The potential of a digitally interconnected world is immense. Internet-based technologies are becoming an integral part of all critical infrastructure, from water and waste management systems to the electric grid and air traffic control. Traditionally, these systems have operated in isolation, mainly using legacy proprietary software. The benefits of using internet technology in critical infrastructure, however, come with a host of vulnerabilities and risks.
This blog seeks to provide insight, within an African context, into the cyber threats targeted at critical infrastructure, the magnitude of the risks, the consequences of security breaches, and why the adoption of International Society of Automation/International Electrotechnical Commission (ISA/IEC) standards could complement Africa’s initiatives to ensure the resilience of critical information systems.
What is Critical Infrastructure?
The United States Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as assets, systems, and networks, physical or virtual, that are deemed so vital to nation states that their compromise would have an enervating effect on security, public health, or safety.
Examples of critical infrastructure include:
- Electricity generation and distribution systems
- Water and waste management systems
- Defense industries and transport
- Traffic control systems
Adversaries with ever-increasing sophistication, determination, and zeal see a lot of potential for exploiting the vulnerabilities associated with the use of internet-based technology in critical infrastructure control systems. Combating these threats and ensuring the resilience of internet-enabled systems will require a systematic approach and use of robust cybersecurity standards. The ISA/IEC standards can assist in achieving a coherent and common baseline-level approach to cybersecurity in Africa.
Adversaries with the resources and motivation to inflict damage persistently target nation states’ critical infrastructure with a multitude of threats.
According to the International Society of Automation (ISA), the impacts of these threats include:
- Compromised national security
- Health, safety, and environmental damage, including the loss of life
- Unavailability of critical services
- Negative publicity
- Loss of public trust
- Theft of data
A recent Government Technology article highlighted a trend of these attacks becoming increasingly oriented towards the destruction of assets rather than towards criminal activities to make money. Several recent cyberattacks illustrate the gravity of the threats and the magnitude of the impact such compromises can have. The following are some of the attacks that made headlines globally.
Ransomware Attack at Norsk Hydro
On March 19, 2019, Hydro was hit by an extensive cyberattack. While the attack affected all business operations, the extent differed across various operations. The cost of the attack was estimated at around $46 to $52 million.
Stuxnet
Stuxnet is malware first discovered in January 2010 at the Iranian Natanz nuclear facility. It is believed to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is thought to be responsible for damaging centrifuges used in uranium enrichment. Stuxnet has been dubbed the world’s first digital weapon.
Shamoon
Shamoon is a virus first discovered in 2012, famous for its destructive nature and the cost involved in restoring systems. It can spread from an infected machine to others on the network and has the capability to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. It can also overwrite the boot records of the infected machine, thus making it unusable. This virus was used by adversaries to wipe data from 30,000 computer workstations at Saudi Aramco, and a different version of Shamoon was believed to have been used against Qatar’s RasGas.
Key Benefits of Adopting ISA/IEC Standards
Given the significance of these threats, it is imperative that African countries strengthen their ability to prevent, detect, and respond to incidents. Such capabilities can only be developed through a consistent, credible, and coherent set of standards, implemented holistically. Although some governments across the continent have started developing legislative frameworks related to cybercrime and cyber threats, most African countries do not have their own national cybersecurity standards to guide their efforts in securing nationally significant information on networks and systems.
The ISA/IEC standards provide a framework that is flexible and can be used in a wide range of industrial control system (ICS) environments. The standards can be applied regardless of the technology implementation and offer flexibility by helping address current and future information security vulnerabilities.
The development of standards is often a long process, in some cases spanning more than two years. The process requires significant investment in terms of financial commitment, time, and expertise. In most African countries, governments and regulators do not have sufficient financial or other resources to develop comprehensive information security standards. Therefore, the adoption of ISA/IEC standards can help governments and private sector institutions provide security baselines and reference frameworks at a much-reduced cost.
Africa has undergone significant brain drain as skilled professionals, including information security personnel, have migrated in search of better working conditions overseas. A 2016 research study by the Department of Electrical and Computer Engineering at Carnegie Mellon University (Kigali) highlighted that only around 7,000 qualified information security professionals are available for a population of 1.3 billion in Africa. Countries in Africa can leverage ISA standards to bridge the skills gap, as the guidelines are developed on the consensus and expertise of practitioners from all over the world.
ISA standards strive to provide a common taxonomy and language for product suppliers. The continent has witnessed a proliferation of various ICS devices from vendors in China, Europe, and the US. Considering the global reach of supply chains and differences in technology providers’ standards, African countries stand to benefit by embracing the likes of ISA 62443-4-1 (Secure Product Development Life Cycle), as many countries have not yet set stringent guidelines on the specifications of devices that are used in their critical infrastructure.
Conclusion
The risk of cyberattacks on critical infrastructure is increasing exponentially with advances in operational technology (OT). The intensity of the threats and the consequences of security breaches have far-reaching ramifications. The adoption of ISA/IEC standards can help institutions in Africa build resiliency within their critical information systems.