By Karen Allen, Senior Research Adviser, Emerging Threats in Africa, ISS Pretoria
Cyber criminals infiltrated a water treatment plant in Florida, United States, last month, trying to alter the chemical composition of the water supply. The real-world consequences of such a cyber attack are frightening.
With increased digitisation of critical infrastructure and the ability for those with malicious intent to gain remote access to a plant’s computers, a picture of dystopian proportions emerges.
For developing economies such as South Africa, the knock-on effect from cyber attacks on critical infrastructure is potentially devastating. Imagine cyber criminals disrupting the logistics network for food, energy or vital medical supply chains.
Cyber security is largely absent from the South African Cybercrimes Bill, which is waiting to be signed into law. Concerns about government over-reach have driven the argument favouring a separate future bill on cyber security. Until such time, technology experts warn, best practices should be adopted to secure operational technology and protect basic utilities such as water and electricity.
One of the biggest problems is the speed at which cyber threats are evolving. Many South African businesses have experienced denial-of-service and ransomware attacks where databases are encrypted by criminals who demand payment to release a ‘key’ to restore access.
The rapid roll-out of internet of things (IoT)-based technologies has potentially increased the ‘threat surface’ in which cyber criminals operate. Medical, financial, manufacturing and extractive industries are among South Africa’s sectors increasingly applying IoT processes. So are IoT devices easier to hack?
Tiaan van Schalkwyk from Deloitte South Africa’s cyber risk team says, ‘They are not secure by default. The security needs to be configured before they are deployed.’ Worldwide, this hasn’t always happened. In Europe, he says, in the early days of smart meters, devices were rolled out initially without such security configuration – making them vulnerable to manipulation.
South Africa’s critical infrastructure has experienced cyber attacks, although the impact has been limited. An attack on Johannesburg’s municipal electricity system, for example, largely affected billing rather than other technical operations.
What is defined as critical infrastructure is contained in the Critical Infrastructure Protection Act 2019. It includes infrastructure ‘essential for the economy’ and relating to ‘security, public safety and the continuous provision of basic public services.’
By and large the country has robust protocols for dealing with intrusions in critical infrastructure. This includes a system of Computer Security Incident Response Teams for identifying, responding to and mitigating risks, across different sectors of the economy.
‘Where we have more vulnerability is in electricity,’ says Eric McGee from Deloitte South Africa’s cyber risk team. ‘We have a single entity which is Eskom. The dependency is significant and so the risk of impact is high. It is dominated by a single player which makes it vulnerable. There is a similar risk for telecoms infrastructure because it is underpinned by a single player – i.e. Telkom (although this has improved somewhat over time).’
South Africa’s financial institutions have also been the target of cyber attacks, including the Anonymous cyber campaign that peaked between 2013 and 2016. More recently the SolarWinds attack on Microsoft in the US demonstrated how emails and other sensitive material from various US government agencies were compromised.
Although South Africa may consider itself an unlikely target for state-to-state attacks, the threat of being collateral damage is real. So too is the danger posed by hacktivists – cyber activists – or lone individuals with criminal intent.
Given this risk exposure, South Africa should learn from best practices elsewhere. For instance, the US National Institute of Standards and Technology publishes a blueprint to protect against cyber attacks that may offer guidance in a rapidly evolving cyber-dependent environment.
The South African Banking Risk Information Centre (SABRIC) already shares best practices and reports of intrusions among its members to mitigate the risk of data being stolen, access denied or processes being meddled with. Similar bodies are expected to be developed for the cellphone industry.
As well as physical infrastructure, there are vulnerabilities in information infrastructure, South African government experts told the Institute for Security Studies. Banks are part of the country’s critical information infrastructure, as are government-held databases and communications infrastructure, including cellphone networks.
Malicious actors could grind a country to a halt by capturing its banking sector or cellphone network, and inflict as much damage as they would by capturing the national grid. Although systems such as centralised biometric databases to verify, for example, a person’s identity are held by the public sector in South Africa, much critical information infrastructure resides in the private sector.
Here there are deep concerns about government and the State Security Agency in particular meddling in cyber security matters. Hesitant to give the state the monopoly to secure critical information infrastructure, banks and other financial institutions are seeking to develop cyber resilience by sharing best practice through this SABRIC model of collective security.
Other sectors such as the cellphone industry, CCTV camera networks and healthcare providers could do the same – sharing best practices and adopting codes of conduct, pledging not to exploit competitors’ vulnerabilities.
As much a risk to critical infrastructure is the risk of cyber intrusions through mis- or disinformation campaigns. This has implications for law and order, elections and more broadly free speech.
Deloitte’s McGee sees this as a greater risk to South Africa than attacks on critical infrastructure. ‘If we look at China, the ability to influence is as much a threat as attacking infrastructure. In South Africa our infrastructure has the ability to recover pretty quickly – but influence is harder to respond to.’
In the short term though, the most efficient way to address the more tangible threats to critical infrastructure would be to share best practices, adopt codes of practice for threats and exchange information.