The Biggest Cyber and Physical Security Threats to Critical Infrastructure by Fas Mosleh, ex-HP, ex-IBM, ex-Broadcom. Discusses how critical infrastructure can be compromised by physical and security threats. Critical infrastructure refers to the systems, facilities, and networks that are essential to the functioning of a society and its economy. These are the assets that, if damaged or disrupted, could have a significant impact on public health and safety, economic security, and national security. Social engineering: This involves manipulating people into divulging sensitive information or taking actions that compromise security. Phishing is a primary example of such manipulation and is still one of the most prevalent types of attack. According to the 2021 Data Breach Investigations Report by Verizon, phishing was involved in 36% of all data breaches, making it the top threat action in the report. Phishing attacks are also becoming increasingly sophisticated and targeted, with attackers using social engineering tactics to trick victims into divulging sensitive information or downloading malware. This can include impersonating trusted individuals or organizations, creating convincing fake websites or emails, and using urgent or threatening language to pressure victims into taking action. According to the 2021 State of the Phish Report by Proofpoint, 75% of organizations surveyed reported being targeted by phishing attacks in 2020, and 59% of those attacks were successful in compromising at least one user account or system. The report also found that COVID-19 related phishing attacks were particularly prevalent in 2020, taking advantage of the pandemic to trick victims into providing personal information or downloading malware. 5. Distributed denial of service (DDoS) attacks: These attacks flood a system with traffic, overwhelming it and causing it to crash or become unavailable. 6. Advanced persistent threats (APTs): APTs are sophisticated, long-term attacks that target specific organizations and can involve multiple stages of infiltration and exfiltration. According to the 2023 CrowdStrike Global Threat Report, An uptick in social engineering tactics targeting human interactions – Tactics such as vishing direct victims to download malware and SIM swapping to circumvent multi-factor authentication (MFA).

1. The Biggest Cyber and Physical Security
Threats to Critical Infrastructure
Introduction: Critical infrastructure refers to the systems, facilities, and networks that are
essential to the functioning of a society and its economy. These are the assets that, if damaged or
disrupted, could have a significant impact on public health and safety, economic security, and
national security.
Examples of critical infrastructure include:
1. Energy systems (power plants, oil and gas refineries, pipelines)
2. Transportation systems (highways, bridges, airports, railways, ports)
3. Communication systems (telecommunications, internet, data centers)
4. Water and wastewater systems (dams, reservoirs, treatment plants)
5. Financial systems (banks, stock exchanges, payment systems)
6. Emergency services (police, fire, and ambulance services)
7. Healthcare systems (hospitals, clinics, medical supply chains)

2. Of the many cyber and physical security threats to critical infrastructure here are some key ones:
1. Malware and ransomware attacks: Malicious software can infiltrate a system and cause
damage or disruption to operations, and ransomware can encrypt files and demand payment in
exchange for the decryption key.
There have been several high-profile ransomware attacks on critical infrastructure in recent
years, including attacks on energy and water utilities, transportation systems, and healthcare
providers. Some recent statistics on ransomware attacks on critical infrastructure:
 In 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported a
significant increase in ransomware attacks on industrial control systems (ICS) and critical
infrastructure. These attacks involved a range of sectors, including manufacturing,
energy, and transportation.
 According to a report by cybersecurity firm Dragos, there were at least five ransomware
attacks on operational technology (OT) networks in 2020, including attacks on energy
and manufacturing companies. Dragos also said in February 2023 that ICS/OT
ransomware attacks are up 87%.
 The 2021 Data Breach Investigations Report by Verizon found that ransomware was
involved in 10% of all data breaches in the public sector, which includes critical
infrastructure organizations.
 In May 2021, the Colonial Pipeline, which supplies fuel to much of the eastern United
States, was hit by a ransomware attack that caused a temporary shutdown of its
operations. This incident highlighted the vulnerability of critical infrastructure to cyber
attacks.
 According to a report by cybersecurity company CrowdStrike, the number of ransomware
attacks on critical infrastructure increased by 158% in the first half of 2021 compared to
the same period in 2020.
 According to the 2023 CrowdStrike Global Threat Report, eCrime actors moving beyond
ransom payments for monetization – 2022 saw a 20% increase in the number of
adversaries conducting data theft and extortion campaigns. China-nexus espionage surged
across all 39 global industry sectors and 20 geographic regions tracked by CrowdStrike
Intelligence – Rise in China-nexus adversary activity shows that organizations across the
world and in every vertical must be vigilant against the threat from Beijing.

3. 2. Insider threats: Malicious insiders can use their access to cause damage or steal sensitive
information. Here are some famous examples of cybersecurity insider threats that have
succeeded in causing damage:
 Edward Snowden: In 2013, Snowden, a former contractor for the U.S. National Security
Agency (NSA), leaked classified documents to the media that revealed the extent of the
agency's surveillance activities. The leak caused widespread controversy and prompted
changes in how the U.S. government conducts surveillance.
 Harold Martin: In 2016, Martin, a former contractor for the NSA, was arrested for
stealing classified information from the agency. He was found to have taken terabytes of
data over a period of two decades, including highly sensitive information about U.S.
intelligence capabilities.
 Chelsea Manning: In 2010, Manning, a former U.S. Army soldier, leaked classified
documents to Wikileaks that included diplomatic cables, military reports, and other
sensitive information. Manning was convicted of espionage and other charges and
sentenced to 35 years in prison, although her sentence was later commuted by President
Barack Obama.
 Harold T. Martin III: In 2020, Martin, a former contractor for the National Security
Agency (NSA), was sentenced to nine years in prison for stealing classified information
from the agency. The stolen data included hacking tools and other sensitive information
that Martin had stored on his personal devices.
3. Physical attacks: Physical attacks on critical infrastructure, such as sabotage or destruction
of equipment, can also pose significant cybersecurity risks. Examples include:
 Sabotage: This involves intentionally damaging or destroying critical infrastructure
assets, such as by planting explosives near a key bridge or dam.
 Theft: This involves stealing critical infrastructure assets or materials, such as copper
wiring from a power substation or fuel from an oil refinery.
 Vandalism: This involves damaging or defacing critical infrastructure assets, such as by
graffiti or destruction of communication lines.
Physical attacks on critical infrastructure can have serious consequences, including loss of life,
environmental damage, and economic disruption. It's important for organizations responsible for
critical infrastructure to have physical security measures in place to prevent and respond to
physical attacks. These measures may include surveillance cameras, physical barriers, access
controls, and emergency response plans.

4. 4. Social engineering: This involves manipulating people into divulging sensitive information
or taking actions that compromise security. Phishing is a primary example of such manipulation
and is still one of the most prevalent types of attack. According to the 2021 Data Breach
Investigations Report by Verizon, phishing was involved in 36% of all data breaches, making it
the top threat action in the report.
Phishing attacks are also becoming increasingly sophisticated and targeted, with attackers using
social engineering tactics to trick victims into divulging sensitive information or downloading
malware. This can include impersonating trusted individuals or organizations, creating
convincing fake websites or emails, and using urgent or threatening language to pressure victims
into taking action.
According to the 2021 State of the Phish Report by Proofpoint, 75% of organizations surveyed
reported being targeted by phishing attacks in 2020, and 59% of those attacks were successful in
compromising at least one user account or system. The report also found that COVID-19 related
phishing attacks were particularly prevalent in 2020, taking advantage of the pandemic to trick
victims into providing personal information or downloading malware.
5. Distributed denial of service (DDoS) attacks: These attacks flood a system with traffic,
overwhelming it and causing it to crash or become unavailable.
6. Advanced persistent threats (APTs): APTs are sophisticated, long-term attacks that target
specific organizations and can involve multiple stages of infiltration and exfiltration.
According to the 2023 CrowdStrike Global Threat Report, An uptick in social engineering tactics
targeting human interactions – Tactics such as vishing direct victims to download malware and
SIM swapping to circumvent multi-factor authentication (MFA).
Epilogue: If you have thoughts and ideas on how to improve security for critical infrastructure I
would love to hear them. In the meantime, here is a presentation on why power plants are
particularly vulnerable to cyber threats. https://www.youtube.com/watch?v=rCG-WaLGFQw