The attack surface of critical infrastructure is constantly expanding, making it prone to data breaches, ransomware and zero-day vulnerabilities, which are software security flaws or weaknesses unknown to an organisation that can be exploited before a fix is available. As supply chains become more interconnected, society must confront how it defends and invests in keeping these vital systems and services safe.

The size of Europe’s cyber security market, measured by revenues, is estimated by Mordor Intelligence to be $51.75bn in 2023. It expects the market to grow at a compound annual growth rate of 12.34% to reach $83.5bn by 2028. Despite this level of investment, the number of cyber attacks and highly public breaches is growing. For various reasons, many critical infrastructure institutions are still vulnerable to cyber incidents. These include increasingly sophisticated threat actors, outdated technology and legacy systems, inadequate security measures, insider threats, insufficient training and awareness, and resource limitations. Additionally, the proportion of nation-state attacks on critical infrastructure doubled (from 20% to 40%) between July 2021 and June 2022. 


Investing for the future

This year, 48% of critical manufacturing organisations scored C, D or F on SecurityScorecard’s security ratings platform. These operate across sectors that produce primary metals, machinery, electrical equipment and components, and transportation equipment. New research estimates that the breakout time, or how long it takes a hacker to take over an entire network after infecting the first computer, has gone down from 84 minutes to 79 minutes. 

With this in mind, organisations in critical infrastructure sectors need to invest in technologies, people and processes that can respond quickly and decisively to any type of threat. But what does that look like? In the world of cyber security, this requires three key things. 

First, governments must allocate the funding necessary to develop and enhance cyber security measures, namely advanced technologies, security audits and training. Second, there must be a shared sense of responsibility between the public and private sectors. Information sharing and collaboration are vital, and mean exchanging threat intelligence and best practices. Third, governments must enact and enforce regulations that mandate critical infrastructure operators to meet specific requirements, ensuring a minimum level of security across sectors. We’ve seen a spike in this area, with recent regulations from the White House, the US Securities and Exchange Commission, and the EU’s Digital Operational Resilience Act, better known as Dora.


Weak links


Third-party cyber risk has become a major issue, causing some of the biggest breaches in recent history, including the SolarWinds and Log4j incidents and the compromise of the file transfer service MOVEit, to name a few. SecurityScorecard research from this year found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the past two years. As a result, organisations are realising they can no longer rely on static security assessments of their supply chain, but must instead continuously monitor cyber security risk across their vendor ecosystem.

To gain trust and improve resilience, organisations providing critical infrastructure need a simple way to measure risk and quantify the trustworthiness of any other organisation. Security ratings are a recognised and trusted source based on objective, data-driven metrics for cyber security performance. They also provide a common language with which to assess and mitigate risk. This allows organisations to identify the cyber risks posed by all suppliers, including third- and fourth-party vendors, and make informed decisions to help their partners strengthen their own cyber defences.

Maintaining trust

It should go without saying that protecting critical infrastructure during armed conflicts and geopolitical instability is critical to ensuring the safety of civilians, maintaining essential services and facilitating post-conflict recovery. Identifying vulnerable spots, implementing strict access controls, establishing back-up systems and redundancies, and setting up clear channels of communication are all strategies that should be in place.

A proactive approach to increasing the cyber resilience of critical infrastructure is necessary to ensure the continued delivery of vital services. The move towards cyber metrics, regulations and a strengthened supply chain all point to a more secure future, where organisations improve their cyber security health both for their own sake and for the greater good. With a more transparent and measurable view of cyber risk, critical infrastructure institutions can not only become more sustainable, but preserve trust as well.

Aleksandr Yampolskiy is CEO and co-founder of SecurityScorecard
