Critical infrastructure, such as the energy sector, financial systems, government operations, national security, transportation networks, water supply, blood supply and the health system, is fundamental to our daily life. It is also heavily dependent on cyber networks. Threats to cyber networks are increasing in number, frequency and impact. Cyber attacks originate from various persons including financial opportunists, activists or government, and the motives for such attacks are equally varied. Motivation for cyber attacks include financial gains, political statements, destructive intentions and power. The nature of the attacks and their targets correspond with the motives of the attacks.
A cyber attack that shuts down, disrupts or manipulates operations relating to electricity, power, water supply, blood supply or financial systems, for even a few hours, can have wide-ranging and significant results.
Threats to cyber networks and the corresponding cyber security has become a critical issue among government leaders from industrialized nations, as well as within the international economic unions and community, often resulting in cyber threats and cyber security being an agenda item during their summits. The Canadian government has also declared that cyber security is a key threat to its economy and critical infrastructure. The United States has declared that cyber security is one of the most serious economic and national security challenges it faces, which has resulted in both domestic and international cyber security initiatives. The European Union has pushed for directives that would require harmonized rules on cyber security among member states.
At this point, all critical infrastructure operations and industries must have cyber threats as one of their key risks to manage with the corresponding cyber security measures as an integral and pervasive part of their operations. The approach to preventing and reacting to cyber security threats should be informed, without ego, built into the fabric of all of the business operations and ongoing.
Cyber security must include a technology component, but only as one of many elements. Cyber security initiatives must include threat risk assessments which include penetration testing and human engineering testing. Responses to difference cyber threat scenarios – from ransomware to denial of service to operation shut down or manipulation – should be anticipated, documented and practiced. Policies need to set out what is to be done in each type of threat, who is to be notified, what the goals are of each response and who has what responsibilities. Employees and human connections to the operations are the weakest entry point. While written policies are a must, each employee must be educated and tested on cyber security protocols and policies, and consultants, agents and other representatives who have access to the cyber infrastructure must be held to the same standards. The final success or failure should rest with the organization’s most senior officers.