It can be said that the biggest weakness today for the critical infrastructures in the various countries is the supply chain, after Corona forced organizations and countries to change the perception of their information systems, and quickly move to the perception of digital services with multiple providers in real time. This has created many security vulnerabilities and a much wider area of attack for criminal organizations and countries that use offensive cyber.
The vulnerability of the supply chain is mainly due to third-party suppliers in the country, where the contract with them is conducted without careful management of their information security system, and outdated software and management systems are used. In fact, these are critical infrastructures that are not designed for cyber protection.
Iran has made headlines this week following a series of massive cyber attacks in recent days, targeting national infrastructure, including the national rail network. An attack on critical infrastructure, as occurred in Tehran, is a task that combines several types of attacks, may last for many months and requires considerable financial resources. This suggests that large organizations, and even countries, are the ones who are usually behind such attacks.
My assessment is that in parallel with the apparent attack, that anonymous attacker, who is doing significant damage to Iran’s national infrastructure, will also try to locate reliable personal information about the suppliers of state organizations, and plant some damage in future software updates. Now, all he has to do is wait for the supplier to automatically update the systems, which will infect the core systems – in this case the Iranian railway system – and thus it will be possible to completely take over the damaged system, and later also disable it completely.
This will be possible on the assumption that the attacked country and its suppliers will not be able to locate the cyber worm hiding among their data. This is a very complex and sometimes almost impossible task, especially when existing cyber defense systems are not advanced enough and on the other hand there seem to be serious resources, technologies and experts.
Cost versus benefit
Unfortunately, although the cyber issue has become the most talked about issue in recent years, companies, organizations and even countries are not educated to use professional experts and build for themselves a meaningful protective shell that will protect them. In fact, the price an organization will pay for the construction and maintenance of such a protection system is tens of times smaller than the price it will pay in the event of a takeover of the systems, and repair of the damage to them.
Criminal and terrorist organizations operating in the global cyber field, employ fairly simple methods and search across the network for organizations with few protective envelopes, and plenty of hacking and intrusion options. These organizations may, in the end, fall victim to those hackers.
Why? Because it is the simplest and most effective for cybercriminals. Therefore, whether you are a large retail company or a law firm or a small firm – in the current era, you must protect yourself.
The author is CISSP, Director of Cyber Business Development for the Southern European Region at CISCO