Critical infrastructure cyberattacks: what are the implications of their increasing prevalence?

Over the past couple of years, there has been a growing number of cyberattacks on critical infrastructure around the world. JP Perez-Etchegoyen, CTO of Onapsis, delves into incidents from around the world and offers advice on combating disruption.

Most recently, Estonia was subjected to its most extensive cyberattack since 2007, apparently in retaliation for the country removing Soviet-era monuments from public places. Earlier this year, Costa Rica had to declare a state of emergency after a Russian-speaking ransomware gang threatened to overthrow the government in the wake of two cyberattacks. In July 2021, South Africa’s ports were almost totally shut down after a ransomware attack.

While these attacks are of varying severity – Estonia experienced minimal disruptions to critical websites while Costa Rican health officials were unable to access critical healthcare records and tax systems were frozen for weeks – they show that cybercrime is no longer just about obtaining data. Instead, cybercrime is being used against real-world infrastructure and with very real consequences.


The UK is not immune to this increase in attacks on critical infrastructure either. In fact, more than 70% of cybersecurity decision makers at sites of Critical National Infrastructure (CNI) have reported an increase in cyberattacks since the start of the Russia-Ukraine war.

Within this environment, it’s critical that organisations take the required preventative steps and that they have the right plans in place in case of an attack.

Enforce cybersecurity regulations

Costa Rica’s cyberattack took place shortly after the inauguration of its new president, Rodrigo Chaves. Subsequent investigations revealed that it happened because the previous administration had underplayed the situation, playing it off as a simple technical issue. That it was able to do so exposed glaring shortcomings in the enforcement of Costa Rica’s cybersecurity incident reporting regulations.

Governments must not only ensure that they have strict regulations in place when it comes to incident reporting but that they enforce those regulations on everyone equally. They must also transparently demonstrate that they adhere to those regulations themselves.

In the UK, organisations are bound by GDPR, with affected parties required to contact the Information Commissioner's Office (ICO) in the event of any incident that has a substantial impact on the provision of their services. They are required to do so within 72 hours of becoming aware of the incident and are also advised to contact the National Cyber Security Centre at the same time.

It’s heartening that the ICO is unafraid to tackle the government’s own cybersecurity practices too. In July, it urged ministers to review the use of WhatsApp and other private channels for official communication after chastising the Department of Health and Social Care for doing so.

Ensure you have the right cybersecurity defences in place

Of course, policy and its enforcement can only take you so far. Organisations also need to ensure that they have the right defensive tools in place. That starts with being able to identify and address known vulnerabilities. Cybercriminals are always looking for new avenues of attack, but failing to address known issues is just leaving the door open for them.

Organisations should, therefore, implement patches immediately after they’re released. After all, as many as 87% of enterprises have experienced an attempted exploit of an existing or known vulnerability. That makes tools such as vulnerability management systems critical. These solutions can help organisations identify missing patches, hidden assets, misconfigurations, and authorisation issues within their IT ecosystem. These are the things threat actors are always on the lookout for, so closing down any such openings will only make their life more difficult.
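As an added illustration of the four checks named above (not code from the article or from Onapsis), the following reconciles a constructed asset inventory against hosts observed on the network and flags missing patches, hidden assets, misconfigurations and unapproved administrators. The baseline versions, unsafe settings and approved-admin list are assumptions for the example.

```python
# Added example, not from the article: a minimal vulnerability-management style audit
# over a constructed inventory. Every value below is made up for illustration.
from dataclasses import dataclass, field

@dataclass
class Asset:
    host: str
    app: str
    version: str
    admins: set = field(default_factory=set)   # accounts holding admin rights
    config: dict = field(default_factory=dict) # selected configuration values

# Assumed baseline: minimum patched version per application, settings considered unsafe,
# and the accounts approved to hold admin rights. Real data would come from advisories/HR.
BASELINE = {"erp": "7.5.3", "db": "14.2"}
UNSAFE_CONFIG = {"remote_admin": True, "tls_required": False}
APPROVED_ADMINS = {"alice", "bob"}

def version_tuple(v):
    """Turn '7.5.1' into (7, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def audit(inventory, observed_hosts):
    """Return (host, category, detail) findings for the four gap types."""
    findings = []
    known = {a.host for a in inventory}
    for h in sorted(observed_hosts - known):   # on the network but nobody owns it
        findings.append((h, "hidden_asset", "seen on network but not in inventory"))
    for a in inventory:
        if a.app in BASELINE and version_tuple(a.version) < version_tuple(BASELINE[a.app]):
            findings.append((a.host, "missing_patch", f"{a.app} {a.version} < {BASELINE[a.app]}"))
        for key, bad in UNSAFE_CONFIG.items():
            if a.config.get(key) == bad:
                findings.append((a.host, "misconfiguration", f"{key}={bad}"))
        for user in sorted(a.admins - APPROVED_ADMINS):
            findings.append((a.host, "authorisation", f"unapproved admin {user}"))
    return findings

# Constructed sample data: one patched, well-configured host and one with every gap type.
INVENTORY = [
    Asset("erp01", "erp", "7.5.1", {"alice", "mallory"}, {"remote_admin": True}),
    Asset("db01", "db", "14.2", {"bob"}, {"tls_required": True}),
]
OBSERVED = {"erp01", "db01", "test-box"}

if __name__ == "__main__":
    for finding in audit(INVENTORY, OBSERVED):
        print(*finding)
```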

Have a response plan in place 

Even with the most comprehensive defences in place, however, cybercriminals only have to succeed once in breaching an organisation’s defences. It’s critical, therefore, that government and private organisations alike have detailed response plans in place.

These response plans should focus on responses that specifically deal with attacks against business-critical applications. This starts with ensuring that organisations have a full overview of the IT landscape and a complete record of all applications, users, and data that exist within it, so that all of them are well protected. They should also play out “what if” scenarios that prepare IT teams for any kind of attack. This will mean that the organisation is in a position to quickly recover from an attack and resume business as usual.

Attacks like the one on Costa Rica can serve as a reminder to all defenders that preparedness for a worst-case scenario and anticipating ransomware is vital to any security program. It’s therefore imperative that the organisations in charge of critical infrastructure in countries around the globe learn from these events and put every effort into improving their cybersecurity efforts. That should be true regardless of how sophisticated or well-enforced their government’s cybersecurity policies are.