Cyberprotection for Critical Infrastructure Resilience
As the geopolitical environment becomes more volatile, conflict ought to be part of any country’s cyber risk management framework. How does one build resilience with conflict in mind? This article considers aspects of creating cybersecurity resilience for a time when conflict may become a reality. It does so by examining the case of Taiwan. While the Taiwanese context may have some lessons for other geopolitically volatile regions, they are not meant to be generalized.
Please note that the text below includes only the beginning of the chapter “Cyberprotection for Critical Infrastructure Resilience: The Case of Taiwan” and does not include footnotes. To read the full chapter (p. 171) or the complete report with footnotes, please download the PDF version.
With the integration of information technologies into critical national infrastructure (CNI) during the last decades, cybersecurity has become crucial to CNI resilience. Information technologies create more efficient ecosystems and the ability to operate technologies remotely. At the same time, these opportunities create new possibilities for malicious actors to compromise the confidentiality, integrity, or availability of data residing on those systems.
While CNI operators still actively build resilience against traditional threats such as natural disasters, aging and decay, terrorist activities, and cascading failures of systems, cyber threats have made it to the top of the list of threats to critical infrastructure. With the rise of cyber threats, resilience against them has also become a considerable point of concern.
Resilience is about reducing the likelihood of shocks, limiting their impact, and allowing entities to recover quickly from incidents. In the academic literature, resilience has been examined in four contexts: techno-centric, organizational, community, and urban. Resilience building that focuses on technological aspects emphasizes the need for security guidelines, the preparation of emergency procedures, and network segmentation, among other measures. Organizational resilience, for its part, deals with the social aspects: it comprises the command structures within an organization and the public outreach an organization conducts when an incident occurs. Community resilience is concerned with how the public reacts to crises and how CNI operations can be restored to a level that allows society to keep functioning at a tolerable level. Lastly, urban resilience relates to the resilience of cities.
In cybersecurity terms, resilience is often enhanced through a mix of social and technical measures such as redundancy (having a backup strategy), network segmentation (limiting access throughout an entity’s systems), or the training of personnel (increasing the sensitivity to security guidelines).
Measures to protect power grids, pipelines, or hospitals are not that different from the measures individuals take to improve their own cybersecurity. The 2016 attack on the Ukrainian power grid by Russia shows how crucial updating software is. A vulnerability in Siemens software, for which the company had issued a patch, remained unpatched in the Ukrainian power grid, allowing Russian malicious actors to exploit it and wreak havoc. Hence, regular patching of systems is as key to the resilience of CNI as frequent software updates are for an individual user. Simple steps, such as network segmentation and multifactor authentication, might have prevented the Colonial Pipeline ransomware attack and saved the targeted company a hefty sum. The European Network and Information Security 2 (NIS2) Directive requires essential and important entities to implement network segmentation and multi-factor authentication. In addition, such entities need to have secure emergency communication systems within the organization and adopt zero-trust principles, among other measures. Essential and important entities that violate these regulations can be fined at least €10 million and €7 million respectively, or a maximum of 2 percent and 1.4 percent respectively of total worldwide annual turnover.
The remainder of the article is structured as follows. It starts by examining the resilience of Taiwan’s internet infrastructure. Taiwan has increased the number of undersea cables connecting it to the world and engaged in building up backup communications channels via microwave internet and satellite technologies. The second part goes beyond the analysis of how resilient Taiwan’s internet infrastructure is. It explores more in depth Chinese malicious cyber activities that have been targeting Taiwanese CNI. This part analyzes Chinese threat actors, which CNI they target, and the aims they pursue. The article concludes by examining how China perceives Taiwanese resilience and how this perception might feed into Chinese assessments on whether or not to invade the island country.
This text is one chapter of the report “Enhancing Resilience In a Chaotic World: The Role of Infrastructure” and was first published by ISPI in June 2023.