Critical infrastructure: How cyber immunity will keep us safe

“I believe it is not possible to enter the cyber age without cyber immunity,” said Eugene Kaspersky (CEO & Co-Founder at Kaspersky) at #LEAP22.

We’re already living in the dawn of the cyber age. And as critical industries increase their reliance on virtual networks, we’re also entering a new era of global insecurity — because the cyber security solutions currently available are not capable of protecting industrial systems against attack.

But why can’t existing cyber security tech be scaled to protect critical infrastructure? And what can we do about it?

The weak spot of connected networks is…connectedness

The ability to connect systems and facilitate direct communication throughout every piece of a complex network is a superpower of the cyber age. But it could also be our downfall.

In 2013, Iranian hackers breached the Bowman Avenue Dam in New York. They gained control of the sluice gate, which wouldn’t have been a major national threat but would have caused disruption for local residents — except that, as reported by Industrial Cybersecurity Pulse, the sluice gate had been manually taken offline for routine maintenance.

The damage potential in this particular attack was minimal, but it highlighted bigger implications of global interconnectedness. In a statement, Preet Bharara (then-Manhattan U.S. Attorney) said,

“The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime. We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.”

Vulnerable infrastructure ranges from nuclear power plants and oil refineries to water systems, transport, and manufacturing. In fact, according to the annual IBM X-Force Threat Intelligence Index report, manufacturing was the most attacked industry in 2021 — and while this is clearly a huge problem for the private sector, it also has the potential to disrupt supply chains for critical industries, including food production.

Kaspersky told us that his company collects about 380,000 new unique malicious applications every day, developed by thousands upon thousands of criminals around the world. But the current technology works for private businesses because it can detect suspicious activity, and facilitate risk management by enabling those businesses to predict and balance out the effects of an attack.

“You invest in cyber security and balance the risks,” Kaspersky said quite simply.

This strategy does not, however, work for critical industries. Why? Because the damage is unpredictable. While a private company can estimate financial losses, critical industries come with bigger implications: “What happens if a power plant is under attack?” Kaspersky asked. “What happens if critical industries are victims of highly professional hacker attacks?”

Current cyber security solutions sit on top of a network and look down into it, but they don’t actually make an attack impossible. Kaspersky likened it to the difference between wearing a mask and getting a vaccine; the mask (cyber security) works for private enterprises, but critical industries need the vaccine. They require cyber immunity. And that has to be built into the DNA of a system.

So we have to protect critical infrastructure by isolating each piece

In order to make this happen, Kaspersky is developing a system in which security is built into the architecture of a network, with unique permissions for each piece of that network.

“Every piece of the system speaks to [the others] on the security layer, and the security layer checks permissions. Every piece of the system has its own, very secure behaviour, and you can’t change that.”

Essentially, it’s a system of isolation — an attack on one part of the system will remain isolated there, and will not affect any other piece of the system. This is what Kaspersky means by ‘cyber immunity’ — the doors in the system are closed to prevent the movement of malware from one area to another. The nature of a system like this is limited in functionality; but when a system’s weak spot is its interconnectedness, it makes sense to reduce the interconnectedness of critical systems.

But even when the immunity tech is ready and operational, Kaspersky and partners will face the challenge of shifting behaviour and mindsets around cyber security. In the U.S., The National Institute of Standards and Technology (NIST) has found that in spite of cyber threats against industrial systems, users of said systems are often reluctant to adopt security tech because of their impact on system performance. So it’s reasonable to expect that users will be wary of a system that isolates every piece and implements rigorous permissions access.

It’s a different way of thinking about technology in 2022. We’re constantly driving for more connection, faster communication, more synchronised and streamlined operations. But the uncomfortable truth is that when we become so committed to those functions — to the point where they are transcending tech and becoming human values in a global culture that revolves around connectivity — we also put ourselves at risk. And while more and more of the world’s critical infrastructure relies on cyber security, the implications of an attack are potentially catastrophic.

Cyber immunity doesn’t exist yet. But when it does, it may well become a non-negotiable solution to keep industries safe in the cyber age.