Why Smart Security and Resiliency Matter for Critical Infrastructure
Achieving critical infrastructure resiliency requires a holistic approach that embraces collaboration, strict standards, and a roadmap for modernizing aging systems.
The fragility of our infrastructure has been on full display. Recently, a cyber incident at the Port of Seattle and Seattle-Tacoma International Airport highlighted the ongoing vulnerabilities we face and how critical infrastructure disruptions or outages can impact crucial avenues for travel, logistics and even power.
This incident is just one example of the growing nature of cyber threats to our digital infrastructure. A recent KnowBe4 report found critical infrastructure faced a 30% increase in cyberattacks in just one year, showing how the outdated frameworks that support vital sectors can affect the essential sectors we rely on, such as energy, water, transportation, healthcare and finance. Moreover, according to a recent report, 44% of critical IT infrastructure is approaching end-of-life -- meaning almost half of the world’s most critical infrastructure is more vulnerable to cyberattacks and at higher risk for prolonged outages.
We face this reality because technology vendors routinely retire legacy systems as new ones are developed, and they eventually stop providing necessary updates and security patches for those aging offerings. This ongoing erosion of support leaves those systems vulnerable to every manner of attack. For example, Microsoft ended support for Windows Server 2008 in 2020. At that time, they estimated that 60% of their user base was still using the unsupported software. And since then, Microsoft has reported hundreds of new vulnerabilities every year.
Many public- and private-sector organizations continue to rely on legacy technologies, having made the difficult decision to leave outdated systems in place as other initiatives compete for capital. But running essential services on legacy systems constitutes a major risk, as these systems lack the modern encryption standards needed to defend against increasingly complex cyberattacks. These problems will only get worse when quantum computing makes code-cracking almost trivially easy.
Compounding these risks is the challenge of finding staff with the expertise and skills to manage legacy systems. The only thing harder than hiring someone who knows a dying programming language or system is convincing an employee to invest the time to learn it.
When organizations do step up to the challenge of replacing outdated systems, they tend to focus on the IT assets -- the systems and technologies responsible for data storage, processing and transmission. But operational technology (OT) typically does not receive the same level of attention or investment. These are the systems and devices that oversee and regulate physical operations such as manufacturing, refining and distribution processes. As a result of being commonly overlooked, these critical OT systems typically are antiquated, non-standardized, complex, and unsecured. The fact that these legacy OT systems have become increasingly interconnected with IT networks and connected to the Internet significantly raises the exposure of all systems to cyber threats. An attack on any one of these OT systems could jeopardize product safety, inflict physical harm, or massively disrupt supply chains.
The problem of vulnerable legacy systems does not stop at the software level. In many ways, the underlying hardware on which these systems run presents even greater risk. Hardware flaws expose all of an organization’s electronics to attack, since they affect systems at a base level and vastly increase the number of available targets. And while organizations can address software flaws with a patch or update, hardware vulnerabilities are harder to find and cannot be overwritten as simply. Given the potential of these types of attacks to wreak havoc, we expect them to increase over time.
In addition, the growing power and presence of AI is a double-edged sword. On one hand, AI will empower bad actors to create even more sophisticated attack strategies. But AI also can significantly help businesses and governments protect their vital systems. Enterprise AI can deliver a variety of capabilities, from automating processes to providing sophisticated data analytics and actionable insights. For instance, AI systems can scan IT and OT systems for weaknesses to pinpoint vulnerabilities and recommend remedial actions. They also can conduct cyber risk assessments by sifting through historical and contemporary data on cyber incidents to forecast the likelihood and outcomes of future events.
But even the vast power of AI will not address the fundamental issue of our widespread dependence on outdated, unsecured IT and OT systems. Achieving a more secure posture will require a more determined and holistic approach. This must include a concerted effort by governments and businesses to establish security standards for digital infrastructure and the reporting of cyber incidents; a systematic review of the legacy systems that underpin crucial functions; a strict policy of managing the lifecycle of hardware assets; and a longer-term roadmap for modernizing aging systems.
Organizations also must embrace a new mindset as they go about the task of better securing critical digital assets. The current tendency is to focus on securing, defending and protecting systems against threats. But given the rapidly increasing sophistication and number of attacks, along with the widening attack surface of digital infrastructure, a security-only mindset is insufficient. We must intensify our focus on assuring organizational resilience -- the capacity to recover from the inevitable disruptions. As we embark on the essential work of updating our physical and digital systems, we also must build our ability to get back on our feet and keep moving forward.