Know Your Adversary: Why Tuning Intelligence-Gathering to Your Sector Pays Dividends

Critical national infrastructure (CNI) sites and providers are targeted by some of the most advanced and persistent threat actors in the world. The nature of CNI – which encompasses everything from communications and transportation industries to energy networks and water utilities – makes it the ideal high-profile target for ideologically motivated threat actors. Successful attacks demonstrate adversary infiltration and digital superiority. To compound the challenge, CNI has become increasingly vulnerable due to ongoing digital transformation efforts. While these are essential to provide the level of service expected by today’s citizens, growing digital dependence unavoidably introduces a plethora of new risks and interdependencies between disparate systems and services that can be cumbersome to identify and manage.

I was reminded of this with two recent stories that appeared in the press, one in The Wall Street Journal: U.S. Fears Undersea Cables Are Vulnerable to Espionage From Chinese Repair Ships. Google, Meta Platforms and other digital service providers have shared ownership of many cables that carry cross-global internet traffic, but they rely on third-party maintenance specialists, including some with foreign ownership. U.S. officials are concerned that these cables could be vulnerable to tampering by Chinese-owned repair ships. Another story concerns attacks on rural US water system facilities, of which there have been several over recent years attributed to bad actors backed by Russia and Iran.

Similarly, the federal Government – together with peers from the UK, Canada, Australia and New Zealand – recently warned that state-sponsored Chinese hacker group Volt Typhoon had infiltrated CNI networks in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors, and had been inside these networks for more than five years. Still more concerningly, authorities warned that the nature of the compromise did not follow typical intelligence-gathering or espionage-related patterns, but instead appeared to be the precursor to planned attacks on major infrastructure sites. Both these stories indicate an escalation in adversary activity, moving from reconnaissance to pre-attack phases.

Cyber attacks in CNI cause widespread disruption

Protecting Critical National Infrastructure sites is essential because any disruption to these systems can have serious consequences for citizens. For example, a cyberattack on a power grid or water supply network can result in the widespread disruption of essential services, potentially putting people’s lives in danger. Such disruptions also negatively impact public confidence and citizens’ views on the competence of suppliers. Likewise, protecting these facilities is important economically as interruptions can result in substantial financial losses and cause interference with the supply chain and business operations. Such sites are also heavily interdependent, and a disruption in one sector can ripple across others to cause significant issues across the wider economy.

But of equal importance, the uninterrupted operation of these facilities contributes to national security and to the country’s reputation as a stable, safe place to live. That’s why they are a political target. Even if infiltration is eventually discovered, as in the Volt Typhoon example, the fact it has happened at all and remained undetected for so long impacts trust in the affected sectors and allows adversaries to send a message of digital superiority.

Consequently, protecting Critical National Infrastructure – and being seen to do so effectively – is crucial for maintaining national security, protecting reputations, and preventing large-scale disruption.

Challenges for CNI cybersecurity protection

On top of its attractiveness to adversaries, the CNI sector is characterised by other factors making cybersecurity a challenge.

Key among these is legacy technology integration. Physical infrastructure such as water, gas and electricity networks existed long before digitisation, and technology networks were mapped onto them retrospectively. As a result, many are controlled by a variety of ageing, standalone industrial control systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems. Initiatives to link such systems with modern cloud-based controls and IoT-based monitoring have been generally successful, but have also introduced further risks and opportunities for bad actors to infiltrate. For example, a vulnerability emerging in a legacy SCADA system may be difficult to address without disrupting operations, leading to delays in fixing it and a larger window of opportunity for adversaries.

Know your adversary

All the above serves to underline that there is no one-size-fits-all approach when it comes to collecting, assembling, and analyzing threat intelligence about adversaries. There is a vast amount of information available – from open source, externally curated intelligence feeds and internal threat intelligence data, but without tuning your approach to fit your sector, amongst other variables, you’ll be faced with an unmanageable amount of noise. An emerging threat may generate a lot of attention, but if it turns out that it is primarily targeting the retail sector, as a CNI provider you don’t want to waste limited resources on it.

As you may have gathered, the adversaries that target CNI have certain characteristics and motivations, and the CNI sector has distinct characteristics, which are reflected in the TTPs used to target the sector. It is interesting that the Volt Typhoon announcement identified a change in tactics that alerted authorities to an alteration in approach – this kind of insight can only be achieved if you know your adversary and how they typically behave, so that when they deviate from that approach, you are alerted. Highly tuned threat intelligence gathering and analysis will have been vital to gaining this insight.

So how do you go about tuning your systems to enhance protection? Here are some tips:

• Establish the context of your environment: Ensure you understand its inherent vulnerabilities, regulatory constraints, and the resources at your disposal.
• Gain situational awareness: Integrate vulnerability data from across the entire infrastructure including cloud, on-prem, IoT, mobile and legacy systems.
• Consolidate and filter your intelligence feeds: Using the context and data above, filter your intelligence feeds to eliminate noise and prioritize the active threats with the highest potential impact and severity.
• Move from reactive to proactive: once you have a stronger understanding of your adversary, you can start proactively hunting evidence of their operations.

By tuning threat intelligence in this way, CNI providers can strengthen their response to the escalating threat environment, better understand their adversaries and armed with this information, begin to operate proactively to detect and respond to infiltrators.