Cybersecurity: why it matters in critical infrastructure
In decades past, before the turn of the millennium, folks believed that "critical" services for society should not be connected to the Internet. However, this thought process has not withstood the technological advances of recent years and the Internet itself is now a critical infrastructure on which many companies and services depend daily.
Considering today's reality, organizations can no longer afford to ignore the issue of cybersecurity, nor can it be reduced to the notion that "the most critical systems are not connected and no attacker will get to them."
Even when an incident doesn't directly harm a factory or public service, we have to remember the existence of billing services, contract monitoring, and financial services – processes that are connected to the network and could be interrupted by a cyberattack.
Real cases already exist. In 2021, an oil pipeline in the United States shut down after ransomware interfered with the accounting and billing system. The oil was still being pumped, but it wasn’t feasible to continue operating without restoring the billing system.
In the logistics and transportation sector, a cyber incident may not affect cranes, trucks, trains, or buses, but it can certainly jeopardize the information systems that store passenger lists, tax documents, and loading plans. An example of this occurred in 2023, when a port in Japan was brought to a standstill, also due to ransomware, since there was no way of registering incoming cargo.
In the electricity sector, there have been confirmed incidents of cyberattacks causing blackouts, as well as physical damage to uranium enrichment plants. These events, which occurred in Ukraine and Iran respectively, were caused by virtual attacks and are believed to be linked to geopolitical tensions.
A diverse sector
The term "critical infrastructure" might lead us to think that we are talking about a select group of companies, but the fact is that many organizations and branches of activity are considered critical.
As such, the list of sectors that fall under this classification may be longer than imagined. Consider the following branches: transportation, health, government, telecommunications, energy, food and water, emergency services, factories, and even financial services. They are all interconnected and are essential services within society.
Some are also closely linked to communication networks, as is the case with financial services. In this scenario, bank drafts have given way to international banking networks and ‘card machines’ that operate via the same networks we use to talk to friends and family on our cell phones.
Approached from this angle, it’s clear that critical organizations often depend on each other.
The human factor in defending critical infrastructure
As in many other companies, professionals working in organizations linked to critical sectors have much to contribute to cybersecurity. Technology teams, for example, can prevent the exposure of vulnerable systems. However, they are not the only ones with a part to play: criminals know that they can try to trick system operators with malicious messages or contact attempts, whether by email, telephone, or even in person.
In this case, a single click or the use of an unauthorized device, such as a keyboard, USB flash drive, or even a mouse, can be enough to damage an entire system and set off a domino effect. In some of the more serious situations, scammers may even try to bribe an employee, or threaten their physical safety, to force them to carry out an action that could put the organization at risk.
That's why, in addition to complying with the security rules, employees and associates must know how to identify the most common threats directed towards organizations – like phishing and malware – so that they remain alert to the risks and don't click on suspicious websites or open unknown files, links, and attachments.
Relationships with suppliers also call for caution, as some incidents occur when passwords used by third parties are not revoked after an employment contract has ended.
Finally, it's important to note that you don't need to be a cybersecurity expert to know about good cybersecurity practices. It's the small daily tasks that, executed with awareness and responsibility, form a real barrier capable of protecting the company's security.