Critical Infrastructure: Downtime is simply not an option

In October last year, the Singapore government passed the Infrastructure Protection Bill – laws to improve protection for iconic buildings providing essential services, with failure to do so resulting in fines of up to S$200,000 and jail of up to two years. 

The aim is to make critical infrastructure more resilient to the major disruption that could be caused by things like power outages, hardware failures and environmental issues. This ramped-up approach takes into account the fact that critical infrastructure is increasingly a target for cyber-attacks. Who could forget the two major hospitals in Indonesia hit by WannaCry last year, affecting hundreds of hospital staff and patients?

In observance of World Availability Day today (30 March), here are my thoughts on the ‘new era of warfare’ that we have inadvertently found ourselves in, and the need for our critical infrastructure organisations to be better primed for the inevitability of cybercrime.

A matter of when, not if
As Singapore moves towards becoming a smart nation, Prime Minister Lee Hsien Loong has recognised protection of critical infrastructure as a matter of national importance.

The consequences of an attack on critical infrastructure are potentially catastrophic – and not just in terms of business continuity and reputational damage, or lost revenue, privacy and trust. Far bigger issues are at stake when it comes to critical infrastructure being compromised. The crippling ramifications it could have on daily life and public welfare, for instance, range all the way from economic chaos to the disruption of essential services. Or, in worst-case scenarios, citizen injury or death.

Worryingly, as a community we’re still a long way from even understanding the causes of these infrastructure breaches. A 2015 Black Hat investigation found that hackers have been penetrating systems for at least a decade, with little known about how they gain access. And little has changed since then. With prevention and proactive response both struggling, back-up becomes increasingly vital.

The vulnerability problem
Vulnerabilities in our critical infrastructure aren’t only caused by failure to comply with security standards. Nor are they necessarily caused by lack of awareness on the part of industry bosses. Instead, a big part of the problem is that many of the key computer systems that run critical infrastructure are legacy – powerful, yes, but not fit for modern day protection against hackers.

These industrial-grade security systems are designed to protect physical assets and entry points, but as more critical public services become supported by data networks and cloud-hosted assets, the shift to bolster cyber security is becoming a matter deserving urgent attention.

Availability is key
The role of cloud services in critical infrastructure is undeniable, with many of Singapore’s digital initiatives relying on cloud technology, and the success of the Smart Nation Programme depending on a healthy cloud ecosystem. 

IT leaders in the industry must be given the support and budget to bolster their data networks and develop robust business continuity systems. Simply having a data back-up system is no longer enough; it’s vital that critical infrastructure providers embed orchestration and automation as core components of their networks if they are to meet the latest recovery objectives and ensure minimal disruption to business availability and – crucially – to public welfare.

Whether an attack is made through sheer devilment or outright warfare, it has the potential to debilitate essential services – which is not a risk that providers should be willing to take, especially when we’re talking about the very services that are vital to the proper functioning of the economy and society, like power grids, water supplies, transport networks; public health, financial and security services; electricity, gas, agriculture, telecoms – the list goes on.

The point is simple: when it comes to critical infrastructure, downtime simply isn’t an option. The impending regulatory penalties for organisations that don’t get their security act together are not just arbitrary fines. They’re an object lesson in the importance of available critical infrastructure, for the sake of business continuity and public welfare alike.