a nascent stage.
However, as organisations began integrating ICS applications and business operations for real-time information sharing, they have become soft targets of a new threat profile that utilises more sophisticated and targeted attacks than ever before. That lack of attention to security in the past has become a big problem today, and over the past two decades, efforts are being made to secure a now critical system that was not built to be secure, as cyber adversaries continue to target high priority installations, potentially leading to harm and destruction.
While securing an industrial network and its connected ecosystem is like standard enterprise information security, it presents many unique challenges. A typical integrated ICS system like the one used in nuclear plants are expected to run at high-performance levels for months or even years, with an overall life expectancy measured in decades. Cybersecurity solutions need to complement these performance levels, and not cause any downtime, by maintaining resiliency, and availability, with a secure, always-on, scalable, multi-technology network across business units and locations.
Modern tools and services that are light-weight, high performance-driven and at the same time effective in a resilient networked architecture are key requirements for CNIs of today.
They hover behind the clouds
Public and private sector organisations are rapidly switching to cloud computing. While years ago, software applications were running on on-premise servers or dedicated data centres, today they are outsourced to large cloud service providers, running in remote data centres. Cloud computing is also being adopted in critical sectors such as finance, energy, transport, and government services. The concentration of IT resources makes cloud computing services critical and relevant to look at from a security perspective.
While the overall risk of system failures may be limited when compared to traditional IT deployments, cloud computing services are not foolproof to system failures. Additionally, if a system breach occurs, then there may be a large impact, amplified by a lot of media glare. This makes cloud computing services critical by itself. As organisations in India continue to harness the power of the cloud to accelerate business, one question we should be asking is how will widespread cloud adoption for critical infrastructure evolve, and what would be the security implications of this shift?
Together is power
Industrial networks are both essential and at the same time, potentially vulnerable. The consequence of a successful cyber incident can be devastating and the progressive growth in the severity of real cyber incidents overtime only goes on to establish the magnitude of threats looming over industrial systems. Intelligent, adaptable and highly persistent threats that are difficult to detect, are becoming the norm, owing to nation-state attacks and a highly organised criminal underground network.
The intentions of bad players have also evolved, from information theft to industrial sabotage and the actual disruption of critical infrastructures. Fuelled by the rise in anonymous cybercriminal services that are becoming increasingly accessible, paid for with digital currencies, the trend is worrisome and should send a clear message to owners and operators of critical infrastructures.
National governments are genuinely interested in securing critical infrastructure, and it has been outlined in India’s new cybersecurity chief’s Vision 2020.
The government should allow the industry to continue innovating voluntarily in critical infrastructure protection. Regulations and imposition of technology mandates will only result in achieving mere compliance rather than true security. In a tricky area such as cybersecurity, they may lead to unintended consequences, outweighing the benefits of the regulation itself. Fortunately the drafts of the intended policies seem to have taken a number of inputs from the industry and the government has been trying hard to balance the security, data protection, and privacy needs, all of which are critical.
Given the national interest in protecting critical infrastructure systems it makes sense for policymakers to implement additional incentives for cybersecurity players in tax, insurance reforms, and security clearances for declassification of more threat data. Policymakers should incentivise security by design for any new CI installations, building it into infrastructure from the ground up.
No individual, product, or enterprise can fight cyber adversaries alone, particularly critical infrastructure organisations that are under constant threat from nation-states and global criminal syndicates. For a different perspective on solving one of the biggest challenges of our era, there is a need to work together, present a unified, coordinated defense and assemble a winning partnership. Because this job is too big, too important to fly solo.
We welcome your comments at ideas.india@qz.com.