The draft Critical Infrastructure Protection Bill in South Africa, the successor to the National Key Points Act of 1980, has elicited heated debate from several quarters.
However, it remains focused on improving security measures in critical infrastructure organisations, safeguarding the welfare of essential services in the process, writes Gregg Petersen, regional vice-president at Veeam.
The aim is to make critical infrastructure more resilient to the major disruption that could be caused by things like power outages, hardware failures, and environmental issues. And then there is also the risk of targeted attacks against this critical infrastructure to weaken the country. But looking beyond the physical protection, consideration also needs to be given to the growing number of cyber attacks. In fact, many analysts cite this as one of the most significant business threats local organisations are facing in 2018.
Whatever the facts, one thing’s for sure: we have entered a ‘new era of warfare’ and our critical infrastructure organisations need to be better primed for the inevitability of cybercrime.
A matter of when, not if
Given how technology has become integrated into all aspects of our lives, individuals, businesses, and government have become dependent on the reliable and secure operation of these systems. Contrary to popular belief, South Africa is not immune to cyber attacks.
There are a number of well-publicised ones that began with the 1994 elections all the way through to the leaked State Security Agency spy cables in 2015. From accessing personal data to undermining the government, these and other attacks could significantly change how people do business and engage with one another over digital platforms.
Indeed, there are far bigger issues at stake when it comes to critical infrastructure being compromised. The crippling ramifications it could have on daily life and public welfare, for instance, range all the way from economic chaos to the disruption of essential services. Or, in worst-case scenarios, citizen injury or death.
Worryingly, as a community we’re still a long way from even understanding the causes of these infrastructure breaches. A 2015 Black Hat investigation found that hackers have been penetrating systems for at least a decade, with little known about how they gain access. And little has changed since then. With prevention and proactive response both struggling, back-up becomes increasingly vital.
The vulnerability problem
Even though official local statistics are hard to come by given the potential for reputational (and financial) damage, the WannaCry ransomware and NotPetya malware that made global news headlines last year can cause significant issues in South Africa if organisations and government do not take cyber security seriously.
But vulnerabilities in our critical infrastructure aren’t only caused by failure to comply with security standards. Nor are they necessarily caused by lack of awareness on the part of industry bosses. Instead, a big part of the problem is that many of the key computer systems that run critical infrastructure are legacy – powerful, yes, but not fit for modern-day protection against hackers.
These industrial-grade security systems are designed to protect physical assets and entry points, but as more critical public services become supported by data networks and cloud-hosted assets, the shift to bolster cyber security is becoming a matter deserving urgent attention.
Availability is key
Given the imminent arrival of Microsoft Azure data centres in Johannesburg and Cape Town, the spotlight will be on the country to show other multinational vendors the potential that exists here. With that in mind, security of critical infrastructure should be a priority.
For this to happen, IT leaders in the industry must be given the support and budget to bolster their data networks and develop robust business continuity systems. Simply having a data back-up system is no longer enough; it’s vital that critical infrastructure providers embed orchestration and automation as core components of their networks if they are to meet the latest recovery objectives and ensure minimal disruption to business availability and – crucially – to public welfare.
Whether an attack is made through sheer devilment or outright warfare, it could debilitate essential services – which is not a risk that providers should be willing to take, especially when we’re talking about the very services that are vital to the proper functioning of the economy and society, like power grids, water supplies, transport networks; public health, financial and security services; electricity, gas, agriculture, telecoms – the list goes on.
The point is simple: when it comes to critical infrastructure, downtime simply isn’t an option. The impending regulatory penalties for organisations that don’t get their security act together are not just arbitrary fines. They’re an object lesson in the importance of available critical infrastructure, for the sake of business continuity and public welfare alike.