

Securing the backbone of our communities:

CRITICAL INFRASTRUCTURE CYBERSECURITY

Until the turn of the century, it was unfathomable for most of us to think that critical infrastructure — including ports, dams, power stations, utilities and water plants — could be impacted by cyberattacks.

However, amidst rising geo-political tensions, malicious actors and ransomware attacks, cybersecurity presents a very real and present threat to the safety and security of our communities. This threat has been exacerbated by an increased reliance on digital technologies and more sophisticated AI tools which make it easier for cyberattacks to infiltrate networks and systems.

Cyberattacks are already on the rise. Our new research indicates that more than half of the global critical infrastructure suppliers have experienced attempts to control and shut down their systems, leading to significant safety and cost implications as well as reputational damage. Many of the executives I speak to tell me that this is one of the top issues that keeps them awake at night.

‘Securing the backbone of our communities: Critical infrastructure cybersecurity’ aims to address a fundamental question that resonates at the heart of our modern civilisation: How do we safeguard the vital systems that underpin the very fabric of our society? Through the lens of this approach, readers will gain invaluable insights into the intricate web of critical infrastructure, the unique challenges it poses and the specialised skillsets and tools essential to its protection. We illuminate the crucial role of effective strategies, collaborative efforts and technological advancements in fortifying our critical infrastructure cybersecurity.

The call to action is clear and urgent. Organisations must be as dynamic and adaptable as the risks they face. This means continuously evolving their defences, fostering a culture of relentless innovation and embracing a proactive stance. Cybersecurity is not just about protection; it’s about ensuring the very heartbeat of our society continues to thrive against the tides of digital adversity.

We hope this

01 Executive summary

As governments and industry increasingly embed digital technology into critical infrastructure, the security of these structures and systems has never been more imperative.

Critical infrastructure underpins the innovation and growth that define our economies in an interconnected world. Critical infrastructure sectors such as water, energy, transportation and communication are vital for society’s functioning and well-being, making them attractive cyberattack targets. Their incapacitation or destruction severely impacts security, economic stability, public health, safety or a combination of these factors.

GHD Digital research indicates that more than half of the global critical infrastructure suppliers have experienced attempts to control and shut down their systems. Additionally, approximately 75 percent of these suppliers believe cyberattacks are becoming increasingly sophisticated.

Source: GHD Digital analysis.

The World Economic Forum’s Global Risk Report 2024 says the use of cyberattacks and cybercrime to gain control over a digital presence and/or cause operational disruption are major risks throughout the next 10 years.

Cyberattacks on critical infrastructure are growing at an average annual rate of 125 percent.[1] The total number of attacks increased by 2.5 times in 2023 compared to 2022.[2] The prevalence of cyber threats is increasing due to a complex interplay of factors, including the widespread adoption of digital technologies, the growing interconnectivity of critical systems, insufficient cybersecurity awareness, supply chain vulnerabilities and geopolitical tensions. Critical infrastructure systems face a growing wave of sophisticated cyber threats, with threat actors targeting vulnerabilities in ageing operational technology (OT) systems.

About nine in 10 critical infrastructure organisations — such as those involved in energy and electricity grids — experienced cyberattacks in 2023.[3] Over 50 percent of these firms could not block the initial attack.[4] As technology advances, the attack surface expands, creating a digital battlefield where vigilance, collaboration and innovation are paramount.

Despite the severity of the risks, many organisations lack the necessary cybersecurity maturity, leaving critical infrastructure vulnerable. Securing and managing critical infrastructure requires an in-depth understanding of the OT control systems on which it operates. This demands a targeted approach with specialised skillsets and tools that address the unique challenges. Government agencies, infrastructure operators, regulatory bodies, cybersecurity professionals, and technology and service providers need to prioritise investment in OT security by creating an ongoing strategy that includes vulnerability assessments, managing patches and implementing network segmentation.

To effectively combat cyber threats in critical infrastructure, a transformative shift is needed. Responsibility for tackling today’s threats no longer falls solely on the IT department; rather, it requires a three-pronged approach. Combining technology, human expertise and collaboration, organisations must cultivate a culture of proactive vigilance, making security a fundamental value integrated into all aspects of work. This collective commitment ensures that cybersecurity is not merely a department’s responsibility but a shared commitment, paving the way for a future where unwavering vigilance and unyielding strength meet evolving threats head-on.

02 The evolving cyber threat landscape

Critical infrastructure sectors encompass assets, systems and networks — whether physical or virtual — deemed vital (Figure 1). The convergence of nation-state actors, cybercriminal organisations and insider threats presents a formidable trifecta of challenges. Attackers are becoming more sophisticated; their methods increasingly blur the lines between digital and physical harm. Because digital systems now control physical infrastructure, cyberattacks increasingly cause real-world problems, such as power outages or disruptions in transportation networks. This highlights the need for a comprehensive approach that considers both the digital and physical aspects of cybersecurity to safeguard critical systems.

Alongside the increasing threats, there’s a connection between employees and increasing cyber risks. Aon’s 2023 Cyber Resilience Report predicts that over half of cyber incidents by 2025 will be due to human actions. Organisations can significantly mitigate the risk of cyber incidents caused by employee actions by investing in comprehensive cybersecurity awareness and training programs. These programs should emphasise the importance of recognising phishing attempts, safe internet practices and secure handling of sensitive information. Additionally, implementing strong access control measures and regularly updating security policies can help limit opportunities for accidental or intentional breaches, ensuring employees are not only aware of the risks but also equipped to act as the first line of defence against cyber threats.

Growing exploitation of zero-day vulnerabilities

According to Mandiant (part of Google Cloud), since 2012, there has been a notable surge in the utilisation of zero-day vulnerabilities. Zero-day vulnerabilities refer to undiscovered flaws in an application or operating system, or gaps in security, for which there are no defences or patches because the software maker does not know they exist. Businesses and organisations will likely experience an even greater prevalence of zero-day exploits in the coming years. This can be primarily attributed to both nation-state actors and cybercriminal syndicates. This trend can also be attributed, in part, to the perpetrators’ desire to maintain prolonged access to targeted environments. By leveraging zero-day vulnerabilities, they can extend their foothold within these environments far more effectively than by employing tactics like phishing emails and malware deployment.

Malicious actors are seeking alternative avenues to remain undetected. Traditional tactics such as phishing emails and malware have become increasingly easy to identify and mitigate with the advancement of security teams and solutions. Consequently, threat actors are now focusing on edge devices (hardware units that process data near their source for quicker responses) and virtualisation software, which pose unique challenges for monitoring and detection.

For cybercriminals, the use of zero-day vulnerabilities offers several advantages. Firstly, it expands the pool of potential victims, increasing their reach and impact. Recent incidents of large-scale extortion have demonstrated that a zero-day exploit can coerce more organisations into meeting hefty ransomware or extortion demands, further incentivising this method of attack.

Over the years, many sectors have become more reliant on industrial control systems such as Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC) and Distributed Control Systems for monitoring processes and controlling physical devices, such as pumps, valves, motors and sensors.

Nation-state actors, with their vast resources and geopolitical motives, compromise the integrity of critical infrastructure components. Meanwhile, cybercriminal groups seek financial gain through ransomware and extortion schemes by exploiting vulnerabilities in interconnected systems. Employees, whether malicious or unwitting, pose an ongoing risk, underscoring the need for robust security measures, constant monitoring and a proactive defence stance. In fact, about 30 percent of cybersecurity breaches on critical infrastructure are ransomware or other destructive attacks.[5]

The 2023 IBM Cost of a Data Breach Report highlights that while 95 percent of studied organisations have experienced more than one breach, impacted organisations were more likely to pass incident costs onto consumers (57 percent) than to increase security investments (51 percent).[6] A critical infrastructure data breach costs US$1.5 million more than other data breaches, costing an average of US$5.5 million compared to US$4 million in industries such as consumer goods, retail, pharmaceuticals, hospitality, entertainment and media.[7]

In May 2021, the Colonial Pipeline, an American oil pipeline system carrying gasoline and jet fuel to the Southeastern part of the United States, fell victim to a devastating ransomware attack.[8] The incident disrupted the supply of gasoline and other petroleum products along the East Coast, leading to fuel shortages and price spikes. A cybercriminal group believed to have ties to Russia was responsible for the attack.[9] This high-profile incident was a global wake-up call and pointed to the urgent need for more robust cybersecurity measures and cross-sector collaboration to mitigate such disruptions in the future. It also ignited discussions on the importance of organisations’ cybersecurity policies and the ethical and legal implications of paying ransoms to cybercriminals.

In November 2023, within just a few days, two municipal water facilities serving more than two million residents in parts of Pennsylvania and Texas reported network security breaches that hindered parts of their business or operational processes.[10] These attacks served as a warning at every level of government that critical infrastructure is vulnerable to hacking and will remain that way until operators make the necessary investments. Also, in July 2022, in an alarming cyberattack on South Staffordshire Plc, a British water provider, threat actors targeted its systems, temporarily disrupting water treatment processes.[11]

Figure 1: Major cybersecurity threats to critical infrastructure sectors
Source: GHD Digital analysis.

The interplay between technological complexity and the relentless evolution of digital threats characterises cybersecurity challenges in critical infrastructure. Protecting these systems demands robust defences and continuous adaptation to emerging risks, underscoring the imperative for holistic, proactive strategies.

03 Cybersecurity challenges in critical infrastructure

Figure 2: Cybersecurity challenges in critical infrastructure

– Convergence of IT and OT

– Rapid adoption of Industrial Internet of Things (IIoT) devices

– Increasing interplay between physical and cyber realms

– Evolving geopolitical landscape

– Vulnerabilities in legacy systems

– The intricate web of interconnected systems

– Resource constraints and budget limitations

– The complex landscape of regulatory and compliance requirements

– Acute shortage of skilled cybersecurity professionals

– Digital adversaries growing more sophisticated

Source: GHD Digital analysis.

The convergence of IT and OT in critical infrastructure creates a challenging cybersecurity landscape. While efficiency gains are realised, the convergence exposes vulnerabilities that hackers can exploit. Protecting against this threat requires a holistic approach, integrating traditional IT security with specialised OT measures to ensure the seamless operation of essential systems while defending against cyberattacks.

The rapid adoption of Industrial Internet of Things (IIoT) devices offers enhanced monitoring and control capabilities but brings forth an array of security concerns. The sheer number of interconnected devices expands potential entry points for attackers. Robust security protocols, device authentication and regular updates are essential to safeguarding critical infrastructure against IIoT-related threats.

The increasing interplay between physical and cyber realms amplifies risks to critical infrastructure. Cyberattacks can disrupt not only digital systems but also cause real-world consequences. Defending against these hybrid threats requires comprehensive strategies that bridge the gap between cyber and physical security, emphasising resilience and rapid response.

In an evolving geopolitical landscape, nation-states are increasingly employing cyberattacks to target critical infrastructure for political, economic or strategic advantage. These attacks pose significant threats to national security. Effective defence demands proactive threat intelligence, international collaboration and robust cyber deterrence policies to deter adversaries and protect critical infrastructure from geopolitical cyber risks.

Vulnerabilities in legacy systems pose a formidable challenge, as many essential components were designed and implemented before the modern era of cyber threats. These ageing systems often lack built-in security features, making them prime targets for malicious actors seeking to exploit weaknesses that can have cascading and potentially catastrophic effects on vital services.

The intricate web of interconnected systems is another challenge, where a vulnerability in one sector can have ripple effects across others. This complexity demands a comprehensive approach that transcends individual sectors and emphasises the need for unified strategies, information sharing and continuous vigilance to defend against ever-evolving cyber threats that can disrupt the very core of modern society and economy.

Resource constraints and budget limitations present a profound paradox. The need for robust protection has never been greater, yet financial constraints often hinder the implementation of comprehensive security measures. Balancing the imperative to defend against sophisticated threats with the reality of limited resources underscores the critical importance of prioritisation, efficiency and innovative, cost-effective solutions to fortify the resilience of our essential infrastructure against cyberattacks.

The complex landscape of regulatory and compliance requirements compounds the challenges. While regulations aim to enhance security, they often struggle to keep pace with the rapid evolution of cyber threats and the dynamic nature of critical infrastructure systems. Striking the right balance between compliance-driven approaches and adapting to emerging risks is a formidable challenge, demanding a proactive, risk-based strategy that ensures the robust protection of vital systems while fostering innovation and adaptability in the face of evolving cyber threats.

An acute shortage of skilled cybersecurity professionals capable of addressing the evolving threat landscape is another major challenge. As digital adversaries grow in sophistication, the demand for cybersecurity experts with specialised knowledge in safeguarding essential systems far outpaces the available talent pool. Bridging this skills gap requires comprehensive training programs and creative workforce development strategies to cultivate a specialised workforce capable of defending the backbone of modern society from relentless cyber threats.

Digital adversaries are becoming more sophisticated, and their harnessing of cutting-edge technologies like artificial intelligence (AI) exacerbates the cybersecurity challenges. These adversaries leverage AI-driven tools to automate attacks, identify vulnerabilities and adapt tactics. They present a formidable and constantly evolving threat landscape that demands a proactive and technologically advanced defence strategy to safeguard our essential systems from disruption and compromise.

The most common types of cyberattacks targeting critical infrastructure

Ransomware attacks: Ransomware attacks involve malicious actors encrypting a target’s systems and demanding a ransom in exchange for the decryption key. Critical infrastructure, such as power grids and water supply systems, are attractive targets for ransomware attackers due to the potential for widespread disruption and the urgency to restore services. Notable incidents like the Colonial Pipeline attack in 2021 highlighted the vulnerability of critical infrastructure to these types of attacks.

Distributed Denial of Service (DDoS) attacks: DDoS attacks overwhelm a network or website with a flood of traffic, rendering it inaccessible to legitimate users. In the context of critical infrastructure, DDoS attacks can disrupt essential services, causing operational downtime and financial losses. Attackers may use botnets to amplify the scale of their attacks, making mitigation more challenging.

Phishing and social engineering: Phishing attacks and social engineering tactics are often the initial entry points for cybercriminals targeting critical infrastructure. By tricking employees or contractors into revealing sensitive information or downloading malicious attachments, attackers gain access to critical systems. Once inside, they can carry out more sophisticated attacks, such as data theft or system manipulation.

Insider threats: Insider threats occur when individuals within an organisation, intentionally or unintentionally, compromise critical infrastructure systems. These threats can be particularly difficult to detect and prevent because they involve trusted personnel who have legitimate access to sensitive systems. Insider threats may result from disgruntled employees, negligent behaviour or external actors who have infiltrated an organisation.

04 Taking a multifaceted approach to cybersecurity

Best practices in cybersecurity for critical infrastructure involve a multi-faceted approach. Each facet plays a crucial role in shaping a comprehensive and robust cybersecurity framework that not only protects an organisation’s vital data and systems but also ensures a resilient security posture in an ever-evolving threat landscape.

01 Board and executive ownership:

When boards and executives take ownership of cybersecurity and serve as advocates for a strong security culture, it permeates the organisation. Their commitment ensures resources and attention are devoted to security, creating a top-down approach to protecting sensitive data and systems.

02 Aligned cybersecurity strategy:

A well-structured cybersecurity strategy, closely tied to business objectives and risk assessment, is paramount. It ensures that security investments are targeted where they matter most, safeguarding the organisation’s core assets and aligning security efforts with broader business goals.

03 Understanding of assets:

Knowing your assets inside out, from the high-level overview to individual systems and processes, is key. It allows for a focused approach to cybersecurity, addressing the most critical areas first and minimising potential vulnerabilities.

04 Government and industry collaboration:

Collaboration between government agencies and industry stakeholders is essential. Sharing threat intelligence and best practices helps organisations stay ahead of emerging threats, benefiting from a collective knowledge base to enhance overall cybersecurity resilience.

05 Security by Design:

Incorporating security measures from the outset, akin to Safety in Design principles, ensures that security is not an afterthought but an integral part of systems and processes. This proactive approach minimises vulnerabilities and reduces the likelihood of costly security breaches down the line. Embracing Security by Design as a core principle ensures that cybersecurity becomes an intrinsic part of the infrastructure’s DNA, fortifying critical systems against modern-day cyber adversaries and establishing a proactive defence posture that is more resilient and adaptable to emerging threats.

Source: GHD Digital analysis.

With businesses requiring an enterprise-wide cybersecurity capability, there is a need for a cybersecurity operating model that creates an integrated view of how security functions are embedded in the enterprise structure — a model that provides a consolidated description of each function and its underlying processes, capturing the interactions between functions, processes and business units during operations or when changes are planned or undertaken.

05 The role of emerging technology in protecting critical infrastructure

Technological advancements represent a double-edged sword in the context of critical infrastructure cybersecurity. On the one hand, they introduce innovative solutions that enhance the efficiency and functionality of essential systems, driving economic growth and societal progress. However, these same advancements also expand the attack surface, providing cyber adversaries with new vectors and tools to exploit vulnerabilities.

Cybersecurity must evolve in tandem as critical infrastructure becomes increasingly interconnected and reliant on cutting-edge technologies like IIoT and cloud computing. Embracing innovations such as AI for threat detection, blockchain for secure transactions and robust encryption techniques becomes paramount to maintaining the delicate balance between technological progress and the resilience of our critical systems. Ultimately, the convergence of technology and cybersecurity will shape the future of critical infrastructure, determining our ability to defend against ever-evolving digital threats and ensure the continuity of vital services.

AI and machine learning:

– AI helps identify and stop cyber threats as they happen.

– By looking at huge amounts of data, AI could quickly find unusual patterns that could be threats.

– AI keeps getting smarter, in turn learning to help stop new kinds of attacks.

Blockchain technology:

– Keeps data safe and unchanged, which is key for protecting important information.

– Spreads out data storage, making it harder for a single hack to cause a big problem.

– Helps make sure only the right people get access to systems.

– Helps keep the supply chain safe by verifying the parts and systems used are genuine.

“The relationship between cyber and AI is complicated. AI is being utilised to pose cyber risks in many ways by manipulating and compromising data and influencing human behaviour. AI can also enhance cyber defences using data analysis, pattern recognition, and data insight-based decisions. Therefore, it is essential to develop and implement ethical, legal, and technical frameworks and standards to ensure the responsible and beneficial use for cybersecurity, while preventing or mitigating its potential harms and abuses.”

– Dr. Nipa Basu, Global Practice Director, Digital Intelligence, GHD Digital

Challenges and considerations in adopting new technologies

Implementing new technologies in critical infrastructure cybersecurity has challenges and considerations. Firstly, the rapid pace of technological advancement often moves faster than the ability to assess and mitigate associated risks. This can lead to vulnerabilities in critical systems that adversaries quickly exploit. Therefore, organisations must balance adopting innovative technologies and thoroughly vetting them for security implications, ensuring robust risk assessments are integral to the implementation process.

Secondly, integrating new technologies may require significant investments in financial and human resources. It’s imperative to allocate adequate budgets for acquiring, maintaining and updating these technologies to keep pace with evolving threats. Moreover, there is a pressing need for a skilled cybersecurity workforce capable of understanding and effectively managing these advanced tools. Ensuring that staff receive proper training and remain vigilant against emerging threats is essential to harnessing the full potential of new technologies while safeguarding critical infrastructure. In essence, while emerging technologies hold great promise, their successful implementation demands a judicious approach that weighs the benefits against the risks and prioritises the development of a skilled and adaptable workforce.

Protection of power grids: A real-life illustration of the role of technology in critical infrastructure cybersecurity

Power grids are a vital component of modern society, and they heavily rely on technology for their operation. Here’s how technology plays a crucial role in securing power grids:

SCADA systems: Used to monitor and control critical infrastructure, including power grids. These systems leverage technology to remotely monitor the grid’s performance, detect anomalies and respond to disruptions in real-time. They provide visibility into the grid’s operation, helping operators identify and address cybersecurity threats promptly.

Intrusion Detection Systems (IDS): Advanced IDS technology is employed to continuously monitor network traffic and detect any suspicious activities. When anomalies or potential cyber threats are detected, these systems can trigger alerts and initiate automated responses, such as isolating compromised devices or blocking unauthorised access.

Firewalls and access control: These technologies are used to restrict unauthorised access to critical infrastructure components. These security measures ensure that only authorised personnel can access and make changes to essential systems, reducing the risk of cyberattacks from external actors.

Incident response tools: These technology-driven tools and playbooks are developed to guide operators and security teams in responding to cybersecurity incidents swiftly and effectively. These tools help in identifying the scope of the breach, isolating affected areas and implementing remediation measures.

Machine learning and AI: AI and machine learning algorithms are used to analyse vast amounts of data collected from the power grid. They can identify patterns and anomalies that may indicate potential cybersecurity threats, allowing for proactive threat detection and mitigation.

Security Information and Event Management (SIEM): SIEM systems centralise the collection and analysis of security data from various sources within the infrastructure. They use technology to correlate events, detect unusual activities, and provide real-time insights into the security posture of critical infrastructure.

Innovation in cybersecurity

As cyber criminals and adversarial actors become more seasoned and savvier, organisations need to match the tone by not only becoming more vigilant but groundbreaking in their approach to be one step ahead of the bad guys.

AI-driven technology and machine learning are playing an important role in advancing cybersecurity defence mechanisms because people are seen as a weak link. Behavioural data and analytics allow an organisation to identify downloaded files and abnormal increases in data transmissions to determine individual risk profiles. AI is playing a role in creating an always-on ‘cybersecurity assistant’, designed to provide continuous monitoring and analysis of network traffic, pinpointing anomalies and making recommendations instantly.

New ways of blockchain identity verification provide more advanced tracking and traceability than ever before. They reduce the risks around transactions and offer assurance around authentication of hardware. Cybersecurity innovators are pursuing the highest level of data security and privacy possible, leveraging quantum computing to build unbreakable encryption algorithms. Other pioneering advancements include holographic and digital twin platforms that visualise traffic, platform vulnerabilities and potential threats for deeper learnings and insights around managing risk.

How can leaders access the latest digital innovations to successfully fend off attacks?

Dedicate time and effort towards keeping up-to-date with emerging cybersecurity approaches, trends and technologies. Online communities, peer roundtables and conversations, blogs and video platforms are some of the valuable resources to gather the latest and greatest intelligence.

The start-up community is also contributing to this space. Efforts are centring on cloud security with DDoS attacks, misconfigurations, identity management and malware causing leaders considerable grief.

A novel way to test your critical infrastructure’s cybersecurity is to recruit a professional hacker to try their hand at your systems and platforms. Partnering with the innovators will advance your protection and should form part of your cybersecurity ecosystem. Taking a co-creative, multistakeholder approach to cybersecurity is going to yield the best results.

06 Regulatory frameworks and government initiatives to advance protection

Given the evolving landscape of cybersecurity, it’s crucial to be aware of the regulatory frameworks in place. Non-compliance with these regulations can lead to significant penalties. Some countries have established frameworks to protect critical infrastructure sectors at the national level. The NIST Cybersecurity Framework provides guidelines for managing and mitigating cybersecurity risks across critical infrastructure industries, emphasising principles such as identification, protection, detection, response and recovery. Similarly, the European Union’s NIS Directive mandates cybersecurity measures and incident reporting requirements for operators of essential services, aiming to harmonise cybersecurity practices across member states.

On a global scale, organisations like the International Organization for Standardization (ISO) offer internationally recognised standards such as ISO 27001, which provides a comprehensive framework for information security management systems. Furthermore, sector-specific standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for the energy sector, IEC 62443 for the rail industry or the NIST Special Publication 800-53 for federal agencies in the United States further tailor cybersecurity requirements to specific critical infrastructure sectors’ unique needs. While these regulations and standards offer valuable guidance, the challenge lies in their dynamic nature, as they must continually evolve to address emerging threats and technological advancements.

“Collaboration is so important when thinking about cybersecurity. You need to be collaborating with your peers, vendors, government, regulators and authorities. You need to be close to them and learn from them because they are seeing these things on a day-to-day basis. They’ve built task forces around cyber threats and they’re here to help. They’re there to make sure that you are actually protecting the nation at the end of the day, and its citizens.”

Governments worldwide increasingly allocate resources to bolster cybersecurity defences, often establishing dedicated agencies or departments responsible for critical infrastructure protection. Initiatives such as information-sharing programs, public-private partnerships and regulatory frameworks aim to enhance stakeholder collaboration and coordination. Additionally, governments are investing in research and development efforts to stay ahead of evolving threats, and they play a crucial role in setting standards and guidelines that drive best practices across critical infrastructure sectors.

Organisations should recognise the importance of adherence to regulatory frameworks to avoid substantial fines and to maintain the integrity of critical infrastructure. The NIST Cybersecurity Framework and the EU’s NIS Directive, along with standards like ISO 27001 and sector-specific regulations like NERC CIP, provide a structured approach to managing cyber risks. However, the real challenge for organisations is to stay ahead of the regulatory curve as these guidelines are continually updated to counteract new threats. Governments are not only reinforcing cybersecurity through regulations but also through strategic investments in research and collaborative initiatives, setting a clear expectation for organisations to proactively secure their operations. This underscores the need for ongoing investment in cybersecurity measures that not only meet current standards but are also adaptable to future developments.

Public and private sector collaboration is both a strategic imperative and a regulatory mandate in many regions. Governments recognise that the shared responsibility for safeguarding essential systems necessitates close cooperation between these two domains. Regulatory frameworks and standards often require private sector organisations, especially those operating critical infrastructure, to adhere to cybersecurity guidelines, conduct risk assessments and share information with public agencies. This regulatory approach fosters a collective defence stance, leveraging both sectors’ expertise, resources and capabilities to confront evolving cyber threats.

International collaboration is also paramount. Threat actors transcend borders, making it imperative for countries to work together to fortify the resilience of essential systems. Initiatives such as international treaties, information-sharing agreements and harmonisation of cybersecurity standards foster cooperation among countries to address common challenges. From the Budapest Convention on Cybercrime to sector-specific international guidelines, these collaborative efforts reflect the understanding that cyber threats are a shared concern and that by sharing knowledge, intelligence and best practices, countries can collectively enhance the security of critical infrastructure.12 This international regulatory framework recognises that the stability of global society and economy hinges on the ability to protect and defend critical systems that know no national boundaries.

The role of boards and executives in cybersecurity 07

Criminals are turning to corporate battlefields to cripple world economies and wreak havoc — they want to destroy both the reputation and the business itself. Today, when things go wrong, the implications are a lot more severe than we have ever seen before. Leaders not only have the responsibility but increasingly, the legal and regulatory obligation to protect their organisations.

Start by understanding your applicable legislative requirements; they will vary by jurisdiction. How else can boards best manage this ever-evolving landscape? Beyond ticking a regulatory box, leaders have an opportunity to take stock and mitigate serious consequences. Cybersecurity measures are not an add-on; they are fundamental and an ongoing process, led from the top, to manage systems and processes.

Boards and executive leaders set the direction of investment decisions and are best positioned to embed security throughout the company’s culture — from enabling cybersecurity awareness as part of employee conversations to ensuring that it is prioritised in strategic planning and operations.

Raising a digital ecosystem’s collective defence requires a partnership between the public and private sectors. This creates an environment conducive to sharing best practices and enhancing industry standards for more efficient risk mitigation and threat response.

With a good understanding of assets and the technology that supports them, organisations are better equipped to assess their vulnerabilities and trace possible risk sources. Take inventory and assess which critical infrastructure emerges as a weak link and, therefore, needs immediate action.

Let the picture of potential risks, likelihood and severity guide the overall strategy — including resources and controls — tailored to your unique operating environment to improve cyber resilience. Continuously monitor these safeguards and their ability to respond to evolving risks.

Take a proactive stance and ensure that the security of systems and their components is prioritised, right from conception. This enables optimal defence from the outset instead of security being bolted on at a later stage of the lifecycle.

Embedding an effective cybersecurity operating model 08

Having a structured and adaptable cybersecurity operating model (CSOM) as part of a cybersecurity framework is essential for organisations to effectively manage and mitigate evolving threats. Embedding Security by Design is essential for businesses operating in critical infrastructure sectors. The pressing need for an enterprise-wide cybersecurity capability calls for the development of a CSOM that transcends traditional security protocols. This CSOM integrates security functions seamlessly into the fabric of an organisation and offers a comprehensive view of how these functions interconnect within the enterprise structure.

By breaking down complex processes into logical functions, the CSOM helps organisations understand their current cybersecurity posture and serves as a blueprint for transforming towards a more secure future.

With this model, businesses can outline how their key capabilities work together, making sure that security functions collaborate smoothly with operational units and external partners, strengthening defences against cyber threats in critical infrastructure.

This CSOM (Figure 3) simplifies complicated processes into understandable functions, helping to assess the current situation and set the stage for moving towards a better model. It shows how key capabilities relate to each other and summarises how security functions will work with operational units and external partners. Digitising the CSOM could further enhance its operability.

The benefits of this cybersecurity framework include:

A blueprint that illustrates and articulates how security operates in an organisation, embedding Security by Design

Reduced duplication of activities across organisational boundaries, with increased role clarity

Reduced risk in delivering security services, through process consistency and standardisation

Increased efficiency, in both time and cost, when enacting changes during transformation.

CSOM: establishes clear lines of accountability and oversight and fosters a culture of security awareness and compliance, ultimately safeguarding an organisation’s digital assets. It serves as the foundation of proactive threat detection, incident response and continuous improvement, ensuring that cybersecurity becomes an integral and adaptive part of an organisation’s DNA, rather than just a set of static controls.

CSOM functions: security governance, security programs, security architecture, security risk, BCM and compliance, and security operations.

Case study: Strategic cybersecurity in a large water utility’s digital overhaul

One of the largest principal water and sewage utilities in Australia embarked on a digital transformation journey. Tasked with the crucial responsibility of providing drinking water and sewage treatment, the utility faced the challenge of centralisation. This necessitated an overhaul of disparate legacy systems and processes, all within a framework that historically lacked robust cyber protection measures.

To address these challenges, GHD Digital helped the utility undertake a maturity assessment against the NIST industry standard and aligned its risk assessment with the ISO 31000 framework. These efforts were pivotal in tailoring security frameworks and a security operating model that aligned seamlessly with business operations. Subsequently, a strategic three-year roadmap accompanied by a clear investment plan was developed, laying the groundwork for the utility’s future endeavours.

The value derived from these solutions was substantial. A clear and actionable security vision was established, leading to an approximate 40 percent reduction in tangible business risks. Furthermore, the adoption of a CSOM provided a structured approach to execute the cybersecurity strategy effectively.

Through a risk-based strategy, the utility realised a vision for cybersecurity that is not only executable but also measurable. The utility’s digital transformation, underpinned by a strong cybersecurity strategy, is a testament to the power of integrating technical innovation with security foresight.

CSOM functional delivery: strategy and planning; design and implement; manage and measure.

CSOM subfunctions: security governance, security programs, security architecture, security risk, BCM and compliance, and security operations.

Inputs: security strategy, risk strategy, business strategy, vision and compliance, regulatory strategy.

Outputs: RACI matrix, stakeholder map, security communications plan, security framework, security policy, BCM policy, operational KPIs and security program KPIs.

Detailed policies, processes and procedures provide the necessary guidance and structure to effectively mitigate risks, respond to incidents and safeguard critical assets.

Call to action: Staying ahead of evolving threats

Figure 4: Steps to stay ahead of evolving cybersecurity threats

1. Continuous monitoring and threat intelligence:

Implement advanced monitoring systems that provide real-time visibility into network traffic and system behaviour. For example, using intrusion detection systems that analyse network traffic patterns can identify unusual activity indicative of an attack. Utilising threat intelligence feeds, such as reports on known malware signatures or tactics used by cybercriminals, allows organisations to proactively defend against emerging threats. These insights empower organisations to detect and respond to anomalies swiftly, reducing the dwell time of threats within the network.

2. Regular cybersecurity risk assessments:

Conduct frequent cybersecurity risk assessments and penetration testing to identify vulnerabilities and weaknesses in critical systems. For instance, simulating a penetration test on a transportation system’s network can reveal potential entry points for attackers. Regularly review and update risk assessments to adapt to changing threat landscapes. Vulnerability scanning should not be limited to just digital aspects; it should also encompass physical aspects, such as access control to critical infrastructure facilities.

3. Employee training and awareness:

Cultivate a cybersecurity-aware culture within the organisation by training employees to recognise phishing attempts and social engineering tactics. For example, conducting phishing simulation exercises where employees receive simulated phishing emails can help them learn to identify and report suspicious emails. Regular cybersecurity awareness programs and training reinforce vigilance among staff members, as human error remains a significant vulnerability.

4. Defence-in-depth strategy:

Embrace a defence-in-depth approach by layering security measures. For instance, robust access controls can restrict unauthorised access to critical systems, while firewalls can filter incoming and outgoing traffic. Intrusion detection systems can monitor for suspicious activities, and network segmentation can isolate critical components from less secure parts of the network. This approach reduces the likelihood of a successful breach and limits lateral movement within the network.

5. Public-private partnerships:

Collaborate with governmental agencies and industry peers through public-private partnerships. For example, sharing threat intelligence and incident data with other transportation organisations and government agencies can help identify trends and threats specific to the sector. Participation in sector-specific Information Sharing and Analysis Centers (ISACs) enhances access to threat intelligence and incident response resources, fostering a collective defence approach.

6. Regulatory compliance:

Proactively adhere to cybersecurity regulations and standards relevant to critical infrastructure. Compliance provides a baseline of protection and ensures that essential security measures are in place. For example, complying with the NIST Cybersecurity Framework or ISO 27001 standards can help organisations establish robust cybersecurity practices and stay current with regulatory requirements and best practices.

7. Innovation and technology adoption:

Embrace emerging technologies such as AI and machine learning for threat detection and response. For example, machine learning algorithms can analyse vast amounts of data to identify abnormal behaviour patterns indicative of cyber threats. Leveraging automation for security orchestration and incident response can reduce response times, enabling rapid mitigation. Exploring the use of blockchain for enhancing supply chain security and data integrity can also add an extra layer of protection.

8. Incident response planning:

Develop and regularly test incident response and recovery plans specific to critical infrastructure. These plans should include steps for swift detection, containment and mitigation of cyber threats. Regular tabletop exercises and simulations, such as simulating a ransomware attack on a transportation system’s network, help ensure preparedness and effective response during a cyber crisis.

9. Resource allocation and budgeting:

Allocate sufficient financial and human resources to support cybersecurity initiatives. For example, budgeting for ongoing maintenance, training and technology upgrades ensures that cyber defences remain robust and up-to-date. Investing in cybersecurity is not just a cost but an essential element of risk management, as it safeguards critical infrastructure from potential threats.

10. Adaptive risk management:

Embrace an adaptive risk management approach that evolves with the threat landscape. Continually assess and reassess risks, vulnerabilities and threat actors. For example, regularly reviewing threat intelligence reports and conducting red team exercises to simulate real-world attack scenarios helps organisations adapt their security strategies and investments to address emerging threats effectively. This adaptability is crucial in the ever-changing cybersecurity landscape.
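Steps 1 and 4 above (monitoring against threat intelligence, and network segmentation as a defence-in-depth layer) are easier to picture on data. The following is an added example, not code from the GHD report: it runs constructed ICS network flow records against a constructed indicator list and a zone-to-zone segmentation policy, and computes the dwell time between the first alerted flow and the moment analysts acted. All addresses, zones, ports and indicators are constructed sample values.

```python
"""Added example, not from the GHD report: a minimal monitoring pass over constructed
ICS flow records that matches flows against a threat-intel indicator list (Figure 4,
step 1), checks a segmentation policy (step 4) and measures dwell time. Sample data."""
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed zone map: corporate IT, an OT DMZ and the control network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "ot_dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}
# Segmentation policy as permitted (source zone, destination zone, port) tuples:
# Modbus/TCP (502) reaches the control network only from the OT DMZ or from itself.
ALLOWED = {
    ("corporate", "ot_dmz", 443),
    ("ot_dmz", "control", 502),
    ("control", "ot_dmz", 502),
    ("control", "control", 502),
}
# Constructed threat-intelligence feed: indicator address -> description.
INDICATORS = {"203.0.113.45": "constructed C2 address from a sample feed"}

Flow = namedtuple("Flow", "ts src dst dport")
Alert = namedtuple("Alert", "ts reason flow")

def zone_of(addr: str) -> str:
    # Anything outside the zone map is treated as external.
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def parse(line: str) -> Flow:
    """Constructed log format: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))

def analyse(flows) -> list:
    """Alert on flows that touch an indicator or break the segmentation policy."""
    alerts = []
    for f in flows:
        hit = INDICATORS.get(f.dst) or INDICATORS.get(f.src)
        if hit:
            alerts.append(Alert(f.ts, "threat-intel match: " + hit, f))
        elif (zone_of(f.src), zone_of(f.dst), f.dport) not in ALLOWED:
            reason = f"segmentation violation {zone_of(f.src)}->{zone_of(f.dst)}:{f.dport}"
            alerts.append(Alert(f.ts, reason, f))
    return alerts

def dwell_time_seconds(alerts, acted_at_iso: str) -> float:
    """Seconds from the earliest alerted flow to the time analysts acted on it."""
    if not alerts:
        return 0.0
    acted = datetime.fromisoformat(acted_at_iso)
    return (acted - min(a.ts for a in alerts)).total_seconds()

# Constructed sample log: normal DMZ path, then a workstation reaching a PLC directly,
# then the PLC beaconing to a listed address.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.10.5.20 10.20.0.10 443
2024-03-01T08:05:00 10.20.0.10 192.168.100.7 502
2024-03-01T08:07:30 10.10.5.20 192.168.100.7 502
2024-03-01T08:09:00 192.168.100.7 203.0.113.45 443
"""
```

Calling `analyse(parse(l) for l in SAMPLE_LOG.splitlines())` on the sample log returns two alerts (the direct corporate-to-control Modbus flow and the outbound flow to the listed address); the second example of each alert type is what a real policy review would iterate on.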

In the relentless battle against evolving cyber threats in critical infrastructure, the path to success relies on a shift from a mere reaction to a proactive stance, where technology, human expertise and collaboration converge to forge an unbreakable shield.

At its core, the foundation of cybersecurity within an organisation rests on proactively anticipating threats and weaving security into every facet of work. Security isn’t just one department’s responsibility; it requires an organisation-wide commitment. The future of critical infrastructure security is in our hands, and by embracing the above principles, we can work towards a future where threats are met with unwavering vigilance and strength.

Contacts

Sunil Sharma

Global Cybersecurity Leader, GHD Digital

E: Sunil.Sharma@ghd.com

Suna Taymaz

Critical Infrastructure Cybersecurity Lead, North America

E: Suna.Taymaz@ghd.com

Endnotes

1 GHD Digital analysis based on data from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Critical Infrastructure Protection (CIP) Standards, The Center for Internet Security (CIS) and Information Systems Audit and Control Association (ISACA).

2 Ibid.

3 Ibid.

4 Ibid.

5 Government Technology, “Cyber Attacks Against Critical Infrastructure Quietly Increase,” 31 July, 2022.

6 IBM, “Half of Breached Organisations Unwilling to Increase Security Spend Despite Soaring Breach Costs”, 24 July, 2023.

7 GHD Digital analysis based on data from IBM’s Cost of a Data Breach Report 2022.

8 The New York Times, “Cyberattack Forces a Shutdown of a Top U.S. Pipeline,” 13 May, 2021.

9 The New York Times, “DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down,” 14 May, 2021.

10 Ars Technica, “2 municipal water facilities report falling to hackers in separate breaches,” 29 November, 2023.

11 Bloomberg, “UK Water Supplier Hit by ‘Extremely Concerning’ Cyberattack,” 17 August, 2022.

12 Council of Europe, “The Budapest Convention (ETS No. 185) and its Protocols.”

About GHD Digital

We are GHD’s digital transformation business, dedicated to helping clients unlock innovation, embrace the future and change communities for good. Our diverse and talented team of more than 600 people includes data scientists, design thinkers, immersive digital consultants, project managers and innovators who are creating lasting community benefit.

With the combined global and local expertise of GHD’s 11,000 engineering, construction and design experts, we take a role by your side, helping you navigate and solve complex challenges with advanced technology. Together, we can create positive change for generations to come.
