Critical infrastructure and critical entities – the industries and organizations essential to economic and social functioning – are an obvious target for cybercriminals. It’s vital that the technologies they use for security and operational efficiency don’t themselves create cybersecurity vulnerabilities. Here we look at the issues and how to build resilience.
Examples of the increasing number and severity of cyberattacks against critical infrastructure are, unfortunately, easier than ever to find. The Center for Strategic and International Studies maintains a list of significant cyber incidents against government bodies and other organizations; for 2024 alone it runs to more than 50 entries, and those are only the incidents that reach the public domain.
While not all of these specifically relate to attacks against what would be regarded as critical infrastructure, it’s clear that for those wishing to create maximum disruption, services essential to a country’s economic and social wellbeing are a key target.
For example, in February 2021 an attacker gained access to the control systems of the water treatment plant in the town of Oldsmar, Florida, and briefly raised the sodium hydroxide dosing level from 100 parts per million to a dangerous 11,100 parts per million. An operator watching the screen noticed the change and reversed it before the water supply was affected.
In May 2023, the energy sector in Denmark came under the biggest coordinated cyberattack in its history, with 22 energy companies targeted. Vulnerabilities in the companies’ firewalls were exploited for initial network access, and subsequent code execution gave the attackers complete control over the affected systems.
Although the vulnerabilities were quickly patched and the affected networks secured, the incident is another example of the potential impact of key sectors being disrupted. It also illustrates how attackers constantly probe network security for weaknesses and vulnerabilities to exploit. In an ever more connected world, any network endpoint can provide an opportunity for attack.
It’s no surprise, therefore, that cyberattacks continue to grow in frequency. Research has found that cyberattacks against critical infrastructure have increased 30% since 2022, with more than 420 million attacks recorded between January 2023 and January 2024, which works out at around 13 attacks every second.
A connected world means a hackable world
The world is more connected than ever before. The Internet of Things (IoT) represents billions of devices and sensors connected to each other - from smart speakers to surveillance cameras - delivering valuable services and creating huge efficiencies to consumers and businesses. Perimeters around corporate networks have become more permeable by design, facilitating external connections from employees, suppliers, customers, and millions of devices.
Networks within critical infrastructure are no different. Securing any network matters, but the consequences of a breach of a critical infrastructure network are so severe that a robust approach to cybersecurity in the sector is even more imperative.
Regulation has evolved accordingly. It now covers critical entities, meaning any organization involved in the critical infrastructure supply chain, and focuses on the resilience of those organizations in the face of cyberthreats. The breadth of factors that now need to be taken into account is captured by the EU’s definition of resilience: “a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident”.
Regulations such as the Critical Entities Resilience (CER) Directive and the NIS 2 Directive set far more stringent requirements across the entire critical infrastructure supply chain, with severe penalties for non-compliance.
All networked devices and systems can be vulnerable, however. Any device that is not hardened in line with its vendor’s guidance can be the weak link that gives an attacker access to the network, with potentially catastrophic consequences.
Networked surveillance cameras play a central role in the physical security of critical infrastructure. It would be the ultimate irony if those same devices became the entry point for a breach of the critical infrastructure network.
Best practice is to trust no one until verified
No network can be 100% cybersecure. Unencumbered by regulation and as well-financed as any start-up, cybercriminals constantly innovate in their methods of attack, so operators of critical infrastructure must work equally hard to understand the evolving threat landscape and stay a step ahead.
As more devices connect to the networks used by critical infrastructure, a single perimeter firewall is no longer enough; security has to be layered. An increasingly adopted way to achieve this is a zero trust network architecture.
Put simply, and as the name suggests, a zero trust network starts from the assumption that no entity connecting to or operating within the network, whether apparently human or machine, can be trusted. Whatever it appears to be, wherever it connects from and however it connects, it is not trusted until it has been verified.
Verification can take several forms and be repeated throughout a session, and it usually goes together with least privilege: an entity is granted access only to the specific part of the network it needs for its task, typically enforced through network segmentation. Verification applies to devices, cameras included, as much as to people. The ability of every connected device to prove its identity irrefutably, for example with a unique per-device certificate, is essential in a zero trust network architecture.
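What device identity verification looks like in practice, as an added Go example written for this article (it is not Axis code and describes no product): a camera is admitted only if the certificate it presents chains to the organization’s own CA, is valid for client authentication, has not expired, and names a device serial that is on the inventory allowlist. The CA name, device serials, inventory and validity periods are assumptions constructed for the example; keys are generated in memory, whereas a real device would hold its key in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a CA template (isCA) or a client-auth device template whose CommonName carries the device serial.
func certTemplate(serial int64, name string, notAfter time.Time, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// newKeyAndCert generates a key (in memory here; a real device would hold it in hardware) and signs tmpl with parent, or self-signs it when parent is nil.
func newKeyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice is the admission decision: accept only if the certificate chains to a trusted root, is valid for
// client authentication at time now, and names a serial on the allowlist. It returns the serial or the refusal reason.
func verifyDevice(cert *x509.Certificate, roots *x509.CertPool, allow map[string]bool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if serial := cert.Subject.CommonName; !allow[serial] {
		return "", fmt.Errorf("device %q is not on the inventory allowlist", serial)
	}
	return cert.Subject.CommonName, nil
}

// runScenario checks four devices: a legitimate camera; one whose certificate comes from a rogue CA that copied the
// real CA's name; one with a genuine certificate for a serial missing from the inventory; and one whose certificate
// has expired. It returns the admitted serial and the rejection reasons.
func runScenario() (admitted string, rejections []string, err error) {
	caUntil := time.Now().AddDate(10, 0, 0)
	orgCA, orgKey, err := newKeyAndCert(certTemplate(1, "Example Org Device CA", caUntil, true), nil, nil)
	if err != nil {
		return "", nil, err
	}
	rogueCA, rogueKey, err := newKeyAndCert(certTemplate(1, "Example Org Device CA", caUntil, true), nil, nil)
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(orgCA)
	allow := map[string]bool{"CAM-0001": true, "CAM-0002": true} // constructed inventory
	now, year := time.Now(), time.Now().AddDate(1, 0, 0)
	type tc struct{ ca *x509.Certificate; key *ecdsa.PrivateKey; device string; until time.Time }
	cases := []tc{
		{orgCA, orgKey, "CAM-0001", year},                       // legitimate
		{rogueCA, rogueKey, "CAM-0001", year},                   // forged identity
		{orgCA, orgKey, "CAM-0099", year},                       // not in inventory
		{orgCA, orgKey, "CAM-0002", now.Add(-30 * time.Minute)}, // expired
	}
	for i, c := range cases {
		cert, _, err := newKeyAndCert(certTemplate(int64(i+2), c.device, c.until, false), c.ca, c.key)
		if err != nil {
			return "", nil, err
		}
		if serial, verr := verifyDevice(cert, roots, allow, now); verr != nil {
			rejections = append(rejections, verr.Error())
		} else {
			admitted = serial
		}
	}
	return admitted, rejections, nil
}

func main() { fmt.Println(runScenario()) }
```

The rogue CA deliberately carries the same name as the real one: name matching is not identity, and only the signature check against the organization’s trusted root tells the two apart. The allowlist step is what ties the cryptographic identity back to the inventory, so a validly issued certificate for a camera nobody knows about is still refused.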
Beyond that, every component of the surveillance solution should be made as secure in its own right as possible, and vendor hardening guides and other resources are available to help.
System health monitoring and management
Just as monitoring our own health helps us spot minor problems before they become serious, health monitoring of a surveillance solution reveals issues such as offline devices and faulty connections before they turn into security or operational gaps.
Complete visibility of every surveillance device on the network and its status gives a comprehensive picture of the system, which supports identifying, resolving and containing potential issues.
In addition to health monitoring, management tools can streamline updates of device firmware. This is essential for patching newly discovered vulnerabilities and keeping the surveillance solution secure, particularly as organizations add more IoT devices to their networks.
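The kind of check such a tool runs, as an added Go example written for this article rather than Axis software: it takes a snapshot of the device inventory with each camera’s last heartbeat and reported firmware version, and flags devices that have gone silent, devices running firmware below the minimum version the operator has approved, and devices whose version string cannot be parsed and whose patch level therefore cannot be confirmed. The device serials, version numbers and thresholds are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Device is one camera as a monitoring tool would track it.
type Device struct {
	Serial   string
	Firmware string
	LastSeen time.Time
}

// Finding is one problem detected on one device.
type Finding struct {
	Serial string
	Issue  string
}

// parseVersion turns a dotted version such as "11.10.61" into integer parts.
func parseVersion(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.TrimSpace(v), ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("cannot parse version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// olderThan reports whether version a is strictly older than version b.
// Missing trailing components count as zero, so "11.10" equals "11.10.0".
func olderThan(a, b string) (bool, error) {
	va, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for len(va) < len(vb) {
		va = append(va, 0)
	}
	for len(vb) < len(va) {
		vb = append(vb, 0)
	}
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// assess flags every device that has been silent longer than maxSilence, runs
// firmware older than minFirmware, or reports a version that cannot be parsed.
// Findings are sorted by serial; a device with two problems gets two findings.
func assess(devices []Device, minFirmware string, now time.Time, maxSilence time.Duration) []Finding {
	var findings []Finding
	for _, d := range devices {
		if silent := now.Sub(d.LastSeen); silent > maxSilence {
			findings = append(findings, Finding{d.Serial, fmt.Sprintf("offline: no heartbeat for %s", silent.Round(time.Minute))})
		}
		switch old, err := olderThan(d.Firmware, minFirmware); {
		case err != nil:
			findings = append(findings, Finding{d.Serial, "unknown firmware: " + err.Error()})
		case old:
			findings = append(findings, Finding{d.Serial, fmt.Sprintf("outdated firmware %s, minimum is %s", d.Firmware, minFirmware)})
		}
	}
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].Serial < findings[j].Serial })
	return findings
}

// sampleInventory is a constructed snapshot relative to now; serials and
// version numbers are invented for the example.
func sampleInventory(now time.Time) []Device {
	return []Device{
		{"CAM-0001", "11.10.61", now.Add(-2 * time.Minute)},  // healthy
		{"CAM-0002", "10.12.182", now.Add(-3 * time.Minute)}, // needs update
		{"CAM-0003", "11.10.61", now.Add(-4 * time.Hour)},    // silent
		{"CAM-0004", "9.80", now.Add(-26 * time.Hour)},       // silent and outdated
		{"CAM-0005", "beta", now.Add(-1 * time.Minute)},      // version unparsable
	}
}

func main() {
	now := time.Now()
	for _, f := range assess(sampleInventory(now), "11.10.61", now, 15*time.Minute) {
		fmt.Printf("%-9s %s\n", f.Serial, f.Issue)
	}
}
```

The unparsable version is reported as a finding rather than silently skipped: from a security standpoint a device whose patch level cannot be confirmed is in the same bucket as one known to be out of date. The heartbeat threshold is a tuning decision; too tight and every transient network glitch pages someone, too loose and a camera that an attacker has taken offline goes unnoticed for hours.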
Cybersecurity through the value chain
Effective modern surveillance solutions are the sum of many parts. As cameras have become powerful computing devices in their own right, able to host AI analytics on the device itself, a key aspect of cybersecurity is a holistic view of resilience across the entire value chain, from the components and firmware inside the device to the partners who integrate and operate it.
Critical infrastructure has always focused on physically securing the sites, plants and buildings on which millions of people around the globe rely for the fundamental services of everyday life. With today’s threats being as much digital as physical, probably even more so, the same attention must be placed on cybersecurity. It’s a focus that will remain a priority for Axis and our partners.