The convergence of operational technology (OT) and IT is compounding the risks to critical infrastructure, the Cyber and Infrastructure Security Centre (CISC) has said in its first annual risk assessment.
The Critical Infrastructure Annual Review [pdf] added that these, together with IoT rollouts, creates a vector for lateral movement between systems, which “can create catastrophic cascading consequences”.
“Adoption of IoT in critical infrastructure also leads to a growing integration of third-party inputs for information, data sharing and data analytics,” the report added.
Companies’ enthusiasm for digitisation also worries the CISC, which said that is ‘outpacing our cyber literacy and security practices”.
The organisation is also concerned that bad actors are hiding malicious code in critical infrastructure networks for later exploitation.
“Pre-positioned malicious code”, the report stated, is hard to mitigate “as the full extent of this threat remains elusive”.
The review cited an experience from North America, where possibly malicious code was found “hidden inside critical infrastructure networks” including power, communication and water supply.
“Removing any identified code may alert adversaries to what has been found, aiding future attempts,” the report said.
The CISC is also concerned at the risks posed by people.
“Disgruntled employees” recruited by foreign intelligence services through dark web job ads are another risk, the review said.
The work-from-home revolution is also causing problems, because offsite connectivity “may reduce the detectability and overall difficulty for a trusted insider to remove local data or provide access to a third party.”
