Why Critical Infrastructure is a Massive Target for Nation-State Attackers

Many cyberattacks go after critical national infrastructure such as pipelines, communications, transportation, and utilities.  And a large share of those attacks originate with other nation-states, chiefly Russia, North Korea, China, and Iran.

According to the 2019 Data Breach Investigations Report, 23 percent of the breaches analyzed involved nation-state or state-affiliated actors, and over the preceding three years the number of nation-state attacks had doubled.  Clearly, this trend continues to be on the upswing.  Microsoft's own telemetry attributes 58 percent of the nation-state attacks it observed to Russia, followed by North Korea, with the U.S. the most frequently targeted country.

Why Attack Infrastructure?

Nation-state attackers, whether directly employed by a hostile government or merely supported by it, go after national infrastructure primarily for two reasons.  First, critical infrastructure tends to be complex and tightly interconnected, which gives an attacker a wide attack surface.  There are multiple attack vectors, including corporate IT systems, SCADA and PLC industrial control devices, power transmission and distribution networks, air traffic control systems, and telecommunications systems.  Many of the control devices were designed for isolated networks and assume that anything that can talk to them is trusted, so once an attacker reaches the control network, sending a legitimate command is often enough; no exploit is needed.  Disrupting any one of these systems can cascade into the others that depend on it.

Second, attacks on critical infrastructure have the clear potential to cause more damage and disruption than attacks on government agencies or commercial enterprises.  Beyond snarling traffic, communications, and power generation, they can cause physical harm to citizens, because the loss of safe control over a physical process puts people at risk.  Disruption and confusion lasting weeks or even months is not out of the question.

In short, infrastructure cyberattacks can support the national interest, business advantage, and military goals of a hostile country, at a lower cost and risk than a direct physical attack.

Other Types of Infrastructure

It’s impossible to talk about critical infrastructure without talking about dams, water utilities, 9-1-1 emergency services, and other smaller yet still highly important services.  These organizations tend to serve small areas and are correspondingly small themselves.  That makes it difficult to devote the money and personnel needed for an appropriate level of detection and remediation, and many of them lag badly when it comes to even basic cybersecurity protections.

Nation-state attackers have also increasingly gone after supply chains, which have become highly complex, with manufacturing, shipping, rail, trucking, and integration systems all coordinating with one another.  In fact, in recognition of the fragility of certain parts of the supply chain, many industries have decided to move away from so-called just-in-time manufacturing toward holding more inventory, which leaves more flexibility to adapt to unexpected problems.

IP Theft is a Growing Problem

Last but certainly not least, intellectual property (IP) theft continues to be a large and growing problem.  While we normally think of IP as belonging primarily to the private sector, some critical IP, such as aerospace and energy R&D, remains primarily the province of government agencies.  And many public-private partnerships, such as those in pharmaceuticals, have to be considered part of our critical infrastructure.  In fact, as this article notes, unnamed nation-states have attempted to steal the IP behind Covid-19 vaccines and the supply chains that produce them.

Public-private partnerships can be especially problematic from a security standpoint, because data flows between different organizations and can be accessed by many more people.  There are more attack vectors to worry about, and more potential bad actors with legitimate access.

Amplifying the Impact of a Cyberattack

Sometimes nation-state attacks are combined with carefully selected physical attacks to maximize harm and psychological impact.  The 9/11 attack on the World Trade Center in Manhattan, while not a cyberattack, showed how a physical strike can also take down infrastructure: it knocked out a major telecommunications node for the Northeast U.S. and disrupted phone and Internet connectivity between Washington DC and New England for several days.

Consider the physical consequences.  Air traffic control failures can cause dangerous and sometimes fatal air disasters.  The loss of traffic signals in a large city can cause massive traffic accidents.  And water systems without appropriate cyber safeguards can conceivably deliver physical harm to entire cities or regions.  A cyberattack combined with a physical attack is probably one of the most psychologically difficult things for a nation to face.

How Can Critical Infrastructure and Services Fight Back?

Much of the critical infrastructure in the U.S. is held by private companies rather than government entities, which makes it difficult to pay for and coordinate a unified response.  Many of these private companies are too small to afford comprehensive cybersecurity programs.  Even large regional utilities depend on power suppliers and other utilities in their own supply chain, so their security is only as good as their weakest partner.

One way out of this dilemma is for infrastructure companies in the same industries or supply chains to band together on cybersecurity, sharing threat information and strategies; in the U.S., the sector-specific Information Sharing and Analysis Centers (ISACs) exist for exactly this purpose.  That enables the development and dissemination of best practices for each industry.

Also, infrastructure enterprises should think twice about outsourcing their cybersecurity wholesale.  They understand their industry and their own operations better than an outsourcer does, and are in a better position to recognize and respond to nation-state attackers.  But only by joining together will many infrastructure enterprises be able to effectively fight back against attacks on their operations.