The critical infrastructure market is shaping up to be the next big frontier for cyber security, with new analysis suggesting that close to a third of critical infrastructure organisations will experience an operations-halting security breach by 2025.
According to analyst firm Gartner, the security of critical infrastructure, which includes segments of the market such as communications, transport, energy, water, healthcare and public facilities, has become a primary concern for governments around the world.
In some countries, critical infrastructure is state-owned, while in others, like the US, private industry owns and operates a much larger portion of it, Gartner noted, suggesting that the risks of such infrastructure have been overlooked for years.
But things are changing, and fast.
“Governments in many countries are now realising their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, research director at Gartner. “They are now making moves to mandate more security controls for the systems that underpin these assets.”
A Gartner survey capturing hundreds of respondents from industries in Asia Pacific, North America and Western Europe showed that 38 per cent of those surveyed expected to increase spending on operational technology (OT) security by between 5 per cent and 10 per cent in 2021, with another 8 per cent of respondents predicting an increase of above 10 per cent.
This is likely to come as good news to cyber security players that service the respective critical infrastructure markets across the region.
However, this may not be enough to counter underinvestment in this area over many years, according to Gartner.
Indeed, regardless of the investment increases expected, the firm reckons that by 2025, 30 per cent of critical infrastructure organisations will experience a security breach that will result in the halting of an operations- or mission-critical cyber-physical system.
“Besides the need to catch up, there is a growing number of increasingly sophisticated threats,” Contu said. “Owners and operators of critical infrastructure are also struggling to prepare for the coming increased oversight.”
A big part of the ongoing security issues faced by critical infrastructure operators stems from the technologies underpinning such infrastructure becoming more digitised and connected over time, creating cyber-physical systems security risks.
The result has been a substantial increase in the attack surface for hackers and bad actors of all kinds, the analyst firm noted.
As such, Gartner recommended that security and risk management (SRM) leaders in critical infrastructure sectors develop a holistic approach to security, so that IT, OT and Internet of Things (IoT) security are managed in a coordinated effort.
“SRM leaders should accelerate efforts to discover, map and assess the security posture of all cyber-physical systems in their environment,” said Contu. “Invest in threat intelligence and join industry groups to stay apprised of security best practices, upcoming mandates and requests for inputs from government entities.”
Gartner's latest analysis sees the firm doubling down on its prediction earlier this year that by 2025 cyber attackers will have weaponised OT environments to successfully harm or kill humans.
On the face of it, Gartner’s prediction seems somewhat unnecessarily alarmist, but there have been plenty of examples over the past few years that have demonstrated the control cyber criminals can wield over internet-connected industrial equipment, in particular critical infrastructure.
In May, a pipeline system carrying almost half the fuel used on the east coast of the United States was crippled by a major cyber attack.
The five-day shutdown of the Colonial Pipeline resulted in widespread fuel shortages and panic-buying as Virginia, North Carolina and Florida declared a state of emergency.
As noted by sister publication CSO US, a lack of visibility into the security status of its operational technology systems is likely what caused Colonial to shut down its operations.
Not shying away from Gartner’s seemingly dramatic claim, Rob McMillan, managing vice president at the analyst firm, suggests that the OT landscape is something akin to what might be found in the fictional wasteland of the Mad Max film franchise.
“This realm, which can have (and has had) real life or death implications, is the very definition of the Badlands,” said McMillan. “There’s no standardisation or tradition of consistent security controls in OT environments, melded with an archaic design discipline and naïve views of connected technology.”