Why Critical Infrastructure Attacks Are Everyone's Problem — Especially Now

February 21, 2022

Contributor: Laurence Goasduff

Russia’s recent cyberattacks on Ukrainian government websites, and the growing concern among Ukraine’s allies for their own industrial control systems, show the scale of disruption such attacks can reach.

Attackers are increasingly deploying cyber-physical attacks that target critical infrastructure systems; these attacks can cause outages and even loss of life. Unfortunately, no business is immune. Gartner estimates that by 2025, attackers will have weaponized a critical infrastructure cyber-physical system (CPS) to successfully harm or kill humans.


Prompted by the situation in Ukraine, we spoke with Katell Thielemann, VP Analyst at Gartner, to better understand why every business is a target and what chief information security officers (CISOs) should do to establish resilient business operations in a high-risk environment.

Why are critical infrastructure attacks every citizen’s — not to mention business leaders’ — problem?

Every executive and every business in every country relies on critical infrastructure throughout daily life. Critical infrastructure sectors include energy production and transmission, water and wastewater, healthcare, and food and agriculture. Not only is each of these sectors critical to the appropriate functioning of modern societies, but they are also interdependent, and an attack on one can have a direct impact on others. For example, in the event that drinking water production or wastewater treatment is impacted as a result of the ongoing threats on U.S. water and wastewater systems, citizens would be deprived of safe drinking water and sanitation. In addition, hospitals would not be able to operate, fire hoses would not work, and schools, offices and government facilities would be impacted. Similar domino effects would occur in the event that any other critical infrastructure sector is targeted.


What specifically are the risks in Ukraine right now?

Unfortunately, the risks in Ukraine have already turned to reality as websites of banks and the Ministry of Defense have been attacked in recent weeks, and the country will likely remain a target in the near term. It is also not the first time that Ukraine has been the main target of cyberattacks due to geopolitical conflicts. In 2014, its Central Election Commission was targeted. In December 2015, an attack on the power grid plunged parts of the country into darkness. In June 2017, an attack dubbed “NotPetya” impacted many organizations including banks, ministries, newspapers and even radiation monitoring systems at Chernobyl.


Have CISOs and security leaders learned any lessons from these attacks?

Speaking specifically of NotPetya, it attacked Ukrainian tax preparation software, halting operations across the globe and costing many organizations, including banks and ministries, billions of dollars. After the attack, CISOs and security and risk management leaders learned to establish a governance process that includes the CEO, the board and key operational staff. On the security controls front, they learned to define their high-value assets so they could perform triage and pre-plan decisions on what to bring back up first. On the leadership and business management front, they learned to update personnel reporting and internal emergency communications trees both in IT and operations.

Looking forward, CISOs and security and risk management leaders should define what their high-value assets are, so that triage and decision-making about what to bring back up first doesn’t occur on the fly, and secure mission-critical backups offline or in cloud environments. They need to review with urgency their network segmentation both in enterprise IT systems and for high-value cyber-physical systems in operational or mission-critical environments.

Another best practice is to update personnel reporting and internal emergency communications trees both in IT and operations, and maintain a copy offline. Several NotPetya victims had to revert to social media to get in contact with their own personnel; adequate preparation can help avoid this kind of disruption.
