The Perfect Storm: Critical Infrastructure Attacked More Often, But Lacks Layered Defenses
Any former grade-schooler has heard the phrase, “Pick on someone your own size.” Bullies have never played nice, and they frequently aim at smaller and more defenseless targets. Perhaps no sector in cybersecurity is bullied more than small critical infrastructure organizations.
60% of Sector-Specific Attacks Target Critical Infrastructure
BlackBerry recently published a report highlighting the four most vulnerable critical infrastructure (CI) sectors. Of all the industry-specific threats encountered in the research, 60% targeted critical infrastructure sectors, with Finance, Healthcare, Government, and Utilities singled out.
“The increasing digitization of these sectors means their assets are more vulnerable to cybercriminals,” explained the report. “Threat actors actively exploit critical systems via vulnerabilities such as system misconfigurations and social engineering campaigns against employees.”
The Most Vulnerable Within These Vulnerable Sectors
The majority of our customers are considered “critical infrastructure”, and each of these sectors is composed of big guys and little guys. As you might expect, the larger organizations have more resources dedicated to cybersecurity; they have sophisticated layers of security and might even have their own SOC. On the other hand, smaller organizations struggle to fund the resources required for anything beyond the bare minimum (i.e., a firewall and an endpoint agent).
This creates a perfect storm where a juicy target (critical infrastructure) is most likely the weakest link and the least prepared to handle an attack.
Smaller Critical Infrastructure Orgs Are Attack Magnets
For every Colonial Pipeline, there are myriad other attacks on the water, power, and data supplies of smaller, lesser-known companies. In fact, back in 2021, 46% of all data breaches impacted organizations with fewer than 1,000 employees, and that number is only rising.
Let’s dig into utilities. A small water treatment facility in Oldsmar, Florida, was poisoned back in 2021 when attackers remotely infiltrated their systems and “took control of the mouse,” as Sheriff Bob Gualtieri stated, using their pilfered capabilities to increase chemicals in the water supply to dangerous levels. Thankfully, the mistake was corrected before the water had time to hit the public water supply system. As the EPA calls out, “Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation-states have impacted water systems of all sizes, including many small systems.”
An article in The Lancet, a peer-reviewed journal, notes similar difficulties in healthcare. It states that “there is a dearth of systematically analyzed data to measure the specific risks and vulnerabilities at a local level, making it much harder to quantify the direct harm on patients and lost data. The health sector lags far behind most essential infrastructure sectors…[on] plans to protect, respond, and recover from cyberattacks.”
And in 2023, cyberattacks on state and local governments increased significantly, according to research by the Center for Internet Security (CIS). Malware attacks rose by 148%, ransomware increased by 51%, and endpoint security services incidents – like data breaches, unauthorized access, and insider threats – increased by an unbelievable 313%.
These sectors are under attack, and the smaller organizations within them face chronically higher risk due to a lack of resources. Consequently, this is where threat actors are tempted to strike first. As the Social Policy Institute of Washington University in St. Louis states, “SMBs are known to be not less likely than large enterprises to be attacked by hackers. But with their fewer resources and a general lack of cybersecurity knowledge, they can be more vulnerable.”
The Good News: Small Organizations Do Have Options
Our literal mission is to support these smaller organizations that are most at risk, so we feel we have something to say about how these organizations should protect themselves. So, what are they to do when they can’t afford a comprehensive SIEM or XDR tool?
We suggest getting back to the basics of a defense-in-depth approach, and hunting down affordable solutions that provide effective layers of security. Let’s assume you have a firewall, and at least something akin to EDR running on each of the endpoints. Where do you go from there?
A New Layer of Defense
In our experience, a smaller organization’s edge solution could be anything from an outdated legacy system to a state-of-the-art “next-gen” firewall – depending on budgets and priorities, of course. In any case, they can all benefit from a unique layer of defense that augments the firewall and effectively hides the public attack surface.
Our Outpost solution sits beyond the firewall and can reduce firewall load by 70%. In addition to traditional deep packet inspection, we tap into our global CINS threat intelligence network and a host of other community threat feeds to make your system “go dark” (Network Cloaking) and all-but-invisible at the first sign of trouble. By simply lowering the ratio of outside attacks you’ll have to deal with (again, by up to 70%), the Outpost puts SMBs way ahead of the game when it comes to eliminating useless alerts and cutting out the noise.
Adding a Layer for East/West Visibility
As we mentioned before, most smaller organizations’ “layered security” approach consists of a firewall and an endpoint solution, and if they’ve looked into a managed visibility solution to add a layer of defense – XDR or a SIEM, for example – they have more than likely been priced out. Again, the good news is there are options.
For example, Network Detection and Response (NDR) tools can provide a viable alternative to pricey managed MDR, XDR, or SIEM solutions, if you know what to look for. Traditionally, NDR solutions utilize ML/AI algorithms built on top of network flows to alert you when an anomaly is detected. Some XDR solutions lean on this type of technology, too, but in most cases, they discard the network flow data.
We actually think this flow data archive is incredibly valuable, and when it’s coupled with anomaly detection, this complete visibility into network traffic can provide a viable and affordable alternative to XDR or a SIEM. (Our Insight solution provides this type of functionality, along with a managed support team.)
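To make the argument above concrete, here is an added illustration of flow-based anomaly detection over a retained flow archive. It is example code written for this article, not Nomic's Insight product code or any vendor's algorithm. The script reduces NetFlow-style records to (hour, source, destination, port, bytes), keeps only east/west flows between internal hosts, builds a per-host baseline of how many internal peers each host normally talks to per hour, flags a host whose fan-out in the latest hour exceeds that baseline, and then pulls the retained flows behind the alert so an analyst can see what actually happened. The office addresses, the 10.0.0.0/8 network, the sample flows and the threshold parameters (`k`, `min_peers`) are all constructed assumptions; real NetFlow/IPFIX export would need to be parsed into the same tuple shape first.

```python
"""Flow-archive anomaly detection: added example, not Nomic's Insight code.

Assumes flow records reduced to (hour, src_ip, dst_ip, dst_port, bytes).
All flows below are constructed for illustration, not captured traffic.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space of a small office (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_flows():
    """Constructed seven-hour flow archive for two workstations."""
    flows = []
    for hour in range(6):  # hours 0-5: normal activity
        flows.append((hour, "10.0.1.20", "10.0.1.5", 445, 120_000))    # file server
        flows.append((hour, "10.0.1.20", "10.0.1.2", 88, 4_000))       # domain controller
        flows.append((hour, "10.0.1.20", "203.0.113.10", 443, 90_000))  # north/south, ignored
        flows.append((hour, "10.0.1.21", "10.0.1.5", 445, 80_000))
        flows.append((hour, "10.0.1.21", "10.0.1.2", 389, 2_000))
        if hour % 2 == 0:
            flows.append((hour, "10.0.1.21", "10.0.1.9", 9100, 30_000))  # printer
    # Hour 6: 10.0.1.20 suddenly touches eight extra internal hosts on 445,
    # the kind of fan-out a defender wants surfaced rather than discarded.
    flows.append((6, "10.0.1.20", "10.0.1.5", 445, 120_000))
    flows.append((6, "10.0.1.20", "10.0.1.2", 88, 4_000))
    for last in range(30, 38):
        flows.append((6, "10.0.1.20", f"10.0.1.{last}", 445, 1_500))
    flows.append((6, "10.0.1.21", "10.0.1.5", 445, 80_000))
    flows.append((6, "10.0.1.21", "10.0.1.2", 389, 2_000))
    flows.append((6, "10.0.1.21", "10.0.1.9", 9100, 30_000))
    return flows


def peers_per_hour(flows):
    """Distinct internal destinations per (src, hour); east/west flows only."""
    peers = defaultdict(set)
    for hour, src, dst, _port, _nbytes in flows:
        if is_internal(src) and is_internal(dst):
            peers[(src, hour)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()}


def baseline(flows, train_hours):
    """Per-host (mean, population stdev) of peer count over the training hours."""
    counts = peers_per_hour(flows)
    per_host = defaultdict(list)
    for (src, hour), n in counts.items():
        if hour in train_hours:
            per_host[src].append(n)
    # A host silent in some training hours contributes 0 for those hours.
    for values in per_host.values():
        values.extend([0] * (len(train_hours) - len(values)))
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}


def detect_fanout(flows, train_hours, test_hour, k=3.0, min_peers=5):
    """Flag hosts whose peer count in test_hour exceeds mean + k*stdev.

    min_peers is an assumed floor so a zero-variance baseline (a host that
    always talks to exactly two servers) does not alert on a single new peer.
    """
    stats = baseline(flows, train_hours)
    alerts = []
    for (src, hour), n in peers_per_hour(flows).items():
        if hour != test_hour:
            continue
        mu, sigma = stats.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, min_peers)
        if n > threshold:
            alerts.append((src, n, threshold))
    return sorted(alerts)


def pivot(flows, src, hour):
    """Return the retained flows behind an alert; this is the archive's value."""
    return [f for f in flows if f[1] == src and f[0] == hour]


if __name__ == "__main__":
    archive = build_flows()
    for src, n, threshold in detect_fanout(archive, range(6), test_hour=6):
        print(f"ALERT {src}: {n} internal peers in hour 6 (threshold {threshold})")
        for record in pivot(archive, src, 6):
            print("   ", record)
```

The baseline here is deliberately simple (mean plus a multiple of the standard deviation with a floor) so the logic is visible; the point the passage makes is the second half of the script: because the flows were kept, `pivot()` can hand the analyst every record behind the alert instead of a bare anomaly score.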
It’s not that enterprise tools don’t have their place. It’s just that they are simply unattainable for the vast majority of at-risk SMBs in these targeted critical infrastructure categories. We hope to spread the word about effective solutions that can add layers of defense for our critical infrastructure within the budget constraints these organizations must face.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.