Critical infrastructure sectors -- from communications and energy to transportation and water -- are subject to risk, just like any other organization. Understanding the top risks and how to manage them is key.
Before delving into the top risks, let's clarify what cyber-risk is and how it's properly understood for critical infrastructure.
Risk vs. cyber-risk
The simplest definition of risk is the probability of loss -- that is, how likely is it that some unwanted event might happen and how bad would it be if it did. This can be expressed as a formula:
RISK = event-likelihood x event-consequence(s)
What distinguishes traditional infrastructure risk from cyber-risk is two additional factors: cyber threats and cyber vulnerabilities. Unlike a traditional risk such as an accident or fire, cyber-risk carries an added intelligent, highly skilled threat actor who -- from a distance -- can hide in a network and exploit weaknesses in computing technologies, which makes it far more harmful. Now, the formula becomes more complex:
CYBER-RISK = (cyber-threat x cyber-vulnerabilities) x (event-likelihood x event-consequence(s))
Adding the threat actor into the equation helps illustrate why cyber-risk is so challenging.
What is critical infrastructure cyber-risk?
Critical infrastructure cyber-risk lies at the dangerous intersection of traditional critical infrastructure risks and the newer cyber threats.
Traditional critical infrastructure risks include the following:
- Operational risk involves operations downtime and the inability to perform the company's mission.
- Safety risk includes physical harm or death to employees and other people nearby.
- Environmental risk encompasses toxic physical harm to land, waterways, animals, foliage and people.
- Fires/explosions/equipment damage can cause physical harm to the plant and surrounding community.
- Financial risks include regulatory fines and penalties, loss of license to operate, civil and criminal actions, cleanup and remediation costs, reputation loss and stock price loss.
- National security risks can consist of supply chain disruptions leading to loss of basic civilizational needs, such as food, drinking water, heat, fuel and electricity.
When you combine a threat actor remotely attacking critical infrastructure and the physical impacts that can result, you have a recipe for national mayhem. This is why governments are increasingly concerned about critical infrastructure cybersecurity.
Top critical infrastructure cyber-risks
With a clearer understanding of the definition, we can list the top critical infrastructure cyber-risks:
- operational risk
- safety risk
- environmental risk
- fires/explosions/equipment damage
- financial risks
- national security risks
Surprise -- it's the same list as traditional risks. It isn't the types of risk that have changed; it's the probabilities that have changed with the addition of the cyber threats.
Let's look at ransomware as an example. Ransomware is often called a risk, but it is not. Ransomware is a threat. This is not merely a semantic issue, as this distinction is fundamental to properly understanding the actual risk.
Let's plug a ransomware example into our formula:
CYBER-RISK = (threat (Dharma ransomware family) x vulnerabilities (Citrix CVE-2019-19781, Windows CVE-2021-36942)) x (likelihood (high/medium/low) x consequences (operational shutdown, revenue loss, ransom payment, other financial consequences, other national security consequences))
Here's a different, even more troubling example. Let's look at nation-state threat:
CYBER-RISK = (threat (nation-state attacker) x vulnerabilities (zero-day safety-system vulnerability)) x (likelihood (high/medium/low) x consequences (operational shutdown, revenue loss, fatalities, fire/explosion, equipment damage, environmental toxic release, other financial consequences, other national security consequences))
These examples show why it is so important to properly identify, assess and quantify risks -- not just threats. Security professionals can't just tell C-level executives: "We have ransomware risk," or "We have nation-state risk." That's not giving them anything useful. Executives need to know what can happen, the potential range of impacts and how likely various scenarios are. The best way to do this is to perform a formal risk assessment.
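To make the formula concrete, here is an added example (not from the article) that scores the two scenarios above with the article's formula and turns them into the kind of risk register an executive can read: what can happen, the range of impact per category, and how likely. All scores are constructed on an assumed 1-5 ordinal scale; the Scenario class, risk_register function and the numbers are illustrative, not a published method.

```python
from dataclasses import dataclass

# The article's six traditional risk categories, reused as consequence buckets.
CATEGORIES = ("operational", "safety", "environmental",
              "fire/explosion/equipment", "financial", "national security")


@dataclass
class Scenario:
    """One cyber-risk scenario: a threat paired with vulnerabilities, plus the
    traditional likelihood x consequence terms. All scores use an assumed 1-5
    scale; consequences are (low, high) impact ranges per category."""
    name: str
    threat: int
    vulnerability: int
    likelihood: int
    consequences: dict[str, tuple[int, int]]

    def __post_init__(self):
        unknown = set(self.consequences) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown consequence categories: {unknown}")

    def cyber_factor(self) -> int:
        # The article's (cyber-threat x cyber-vulnerabilities) term.
        return self.threat * self.vulnerability

    def risk_range(self) -> dict[str, tuple[int, int]]:
        # CYBER-RISK = (threat x vuln) x (likelihood x consequence), per category.
        f = self.cyber_factor() * self.likelihood
        return {cat: (f * lo, f * hi) for cat, (lo, hi) in self.consequences.items()}

    def worst_case(self) -> int:
        return max(hi for _, hi in self.risk_range().values())


def risk_register(scenarios: list[Scenario]) -> list[tuple[str, int, str]]:
    """Rank scenarios by worst-case score and name the category driving it,
    so the report says what can happen and how bad, not just 'we have X risk'."""
    rows = []
    for s in scenarios:
        cat, (_, hi) = max(s.risk_range().items(), key=lambda kv: kv[1][1])
        rows.append((s.name, hi, cat))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scores for the article's two scenarios (illustrative only).
RANSOMWARE = Scenario(
    "Dharma ransomware via Citrix CVE-2019-19781 / Windows CVE-2021-36942",
    threat=4, vulnerability=5, likelihood=4,
    consequences={"operational": (3, 5), "financial": (2, 4), "national security": (1, 2)})
NATION_STATE = Scenario(
    "Nation-state actor with zero-day safety-system vulnerability",
    threat=5, vulnerability=4, likelihood=2,
    consequences={"operational": (4, 5), "safety": (4, 5), "fire/explosion/equipment": (3, 5),
                  "environmental": (2, 5), "financial": (3, 5), "national security": (3, 5)})

if __name__ == "__main__":
    for name, score, cat in risk_register([RANSOMWARE, NATION_STATE]):
        print(f"{score:4d}  {cat:<25} {name}")
```

With these constructed scores the ransomware scenario outranks the nation-state one on likelihood-weighted worst case even though the nation-state consequences are more severe, which is exactly the kind of result a formal assessment surfaces and a bare "we have nation-state risk" hides.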