The coronavirus crisis has also recently exposed weaknesses in the cybersecurity of critical infrastructure such as hospitals and health care facilities, which play a critical role in fighting the current pandemic. How secure are they?
On March 15, amid a major push against the coronavirus, the United States Department of Health was hit by a cyber attack. The Bloomberg news agency reported the following day, based on anonymous sources, that the attack was likely part of a disruption and disinformation campaign aimed at undermining the response to the coronavirus pandemic. Experts conclude that hospitals and healthcare facilities around the world could be particularly vulnerable to cyber attacks because many are overwhelmed by outbreaks.
U.S. hospitals have increasingly become targets of ransomware attacks over the past year, with hackers holding files or systems hostage and only releasing the decryption key after the ransom is paid. In addition, other infrastructures such as water and energy supplies, transport systems and energy installations are also increasingly at risk of cyberattacks. That is why our research editorial team Newsweek Vantage, in collaboration with Siemens, Nozomi Networks and Yubico, led a worldwide study of the state of critical infrastructure security.
Internal threat
An analysis of the survey results of more than 415 executives from 16 different industries around the world, together with interviews with experts, shows that companies do focus on better security but often find it difficult to balance security and operational performance. Strikingly, the biggest cybersecurity threat comes from their own employees. While nearly half (47 percent) of executives say cybercriminals are the greatest risk, the majority view former and current employees as an even greater threat.
“Most organizations focus on the technical aspects of building a digital perimeter around a facility,” said Steven Mustard, an expert at the International Society of Automation, “but what I’m most concerned about is the disgruntled employee or someone who can come in, because even if the system is completely isolated, an insider can enter the network. Cybersecurity technology is important, but actually the people, process and awareness are the things organizations need to work on.”
Despite the finding that terrorists and states are significantly less threatening than criminals or workers, some attacks on critical infrastructure have led to a disproportionate sense of threat in the public consciousness. Take, for example, the cyber attack on the Ukrainian power grid in 2015, where hackers compromised three energy distribution companies and severely disrupted the electricity supply. That attack was later attributed to the Russian security services, and therefore continued to reverberate with many companies and government agencies.
“Government actors tend not to carry out extensive attacks, but have more specific objectives in place to steal from a specific target or destroy parts of it,” said Daniel Henriksen, Head of Legal & Security Management at technology platform Intility. “Criminals will focus on getting money.” The easiest way for a company to avoid becoming the target of criminals, Henriksen says, is to have a better cybersecurity level than their neighbors. “If a hacker knocks on the door and sees that everything is properly secured, they will go to the next.”
The pros and cons of IT integration
Another important finding is that the degree of integration between digital and physical systems varies widely across critical infrastructure. Typically, electronic systems are integrated into consumables or devices with the aim of providing them with some form of intelligent behavior and increasing productivity. Only one in 10 of the managers surveyed say they do not have integrated systems. However, the great majority (68 percent) choose the middle ground and isolate only a few physical systems from IT.
The 88 percent of respondents whose organizations have integrated some or all of their systems say they have identified significant benefits as a result. Higher responsiveness leading to better performance is the most common. Other improvements include tighter operational control, greater automation, and a better customer experience.
“Organizations know that the risk of cybersecurity increases with integration and that it only happens if it leads to productivity improvements,” said Hannes Barth, General Manager of Siemens Ruggedcom. “Our customers only accept these risks because there are great benefits to integration if they allow them to use, for example, artificial intelligence and predictive maintenance technologies.”
However, the vulnerability of integrated systems has also become painfully clear in the health sector. For example, Eric Cosman, president of the International Society of Automation, heard several reports of primary care systems sharing a network with the lighting system and elevators in a hospital, theoretically allowing an intruder to hack the elevator and then find their way to the intensive care unit. “Isolated systems are no longer an option,” says Cosman, “but if you connect two things together, you need to make sure you understand the potential consequences.”
Need for a change in mentality
Nearly all executives surveyed say their organization has experienced at least one security incident in the past 12 months, and half have experienced two or more. The numbers clearly demonstrate the need for better, higher-quality security strategies.
But in the context of risk management, a crisis is often needed to change the mentality within a company. This is no different in the field of cybersecurity. About 36 percent of executives surveyed readily admitted that only an actual cyber attack on their systems prompted them to take better security measures.
“Without a crisis, it’s hard to change a corporate culture,” said Steven Mustard, who cites the example of a security breach at Maroochy Water Services in Queensland, Australia in 2000. A hacker who was angry because he hadn’t been hired by the local government used a laptop and a radio transmitter to take control of 150 pumping stations for three months, bringing wastewater into a rainwater well. The perpetrator was eventually caught and the responsible government agency took a series of measures to improve cybersecurity. According to Mustard, such incidents demonstrate the need for preventive, rather than reactive, cybersecurity measures.
For many organizations, good leadership is a crucial factor in this. “A good culture from a cybersecurity point of view starts at the top when senior management is actually involved,” says Daniel Henriksen. “Most organizations don’t do that until they are hit by a cyber attack.”