Separate wheat from chaff in critical infrastructure

The stakes are high: every single piece of IT in an organisation matters, providing some or other function to the business. However, we all know that some systems are more important than others: ones without which operations will grind to a halt.

Spare a thought then for the pressure on IT teams in organisations where the stakes are higher still.

Paul Flavin, managing director of critical infrastructure specialists Triangle said that when it comes to mission-critical infrastructure, some organisations are in the firing line simply as a result of what they do.

“You can define mission-critical infrastructure in a lot of ways. The board of a fashion retailer would rightly regard their warehouse control systems or supply chain management systems as mission critical: the business will struggle to operate without them, but it won’t have an adverse effect on society.

“We look at the market in two ways: the organisations that are classified as being part of the nationally critical infrastructure and organisations that may not form part of this list but understandably want to safeguard their own mission-critical systems.”

Indeed, Ireland has an official list of nationally critical infrastructure, composed of organisations whose operation is central to the smooth functioning of society. However, even within these organisations, which includes areas such as energy, finance, health and transportation, not every IT system is classified as truly mission critical.

“These are the sectors that are critically important and they’re the ones that have to have very exacting plans. Within those you can’t just say ‘everything is mission critical’. A system to facilitate vacation booking or to capture overtime going down for 24 hours might be an inconvenience, but it won’t halt operations,” Flavin said.

This means organisations have to assess what infrastructure they have that has to remain entirely cyber resilient in the face of outages and cyberattacks.

As time moves on, awareness of the security threat has resulted in an evolution of standards – and a growing awareness of both organisational responsibility and the nature of the threat.

Frameworks such as the US National Institute of Standards and Technology (NIST) offer a pathway for compliance and many firms have adopted it as it is good practice.

“It’s now finding itself knitted into good governance. Indeed, the key difference in NIST 2 is governance and this means it goes up to board level: every c-suite executive needs to be aware of their responsibility,” he said.

A significant issue for businesses today is that consumer expectations are driving them to adopt methodologies that are more difficult to secure.

“With consumers, things are flexible and move at pace and that’s now copied by enterprises. The old ICT enterprise way of doing things, where everything was locked-down, that’s gone,” he said.

Absolutely you want to take advantage of the new technology, the next innovations are key, but you need to do it in a way that manages risk

This poses a problem: businesses do need to keep up to date, but they cannot allow vulnerabilities to creep in.

“Absolutely, you want to take advantage of the new technology, the next innovations are key, but you need to do it in a way that manages risk,” Flavin said.

At the same time, the ranks of the applications and systems deemed mission critical are swelling. Previously, what really mattered was internal systems of record, whereas today many more applications are jockeying for position, creating the paradoxical result that if every system is deemed mission critical then no system is treated as such.

“If you’re in a company, whether you’re in that mission-critical list or not, there are a lot of applications, so you have to ask what is critical and what is not,” he said.

“The telcos have a mission-critical business. If they go down that’s a real problem, and a problem for everyone. There is also an advanced persistent threat that is geopolitical in nature.

“You have to ask which systems are mission critical, but everyone will put their hand up. You have to be really strict and ask: what is required at 8am tomorrow to run this business?”

It differs by organisation and by sector, but around a quarter of systems in a business tend to be absolutely crucial for operations.

“There’s no point in someone in a telco saying this lovely widget on the website is mission critical. It’s nice for the customers, but if the network goes down, you’re goosed”.

And the threat is real. Analysts Gartner recently predicted that 30 per cent of ‘critical infrastructure organisations’ will experience a security breach by 2025.

Flavin said attacks are the reality today. “If you accept that you’re going to be hit, what is the most important thing? Recovery. You have to make your best efforts to stop them, but you also have to go straight to the worst part of the problem, because if you can’t recover then you have no business.”

Given the scale of the threat today, solutions providers like Triangle increasingly deploy artificial intelligence to assist clients. AI is combined with air-gapping backups to ensure that organisations can recover in the event of an attack, Flavin said, because tampering with backups is a key tactic of attackers.

“The first thing they do is puncture your lifeboat before they sink your vessel.”

Despite this, he cautioned against panic.

“You can panic people into stasis. This is a significant threat, but there are solutions,” he said.