Impeccable infrastructure cybersecurity is essential for national security, public welfare, and the functioning of modern society in an interconnected world. In 2018 I was invited to brief the European Parliament on the risks of cyber terrorism on infrastructure.
Considering the unfathomable amount of barn-door-sized attack vectors EVERY SINGLE! the nation “maintains”, I wanted to answer a few questions similar to those I received after the microphones had been silenced at said event.
At the end of this article, I will outline a solution approach to protecting a nation’s infrastructure from cyber attacks through a multi-phase approach, starting with the development of an individualized national threat landscape.
So, what are the cyberwarfare/cyberterrorism risks on a nation’s infrastructure?
When I say cyberwarfare most of you will immediately think of the complex attack on the Iranian uranium enrichment plant in Natanz in 2010. And while this ticks almost all boxes of an act of cyberwarfare, the attack was insanely complex.
The payload delivery in and of itself was a matter of luck, not to mention the complexity of programming such a specific weapon in the first place, and then having it lay dormant until that one specific target with a very specifically configured setup was finally “infected”.
The cyber weapons, which should truly worry you are much less complex to deliver, yet significantly more impactful, and destructive.
In a 2014 paper, I outlined this simplicity by gaming a scenario where ISIS would invade Israel (request the paper with a corporate email address).
Militarily the Islamic State wouldn’t stand a chance against the IDF, yet what if they could cause disruption, and chaos in the population by deploying cyber weapons? When communication infrastructure is disrupted, it’s not long until public/civil unrest erupts. This chaos would then – amongst many other things – hinder military personnel from manning their posts, which could then be taken advantage of by an adversary.
A risk, that may appear abstract, yet is far from fantasy. Let me tell you why…
In May 2010 the German domain authority Denic produced an incident where their DNS servers weren’t replicated, which rendered a high quantity of German top-level-domains inaccessible for a few hours.
Among those unavailable domains/websites were those of banks, and major news outlets.
Adding to the situation was that this happened on a Wednesday when a large majority of German banks are closed.
It’s not too difficult to imagine what happens when the population has no access to news outlets, and their online banking applications are down, right?
A bank I worked with shortly thereafter informed me about unusually high cash withdrawals from their ATM machines on a given day, yet couldn’t align both incidents.
The withdrawals were a result of the internet outage, and the population feared something was wrong, yet couldn’t inform themselves “what”, and as a result started withdrawing funds from their bank accounts… naturally, and just in case.
The result of this mishap, which only lasted a few hours, can be purposely brought about with relative ease, as I outline in the above paper, and lead to a “full zombie apocalypse” in a matter of hours in any nation.
So, you see… it doesn’t have to be as elaborate an attack as the one in Natanz to force your nation to its knees… and this is just one of countless examples!
If it’s all so bad, how come nothing bad has happened?
Well, I wouldn’t call the insanely elaborate $1 billion dollar heist of the Bangladesh Bank, or the near-death-experience of Maersk, and the crippling of the global shipping/supply-chain “nothing bad”.
The above events are pars pro toto, and the comparatively small fallout is not the work of genius cyber-professionals, but nothing more than dumb luck.
We dodged a bullet. That’s all.
In 2019 I gave a keynote at the DSSITSEC conference in Riga, Latvia called “Glücksmomente” (German for “lucky breaks”), in which I outlined how shit-out-of-luck we would’ve been, had those attacks materialized full-force.
It’s just a matter of time until something dire happens as a result of a cyberattack; be it directed/intentional like the one on Bangladesh Bank, or collateral damage like the incident involving Maersk.
Approaching A Cyber-Risk-Free Nation
Military, and crisis reaction forces first
A standing military is the backbone of every nation. Yet it also serves the population in cases where disaster relief is required.
It is therefore impertinent that not only police, emergency medical, and fire services remain “online” at any cost, and receive the highest priority, but also the military must be empowered to remain ready under any! circumstances.
Infrastructure segmentation and prioritization
Critical infrastructure like power, transportation, finance, and communications face exorbitantly growing risks from sophisticated cyberattacks, which can cause major outages and damage.
However, not every industry is to be equally prioritized in every nation. For instance, if a particular nation has a cash-heavy society, the finance sector can easily be set lower on a prioritization scale as one in which the population almost exclusively uses cashless payments.
Therefore, a thorough segmentation is necessary to then create a situation from which a qualified, and individualized prioritization can ensue.
A comprehensive national approach is needed combining standards, education, threat sharing, and a cyber-readiness culture. These standards need to be sought across the globe for best practices, and their integration into a nation’s critical infrastructure is heavily reliant on the aforementioned prioritization model.
Minimum cybersecurity standards should be legally required for all infrastructure operators in areas like access controls, encryption, and redundancy particularly considering that even today we see elements of critical infrastructure being controlled remotely by means of unencrypted text-message/SMS systems.
Infrastructure owners from sectors like power, finance, transport, and most importantly communications must go beyond compliance through active threat monitoring, timely patching, and organization-wide risk awareness, for instance through the ACRAC model I created. A majority of the existing/available standards focus on a reactive approach and therefore offer no protection from impending attacks.
AI-driven early warning systems can enhance threat visibility across networks. The government can provide guidance, expert response teams, and attack authorities only if the Government is knowledgeable enough to get involved, which unfortunately is often not the case, and makes regular threat briefings of Government bodies insanely important. AI is here to stay, so why not take advantage of it to protect your nation from cyber-attacks?
Planning for interdependencies and cascading failures across sectors is crucial. In a lot of these scenarios international cooperation is beneficial to deter state-sponsored attacks, yet also required to make cyber crisis responses swift, and efficient.
Keep in mind that no single solution is sufficient, and combining regulation from the Government side, vigilance throughout the intertwined commercial sectors, advanced technology from the military and private sector, as well as public-private collaboration builds resilience.
Infrastructure cybersecurity is essential for national security, public welfare, and the functioning of modern society in an interconnected world. And the interconnectedness has just begun!
I’m happy to help you create the foundation for an impeccable infrastructure cybersecurity by creating a dynamic threat landscape and help you even beyond that.
Email me now. Let’s talk.
Lars Hilse
(lars.hilse@gmail.com > PGP Key ID: 17FFC660)
Author: Lars G. A. Hilse (*1979) is a political/corporate advisor, and expert/witness in information security with a focus on the risks of cyber terrorism, and cyber warfare, and their impact on the security of critical, national/global infrastructure. He maintains close cooperations with law enforcement, and the intelligence community, and actively contributes to the most difficult, and notable cybercrime investigations. He acts as a cyber-crisis-manager, and through his vast network is able to deploy highly specialized cyber-incident-response teams globally within hours.
Lars Hilse
Lars G. A. Hilse is an independent political/corporate advisor, and expert/witness in information security with a focus on the risks of cyber terrorism, and cyber warfare, and their impact on the security of critical, national/global infrastructurewith degrees in electrical engineering, and finance.
He maintains close cooperations withmilitary, law enforcement, and the intelligence community, and actively contributes to some of the most difficult, and notable cybercrime investigations.
He acts as a cyber-crisis-manager, and through his vast network is able to deploy highly specialised cyber-incident-response teams globally at breathtaking speeds.
In his capacity as an information security consultant he performs state-of-the-art risk assessments & mitigation directives, crisis response protocols, and establishes cyber security maturity models.
Among his other talents are intelligence gathering, accessing fortified infrastructure/networks, forensics, all with a focus on social engineering and other unorthodox access methods.
Since his first exposure to the internet at age 13, Hilse has constantly broadened his skillset in cybersecurity, focussing on cyber crime, cyber terrorism, and cyber defence.
Due to his precise foresight of all developments in the digital realm for over 25 years, he is repeatedly referred to as a global thought leader in cyber security, and digital strategy.
Hilse has privately funded research in cybersecurity worth over USD $1.000.000 since 2011. Some of the results hereof were the Advanced Cybersecurity Risk Assessment Checklist (ACRAC), and the advancement of several information security maturity models, and numerous papers and books (see below).
He acts as a political advisor among others to the European Parliament, proposing highly individualised, complex, multi-phase approaches in which a threat-landscape is established, risks identified thereien are mitigated, after which a (legislative) framework will reduce the potential fallout of cyberattacks.
