Securing Critical Infrastructure: A National Security Challenge
Critical infrastructure supports the lives of billions of people by providing essential services, from governmental functions to healthcare and water provisions. As geopolitical tensions rise, hybrid tactics aimed at destabilising societies have increased. This rise in hybrid tactics has seen a new and diverse set of threats, often blurring the lines between peace and conflict.
With the aim of nation-state-backed disruption and destabilisation, critical infrastructure has become a major target due to its intertwined nature with broader national security principles. Traditionally, this close link between critical infrastructure and national security has led to significant investments in securing these entities from external threats, such as DDos or grid hacks. However, recent developments and a surge in cases have revealed a glaring oversight: the security risks arising from within. Advancing intelligence capabilities enables nation-states to exert influence on individuals within critical organisations, transforming them into assets that have the potential to cause financial harm and disrupt entire societies.
Understanding the Target and the Threat
Critical infrastructure underpins resilient and modern societies, comprising sectors that provide essential services such as information, communication, energy, transport, food, water, healthcare, and financial services. This complex ecosystem features advanced physical assets like nuclear power plants, railways, and energy grids, which have traditionally received the most protection from external threats. Targeting these facilities can cause severe safety concerns, disrupt vital services, and pressure leaders, potentially altering decision-making processes.
An element often overlooked, however, is the intellectual assets behind critical infrastructure. The people with knowledge, and highly advanced intellectual property, are just as vulnerable as the physical assets. Foreign adversaries may procure valuable intellectual property at a fraction of its development cost. Furthermore, the damage potential increases when threat actors operate from within, making legitimate access through infiltration or coercion an attractive avenue to inflict damage on societies and their critical organisations.
Individuals within critical organisations can be influenced by external threat actors who target organisational, professional or personal vulnerabilities. Factors such as increased remote working, reliance on less secure technologies, decreasing workplace loyalty, financial stressors, and rising political tensions create an environment conducive to foreign bribery and coercion. Exploiting these factors can exacerbate divisions and influence individuals from afar or enable the undetected infiltration of organisations.
What Does Insider Risk Look Like?
Insider Risk can manifest in various ways throughout critical organisations, depending on the critical assets and services provided. Governmental institutions, where information and people are critical assets, face espionage as the greatest threat. Other sectors, like energy providers and transport services, may face sabotage or intellectual property theft. Third-party risks also increase as foreign parties compete for and win tender contracts, granting them direct influence and presence within national critical infrastructure networks.
Exploiting insiders not only creates the potential for highly damaging incidents but also helps threat actors conceal their involvement. The covert nature of hybrid warfare makes it difficult for investigators to attribute incidents directly to nation-states. Additionally, policymakers and critical organisations often avoid revealing insider involvement to protect institutional trust. Nonetheless, recent cases highlight the incremental targeting of critical infrastructure across Europe. While external actors are often blamed, the need for insider information and knowledge to execute these efforts is a recurring theme.
Deep-Dive: Germany
Germany exemplifies the vulnerabilities critical infrastructure faces from insider risk. As the European Union’s greatest economic and strategic power, Germany has experienced significant incidents of espionage, sabotage, and third-party risk. High-level cases have triggered political debates and calls for greater mitigation measures.
The most notable sabotage case was the compromise of the Nordstream 1 and 2 gas pipelines, but this case did not involve a know insider component. Perhaps a case receiving lesser attention was the politically motivated attacks on the Deutsche Bahn railway infrastructure. The German rail operator suffered severe disruptions caused by “intentional interference” of communication cables in two separate locations. Whilst foreign influence could not be proven, the attack represented a “high degree of insider knowledge”, and a “level of organisation that we haven’t seen before”.
Cases of espionage have also impacted Germany, so deeply that it has also reached governmental ranks. Espionage activities had been detected within the AfD party, with an aide to Maximilian Krah, who headed the party list for the European election, arrested on suspicion on spying for China. In 2022, two senior officials within Germany’s economy ministry had also been investigated over allegations of spying for Russia. These individuals held key positions within the energy supply.
Germany, amongst other European countries, has also increased efforts to reduce legitimate foreign access to critical infrastructure. Last year, political rows arose over the decision allowing China’s Cosco to buy stakes in three terminals in the port of Hamburg, with concerns over the exertion of Chinese influence in the country. More recently, the German federal government has been reviewing the awarding of a tender for the supply of 16 wind turbines to the Chinese manufacturing group Ming Yang. Evaluation of fair competition and strategic risks associated with foreign access to critical German networks is of priority. Similar developments have occurred in telecommunications, where Germany has decided to phase out Huawei and ZTE from its networks due to strategic dependency and security concerns.
Mitigation Strategies
The increasing risk to critical infrastructure has certainly been acknowledged by leaders globally. The European Union’s commitment was underscored by the Critical Entities Resilience Directive, a framework to support member states to protect critical infrastructure from, among others, “insider threats”. Australia has adopted a similar approach through the Guidance for the Critical Infrastructure Risk Management Program, outlining the role of “Personnel Hazards” and “Supply Chain Hazards” throughout. Whilst these initiatives are hugely important in creating momentum and recognition for insider risk in critical infrastructure, they do not represent comprehensive safeguards.
Greater information and support must be given to critical organisations on how to meet the directive’s requirements, and what actions they may take to begin mitigating insider risk today.
-
- Recognise the Human Vulnerability: Understanding that employees and contractors are potential risk vectors is crucial.
- Increase Awareness and Encourage Reporting: Creating an environment where employees are aware of what insider risk may look like and where they feel safe reporting concerns can help identify potential threats early.
- Participate in Simulation Exercises and Workshops: Regularly conducting exercises to simulate insider threat scenarios can prepare organisations for the containment of real incidents.
- Identify Critical Assets and Vulnerable Positions: Knowing which assets are most critical and which positions have the highest risk can help focus mitigation efforts.
- Conduct Third-Party Risk Assessments: The scope of insider risk also encompasses third parties, whose extensive access to organisational systems, facilities, and data can pose significant challenges.
- Kick-start a Dedicated Insider Risk Program: Developing a program specifically aimed at identifying and mitigating insider risks can provide a structured approach to security.
Conclusion
As geopolitical tensions continue to rise, Europe’s critical infrastructure remains vulnerable to insider threats. While significant strides have been made to protect against external threats, internal risks require equal, if not more, attention. Positive steps have been taken, but more support is needed for critical organisations to meet new directives’ demands and address the threats they face. By understanding these risks, learning from past incidents, and implementing comprehensive mitigation strategies, Europe can better safeguard its critical infrastructure and ensure the continuity of essential services.