The recent cyber-attack on the HSE Group, the largest Slovenian organization in the field of electricity, has caused significant disruptions in the functioning of the organization and some connected companies, highlighting how susceptible critical infrastructure is to cyber-attacks. The incident raises the question of how strong cybersecurity is in critical infrastructure, especially in power plants and the distribution of electrical energy, and how resilient such organizations are. It also highlights the importance of cybersecurity awareness and readiness among employees. In this blog post, we will delve deeper into the broader social context of cyber-attacks on critical infrastructure, highlighting the role of upper management in the promotion of cybersecurity, the role of employees as (often) the first line of defence, and the importance of supply-chain security, and providing suggestions to increase cyber resilience.
Challenges of cybersecurity in critical infrastructure
Because of their high impact on public services, critical infrastructure operators are among the primary targets of cyber-attacks. The technology that runs these facilities is essential to keep society running: managing power grids, water supplies, communication networks, transportation systems, financial services and other services requires continuous monitoring of both IT and OT systems to keep them fully operational. As cyber threats become more prevalent and sophisticated, keeping an organization’s security measures up to date is often challenging. Decades ago, OT systems were air-gapped environments with no outward connectivity; today they are IP-connected like any other system, yet they often run legacy operating systems for which no security patches are available.
Furthermore, supply chain (in)security is an issue that needs to be addressed and managed urgently. Sharing VPNs and cloud services with other companies extends the attack surface, so a successful attack has consequences not only for the organization under attack but also for the other companies in its supply chain.
Successful cyber-attacks are not only accompanied by a loss of valuable data but also by a ruined reputation, usually enormous cost for recovery, and in critical infrastructure, also by potential life-threatening situations for citizens. Therefore, bringing cybersecurity into focus, sharing information about cyber threats, and raising awareness among users should be a part of every business strategy for 2024.
The role of social engineering in cyber-attacks
No matter how advanced security devices are, social engineering remains the attack vector that beats them all. One cannot be careful enough when responding to calls to action in email messages, on social networks, or in instant messaging applications. The increase in online shopping has opened a new dimension of smishing (i.e. phishing via SMS), often linked to breaches of delivery service databases. When a user’s action in an online shop or another application (e.g. e-banking) coincides with an SMS or instant message asking them to do something related to that action, the odds of a successful attack are very high.
A couple of weeks ago, there was a smishing campaign urging users to pay a small amount of customs costs for a delivery from outside the EU. Imagine you are expecting a parcel from abroad. The “customs costs” sound reasonable; you pay the amount, and the next message you receive is a request to confirm an e-payment of 300 €. I bet your heart rate jumps. Luckily, most e-banking solutions require payment confirmation, so you can decline any further payments. However, attackers can earn millions of euros simply by sending a request to pay 1.98 EUR in customs costs to every contact in a large leaked database.
CISOs can never prevent the mistakes employees make in their free time. However, making the corporate environment resistant to social engineering should be one of their top priorities. At Carbonsec, we believe the best way is to train users with regular phishing simulations, present the results of these campaigns to employees, and run workshops that show them the most common mistakes.
Social engineering is not just phishing
Although we tend to equate social engineering with phishing attacks and their variations, it is much more than that. A cyber-attack begins with information gathering, and the target rarely knows how long it has been observed before the first attack is launched.
The information we share on the internet is a treasure trove for attackers. They might even start building a relationship with you without you noticing that it is malicious. An innocent chat can be a valuable source of information for someone who knows exactly how to ask without raising suspicion.
Another common type of social engineering is tailgating: letting people onto your premises without checking their identity. They might pretend to be outsourced service providers, e.g. technicians servicing your printers or the coffee machine. Another issue that should not be overlooked: do not discuss sensitive topics in public places like bars or restaurants. You cannot tell who is sitting at the next table.
Regular security testing helps prevent successful cyber-attacks
On the system level, regular security testing should be part of organizational processes, just like a fire drill. Security tests show how effective cybersecurity measures and protocols are and provide a roadmap of activities for the next period. Based on the results of a security test, you can update your risk analysis, implement additional security controls in the business environment, and improve the services you offer to your customers.
In line with strategic cybersecurity management, it is reasonable to plan different types of security testing throughout the year and to schedule verification (re-testing) according to your internal procedures. The entire internal network can be tested once per year, with additional partial tests at other times of the year (e.g. one application, one network segment, or a specific vulnerability).
Defining the timeline of security testing helps you prioritize security activities throughout the year and avoid bottlenecks when trying to reach specific deadlines (e.g. external audits, yearly targets, etc.).
Gaining support from top management
The cybersecurity strategy goes hand in hand with business and development planning. Usually, at the end of Q3, when plans are being made for the next year, top management gathers and sets goals. It is of utmost importance that the CISO participates in these strategic meetings and incorporates information security and cybersecurity into the other business goals.
For example, if you develop software and plan to launch a new application in October, you must plan a penetration test for June to give your development team time to remediate the vulnerabilities found, and run a verification test at the beginning of September at the latest.
Your cybersecurity strategy should include regular audits according to one of the acknowledged frameworks (e.g. CIS Controls) as well as response and recovery plans in case of a cyber incident. Clear actions, including the responsible personnel, should be defined so that everyone knows who is in charge of each task or segment of the infrastructure.
Sometimes, persuading top managers to dedicate more resources to security is difficult. For the CISO, it is essential to keep defending cybersecurity as a top priority. Building awareness takes time; it is a long process. We must be patient, and sometimes we simply have to learn from our mistakes. Some organizations understand how to manage cybersecurity from the very start; others are first hit by an attack and only then treat cybersecurity as one of the main pillars of their business. If the end result is higher security, the goal is reached.
Keep an eye on your supply chain to avoid cyber-attacks
A better cybersecurity posture earns you a higher reputation on the market. As required by the new EU regulation, monitoring your suppliers’ security is a must, since intertwined networks of cloud technologies contribute to a broader attack surface.
You are probably already being monitored by some of your customers. Start monitoring your suppliers and help create a secure supply chain. Imagine that everybody notified their suppliers of the security weaknesses discovered through supply chain monitoring. The “supply chain intelligence” created this way could help eliminate cyber threats before they escalate and mitigate the risks imposed on a whole chain of organizations.
Contribute to a more secure society
As mentioned before, cybersecurity issues are not limited to business environments; they have also become a significant part of our private lives. Regular home internet users will probably not deploy firewalls or other security devices on their home networks. However, every user should master a certain level of security awareness to be resilient in the cyber world and not endanger the others in their own “supply chain” (e.g. friends on social networks).
I dare say those capable of sharing knowledge in this field should feel responsible for passing it on to those who probably lack cyber-awareness (e.g., children, seniors, less educated users, those who do not use computers as their primary work asset, etc.). Building a cybersecurity-aware society is a task where we all can participate and benefit from it.