With AI-powered threats and state-sponsored cyber-warfare rife in the digital age, what mindset change is needed in critical infrastructure industries?
Nowadays, it seems like we can hardly go a day without seeing news of cyberattacks in South-east Asia (SEA) in the headlines. More worryingly, major victims of cyberattacks in 2023 have been critical infrastructure operators.
High-profile victims should be the exception rather than the rule, and this rise in incidents is the canary in the coalmine when it comes to the state of ransomware and cyberattacks on essential services in the region. SEA is facing the brunt of this endemic issue, and the immediate effects have been dire — essential services disrupted, planes grounded, and financial services coming to a halt — not to mention, the far-reaching costs and consequences of a slow recovery.
Cybersecurity is often the focus in these instances, and it is a legitimate area of concern, but when critical infrastructure fails to resume quickly, it is clear that the region has a larger data resilience problem.
Protecting data while on AI “Hard Mode”
Data resilience ensures that the necessary data is available wherever and whenever it is needed, in spite of disruptions, whether those are the natural disasters that SEA is prone to or cybersecurity incidents.
The challenge of ensuring data resilience is exacerbated by the nature of critical infrastructure businesses. As high-impact targets, they are vulnerable to ransom demands. Besides handling high volumes of sensitive data, they are also highly visible and essential systems. In SEA, rapid digitalization has often outpaced the growth of adequate data protection and security measures. As a result, some legacy systems continue to get left behind, and at the same time, the rushed adoption of nascent technologies may harbor unforeseen or misunderstood data resilience challenges.
Complexity is further compounded by the sheer size of these organizations. For example, a healthcare services operator can have multiple key offices connected to different data centers. While this improves flexibility and agility, the larger attack surface also renders the organization more susceptible to faster, smarter and more prolific attacks on all fronts.
Critical infrastructure operators are also facing AI-enabled threats in “Hard Mode”. With AI now entering the cybercriminal fray and drastically increasing the volume and sophistication of attacks, critical infrastructure threats are only set to grow in severity and scale.
We have heard how cyberattackers can more easily automate ransomware attacks using AI, but it is no longer just about creating convincing AI-generated phishing attempts that pass the Turing test. AI-powered ransomware can identify potential vulnerabilities and exploits at scale, and it can adapt its tactics in real time to stay off the radar of security systems and successfully infiltrate organizations. Once inside a network environment, it can find ways to weaken or turn off various security measures.
While investing in cybersecurity is prudent, this alone does not provide data resilience.
Adding Zero Trust principles to data resilience
A data resilience mandate focuses less on trying to minimize or defend against threats. Rather, it assumes that data loss incidents and breaches are simply a fact of life. With data resilience in mind, greater focus is placed on ensuring the security and immutability of data backups, having them available for use at any location and at any time, and being able to recover immediately and return to business-as-usual.
A core resilience framework that critical infrastructure operators can adopt applies Zero Trust principles to data resilience: trust is never assumed, and a data-focused approach extends to backup infrastructure as well as operational IT. The best-practice principles of explicit verification and least-privilege access across the organization’s ecosystem must also cover data backup environments.
Organizations must verify that there are secure and immutable backups across all environments, and regularly test disaster recovery processes to ensure they continue to meet all of the business’ recovery objectives. The recommendation is to apply the 3-2-1-1-0 rule, which expands on the traditional 3-2-1 backup strategy with two extra steps: ensuring one backup is offline air-gapped or immutable; and ensuring zero errors after automated backup testing and recoverability verification.
There must also be clearly defined and tested Recovery Point and Recovery Time Objectives to facilitate immediate recovery from a ransomware attack. Without a clean recovery point, reinfection can occur or critical business data can be lost; and if it takes too long to recover, the impact of the disruption grows.
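As an added illustration (not part of the original article), the following script audits a backup inventory against the 3-2-1-1-0 rule described above and against RPO/RTO targets. The copy names, timestamps, objectives and measured restore time are constructed sample data, and the sample deliberately shows the case the article warns about: the only immutable copy is the one that failed its restore test, so the "zero errors" check fails even though every other check passes.

```python
# Added example: audit a backup inventory against 3-2-1-1-0 and RPO/RTO.
# All names, timestamps and objectives are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str               # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool           # object-lock / WORM / air-gapped copy
    completed_at: datetime    # when the last successful backup finished
    restore_test_errors: int  # errors from the last automated recoverability test


def audit_3_2_1_1_0(copies, rpo, rto, measured_restore, now):
    """Return {check_name: passed} for the 3-2-1-1-0 rule plus RPO/RTO."""
    clean = [c for c in copies if c.restore_test_errors == 0]
    # Age of the newest copy that verified cleanly: that is the recovery point
    # we could actually restore to without risking reinfection or lost data.
    newest_clean_age = min((now - c.completed_at for c in clean), default=None)
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": len(clean) == len(copies),
        "rpo_met": newest_clean_age is not None and newest_clean_age <= rpo,
        "rto_met": measured_restore <= rto,
    }


def failed_checks(results):
    return sorted(name for name, ok in results.items() if not ok)


NOW = datetime(2023, 11, 1, 9, 0)  # constructed audit time
SAMPLE_COPIES = [  # constructed inventory: the immutable tape copy failed its test
    BackupCopy("primary-disk", "disk", False, False, NOW - timedelta(hours=1), 0),
    BackupCopy("dc2-replica", "disk", True, False, NOW - timedelta(hours=2), 0),
    BackupCopy("tape-vault", "tape", True, True, NOW - timedelta(hours=30), 3),
]


def run_sample_audit():
    return audit_3_2_1_1_0(SAMPLE_COPIES, rpo=timedelta(hours=4), rto=timedelta(hours=8),
                           measured_restore=timedelta(hours=6), now=NOW)


if __name__ == "__main__":
    for check, ok in run_sample_audit().items():
        print(f"{check:12} {'PASS' if ok else 'FAIL'}")
```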
Protecting the high stakes involved
Data security and protection will always be an arms race between bad actors and critical infrastructure operators.
When lives depend on the continuous availability of important data, organizations cannot delay adopting data resilience, or be complacent when moving to a Zero Trust data resilience environment.
With so much at stake, adopting a data resilience mindset provides the answer to swift recovery and, more importantly, immediate operational continuity to keep our world running.