The Cyber and Infrastructure Security Centre (CISC) highlighted in its inaugural annual risk assessment that the merging of operational technology (OT) and information technology (IT) is amplifying the threats to critical infrastructure.
The annual review of Critical Infrastructure, available in PDF format, highlights the growing risk associated with the integration of Internet of Things (IoT) technologies. This integration, coupled with IoT rollouts, introduces a potential avenue for lateral movement between systems, leading to the possibility of catastrophic cascading consequences, as stated in the report.
Furthermore, the adoption of IoT in critical infrastructure is contributing to an increased reliance on third-party inputs for information, data sharing, and data analytics, posing additional security challenges. The report expresses concerns that the rapid digitization embraced by companies is outpacing our collective cyber literacy and security practices.
One alarming issue outlined in the review is the potential presence of pre-positioned malicious code within critical infrastructure networks, making it difficult to fully understand and mitigate the extent of this threat. A North American incident cited in the report revealed the discovery of possibly malicious code hidden within critical infrastructure networks, including those responsible for power, communication, and water supply. The removal of identified code is a delicate task, as it may inadvertently alert adversaries, facilitating future exploit attempts.
The report also draws attention to the risks posed by individuals, particularly the recruitment of "disgruntled employees" by foreign intelligence services through dark web job advertisements. Additionally, the ongoing trend of remote work is identified as a challenge, as offsite connectivity may decrease the detectability of potential threats and increase the risk of trusted insiders removing local data or providing unauthorized access to third parties.
