Critical Infrastructure Under Cyber Siege

Weak, outdated technology and a lack of security awareness can make critical infrastructure vulnerable to ransomware. Kate O’Flaherty investigates

Ransomware is increasingly hitting critical national infrastructure (CNI) services such as the energy sector. According to a report by consultancy firm Bridewell, 60% of UK CNI organisations have experienced at least one ransomware attack over the previous 12 months. More than a third (35%) suffered up to five ransomware attacks.

According to the research, three out of 10 CNI organisations that have fallen victim to ransomware have risked legal repercussions by paying their attackers. The average cost of a ransomware attack on UK CNI organisations is now £295,230, the Bridewell research reveals.

According to an eye-opening Zscaler report, ransomware attacks have increased by 17.8% since 2023, with the energy sector experiencing a 500% year-over-year spike.

60% of UK CNI organisations have experienced ransomware over the previous year

“Our teams found that critical operations and infrastructure were squarely in the line of attack, with the most common targets being businesses in the manufacturing, healthcare and technology sectors,” says Tony Fergusson, CISO at Zscaler.

CNI organisations are often easy targets for adversaries, partly because they use old, outdated systems that are not built with security in mind. Censys research reveals that approximately 1,500 control systems in the UK are exposed to the public internet and, therefore, are more vulnerable to ransomware.

With weaknesses, including unpatched vulnerabilities, unsecured legacy technology exposed to the internet, and a lack of cybersecurity awareness and budget, it’s easy to see why ransomware affects CNI. So what can be done about it?

Targeting CNI

Attackers target CNI because the impetus to pay is much higher. “CNI operators feel pressured to pay to quickly restore essential services,” says Aiden Holland, security researcher at Censys.

Take the example of the US Colonial Pipeline, which was hit by data-locking malware in 2021, disrupting a major fuel supply to the East Coast.

Outside of the energy sector but still a crucial service, healthcare organisations are also being increasingly hit by ransomware for this very reason.

Disrupting CNI can cause “significant operational downtime”, pressuring organisations to pay ransoms quickly to restore services, says Abdulrahman H. Alamri, senior adversary hunter at Dragos.

Essentially, the “huge radius” of the attack raises the chances of the ransom being paid, says Fergusson. “The bigger an organisation is, the larger the impact will be on people’s lives, and this pressure is then leveraged for financial gains.”

Additionally, government and healthcare institutions are generally not as well funded and lack the necessary budgets to update their security infrastructure, says Fergusson.

Legacy technology

Legacy operational technology (OT) that interfaces with the physical world – such as outdated supervisory control and data acquisition (SCADA)-based systems used in industries such as the energy sector – worsens the problem.

In many cases, CNI organisations have existed for a long time. Fergusson says that this has seen them changing infrastructures and “piling up complex IT architectures with a lot of legacy technology” that renders them more vulnerable.

“The bigger an organisation is, the larger the impact will be on people’s lives, and this pressure is then leveraged for financial gain” Tony Fergusson

Attempts at modernisation and facilitating remote access have caused greater integration between traditional IT systems and OT networks, says Adam Harrison, managing director of the cybersecurity practice at FTI Consulting.

And OT systems, such as those controlling power grids or water supplies, may not have been designed with security in mind, leaving critical processes vulnerable to attacks, says Harrison. “Many CNI organisations operate using outdated legacy infrastructure. These systems are often incompatible with security best practices and are more vulnerable to exploitation, but the cost to replace them can be prohibitive.”

Insufficient patch management adds to the challenge, says Holland. “Many CNI systems, especially in sectors such as energy or water, rely on outdated or end-of-life technology and software that is missing important security updates. Due to the critical nature of operations, many CNI organisations delay necessary security updates to avoid downtime, leaving systems open to exploitation.”

Meanwhile, CNI often relies on a network of third-party vendors and contractors, which can introduce weaknesses through supply chain vulnerabilities, Holland adds.

Human error is another common issue that can make CNI vulnerable to ransomware. “Utility companies, financial institutions and healthcare providers employ thousands of workers who have access to sensitive systems and information,” says Aare Reintam, chief operating officer and co-founder of CybExer Technologies. “Falling for phishing attacks and using weak passwords can inadvertently introduce vulnerabilities.”

Several regulations have attempted to address the risks posed by ransom attacks on CNI and the consequences of service disruption. One example is the NIS2 Directive, which has driven some improvement in the sector’s security; however, progress has been slow, says Harrison.

Stopping ransom attacks on CNI

Stopping ransom attacks on CNI is difficult, but steps can be taken to limit the damage. It starts with CNI operators themselves, who need to make sure they understand the basics, including their sector’s specific requirements.

It’s possible to make ransomware attacks less effective through proper vulnerability management and threat detection, including virus scanning and employee training, says Nadine Hoogerwerf, CISO at Zivver.

She advises maintaining a backup that can be recovered in the event of an attack.

“Many CNI organisations operate using outdated legacy infrastructure” Adam Harrison

Ensure third-party risk management by vetting providers to ensure they adhere to appropriate security standards. Meanwhile, CNI providers should limit third-party access to the minimum required, says Harrison.

Understanding all of the interconnections within your environment is “a big step”, says Andy Swift, cybersecurity assurance technical director at Six Degrees. “This can be a complex task, and an effective approach is to work backwards from the perimeter to thoroughly map out network entry points.”

It’s also worth noting that while many organisations have implemented IT-specific incident response, fewer have dedicated ICS-specific plans, says Alamri. “These are essential for knowing when to take action in the OT environment during a cyber incident.”

Sharing information is also crucial to tackling ransomware. Governments, CNI operators and the private sector must collaborate to share intelligence about the latest ransomware threats and techniques.

At the same time, CNI organisations must be equipped to act upon this advice to ensure up-to-date protection, says Harrison. “Initiatives such as public-private partnerships and participation in information sharing platforms allow for faster identification of threats and coordination of response efforts.”