There are other methods, of course, such as supplier dependence, which is when the supply chain is targeted. We saw this toward the end of last year in the SolarWinds incident, which resulted in very serious consequences for the organizations and companies affected, and then most recently during the summer when a violation at Kaseya meant that the Swedish supermarket Coop’s payment system went down.
Why is it important for critical infrastructure to take cybersecurity into consideration?
Critical infrastructure organizations have gone through a rapid digitization and development over the past decade. Security has not kept up with this rapid development and there is now a gap between digitization and security. This gap has grown—and continues to grow—and it’s more important than ever to reduce this distance and make sure security work catches up.
What is the most common method for criminals to break into critical systems?
What we see, and what the statistics confirm, is that the most common way to break into an organization’s critical systems is through malicious emails, called “phishing,” where they simply trick the recipient into opening a link or a document that contains harmful code. This is often the first way into an organization. Another usual method to penetrate an organization is through remote access systems, such as Citrix servers, remote desktops and so on. A common reason that criminals manage to break in this way is that organizations fail to update their systems with sufficient security measures, or have weak passwords.
Why do you think healthcare is a current topic when it comes to cybersecurity threats and risks?
Healthcare organizations are complicated, with many complex systems, which means that gaps in security can easily arise, creating routes where someone can break into their critical systems. Because healthcare systems are complex, it’s difficult to secure them, but they’re also attractive targets. If a ransomware attack targets a typical company, the company can hopefully refuse to pay the ransom. But in healthcare, where people’s lives are at stake, it’s much, much harder to refuse to pay the ransom required to regain access to critical systems.
In addition to having a complicated environment, healthcare is also one of those operations where there is a clear conflict between security and safety. Patient security and safety—systems that need to function without interruption—are often in conflict with basic IT security procedures. Healthcare is worthy of the best-possible protection—and security in healthcare is literally life-and-death.
How should we approach security work when it comes to such a critical function in society?
The most important thing is to have balanced security. There are many kinds of healthcare systems: the usual administrative systems, medical technology equipment and its systems, and finally building control systems that control things like oxygen supplies, ventilation and so on. You can’t look at just one of these systems. You need to have balanced security for all of them. It’s comparable to physical security: it doesn’t matter if you secure the front door with a steel door and combination lock if the porch doors are old and flimsy and easy to break with a crowbar.
What can society’s critical infrastructure and operations do to increase their cybersecurity?
The important thing is to make sure security is taken seriously in the entire organization. It’s not solely the responsibility of an IT Manager. It has to reach from the Board all the way to every part of operations. It’s important to be aware of what threats there are and how to stay within an acceptable level of risk. Security can’t be an afterthought—it needs to be a part of the organization.
We need to realize that there are people out there who don’t have our best interests at heart, intelligent assailants who will attack our weakest points. To protect ourselves against them, our protection needs to be as intelligent as they are.