New technologies, human-machine interfaces & government demands increase pressure on contractors to ensure consistent, robust security
While best known for its impressive physical presence (think power plants), society’s critical infrastructure largely operates digitally via Industrial Control Systems (ICS): human-machine interfaces that bridge the digital and physical. Unfortunately, locked doors and security guards no longer keep threats at bay. As the frequency of cyberattacks on critical infrastructure rises, the organizations contracted to provide and manage these vital resources and services hold the public’s safety in their hands.
Critical infrastructure refers to the essential systems and assets that keep society and the economy afloat. Water treatment facilities, major financial services, telecommunications centers, ports, transportation networks—destabilizing or disrupting any of these can cripple supply chains, jeopardizing what humans need most: sustenance, healthcare and protection from extreme temperatures, not to mention quality of life essentials like light, internet connectivity and free movement.
Cyberattacks are never good, but successful attacks on critical infrastructure precipitate public emergencies, threatening lives and leading to catastrophe. Security in this arena is, therefore, as critical as the infrastructure under its protection.
We have seen throughout history what happens when critical infrastructure fails due to natural or manmade destruction: A malfunctioning power plant turns entire regions cold, dark and dangerous. A downed bridge or airport brings food insecurity overnight.
Despite the high stakes involved with critical infrastructure breaches, contractors and service providers often fail to implement appropriate security policies and technologies, leading to outdated or ineffective software, credentials and passwords.
Critical Infrastructure: A Favorite Target for Cybercrime
In the US, the Director of National Intelligence (DNI) shared a report by the Cyber Threat Intelligence Integration Center that highlighted the growing number of cyberattacks on critical Industrial Control Systems (ICS) in late 2023 and 2024.
In one instance in early 2024, attackers gained access to the control systems of two water facilities in Texas, managing to deactivate pumps and alarms to overfill tanks past shutoff levels.
This report reflects a broader global trend in which cyberattacks are increasing in frequency. In Luxembourg, the number of cyberattacks doubled year on year in Q2 2024, averaging nearly 1,200 attacks on commercial and government entities per week.
Last year, German defense and auto firm Rheinmetall AG reported a data breach affecting its automotive operations, similar to a malware attack that occurred in 2019. In 2017, an aerospace engineering firm was hacked and sensitive information about Australia’s navy and defense programs was compromised.
Securing Industrial Control Systems
Industrial control systems, unlike information technology (IT) systems, remotely control or automate physical processes. By hacking human-machine interfaces, cybercriminals can control the physical actions of industrial machinery.
The US Cybersecurity and Infrastructure Security Agency, Water Information Sharing and Analysis Center, Environmental Protection Agency and FBI outline four top recommendations to help reduce ICS attacks:
- Immediately change default passwords
- Conduct inventory of ICS assets, identifying vulnerable devices & managing common vulnerabilities & exposures
- Implement user access controls & multifactor authentication for remote access
- Complete a cybersecurity risk assessment that examines how to reduce exposure to public-facing internet
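The four recommendations above can be turned into a repeatable check over an asset inventory. The following is an added example, not code from the agencies or from this article: it audits a constructed sample inventory and ranks assets by finding. The column names, rule weights and asset names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions for this example.
INVENTORY_CSV = """\
asset,type,default_password,internet_facing,remote_access,mfa,open_cves
hmi-pump-01,HMI,yes,yes,yes,no,2
plc-tank-02,PLC,no,no,no,no,1
hist-srv-03,Historian,no,yes,yes,yes,0
eng-ws-04,Workstation,no,no,yes,no,0
"""

# (finding, assumed weight, predicate): one rule per recommendation in the list.
RULES = [
    ("default password still set", 5, lambda a: a["default_password"]),
    ("remote access without MFA", 4, lambda a: a["remote_access"] and not a["mfa"]),
    ("reachable from the public internet", 3, lambda a: a["internet_facing"]),
    ("unremediated CVEs", 2, lambda a: a["open_cves"] > 0),
]

def load_inventory(text):
    """Parse the CSV and normalise yes/no and numeric columns."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        asset = {"asset": row["asset"].strip(), "type": row["type"].strip()}
        for col in ("default_password", "internet_facing", "remote_access", "mfa"):
            value = row[col].strip().lower()
            if value not in ("yes", "no"):
                raise ValueError(f"{asset['asset']}: {col} must be yes/no, got {value!r}")
            asset[col] = value == "yes"
        asset["open_cves"] = int(row["open_cves"])
        assets.append(asset)
    return assets

def audit(assets):
    """Return (asset, score, findings) tuples, highest risk first."""
    report = []
    for a in assets:
        findings = [(name, w) for name, w, check in RULES if check(a)]
        score = sum(w for _, w in findings)
        if a["internet_facing"] and a["default_password"]:  # compounding exposure
            score += 5
        if findings:
            report.append((a["asset"], score, [n for n, _ in findings]))
    return sorted(report, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, score, findings in audit(load_inventory(INVENTORY_CSV)):
        print(f"{score:>2}  {name:<12} {'; '.join(findings)}")
```

Malformed yes/no values raise an error rather than defaulting to "no", so an incomplete inventory cannot silently pass the audit.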
Defense Industry Threats: From Trench Warfare to Cyber Crime
The defense industry serves government militaries, but beyond that unifying factor, the industry is incredibly diverse, encompassing communications systems, logistics, electronics, R&D, operational support, weaponry, machinery and more.
Along with other providers of critical infrastructure, the defense industry faces sophisticated adversaries backed by nation states with particularly nefarious objectives, e.g.:
- Seizure of sensitive IP or military intel
- Access to systems in order to control, tamper or eavesdrop
Successful large-scale attacks have propelled governments to involve themselves in the cybersecurity of defense contractors. In the US, for example, the Department of Defense published a strategy in 2024 for strengthening the cybersecurity of the organizations and facilities providing defense materials to the US government.
For its part, Europe’s association of security, defense and aerospace companies (ASD) has been vocal in its push for harmonized and increased security standards, including across cloud infrastructures.
Assessment & Security: PKI & KMS Partnerships
New government standards and evolving threats incentivize organizations to elevate and harmonize their cybersecurity, enabled largely by solutions in the following areas:
Public Key Infrastructure (PKI):
- Authentication & Digital Signatures: Create, manage & revoke digital certificates; verify the identity of senders to establish secure connections
- Encryption: Facilitate secure data transfers in all areas of operation
Key management systems (KMS):
- Gain unified oversight of footprint-wide encryption practices
- Handle all key management processes via one user-friendly platform
- Define user permissions based on highly specific categories
Cryptography expertise:
- Take inventory of cryptographic material
- Identify vulnerabilities & assess risk
- Develop encryption strategies & solutions
- Implement & monitor solutions
Providers of critical infrastructure rely on innovation partnerships to bring their cybersecurity up to par and meet the contractual demands of governments.
These partners must understand the constraints and demands placed on both contractors and governments. State-owned Keys&More provides PKI and KMS solutions to governmental entities and private companies, utilizing in-house encryption expertise and a vendor-agnostic approach to develop custom solutions.
By partnering, critical infrastructure and defense organizations access crucial cryptographic expertise and services, the first step in better protecting their data, their communities and their governments.