The infrastructure sectors that are considered essential and critical to any society are increasingly under threat, such as through cyberattacks, disasters and even physical attacks. In the Caribbean region and based on recent occurrences, there is great concern that these essential sectors may not have the means to withstand or efficiently recover from cyberattacks and other threats.
In our February 2023 Community Chat, one of the topics discussed was the challenge critical, but under-resourced, sectors experienced with respect to cyber security. As was noted during the conversation, the impetus for the topic was the cyber-attack at the Queen Elizabeth Hospital (QEH) in Barbados, which occurred in December, and more recently, the breach that occurred at the Southeast Regional Health Authority (SERHA) in Jamaica. However, these are incidents that made the news. It is likely that many more organisations and arms of government that manage or deliver critical services have experienced a cyberattack.
What infrastructure sectors should we be concerned about?
To a considerable degree, the sectors that are considered critical are likely to vary from country to country, based on how developed the sector is and by extension, the country. However, at its basic, the list is likely to include:
- Electricity and energy, which would include electricity generation, transmission and distribution.
- Emergency services, which would include the police/law enforcement, fire and rescue services, emergency medical service, disaster and emergency management, public works.
- Food and agriculture, which would include farms, food manufacturing, processing, and storage facilities.
- Healthcare and public health, which would include hospitals, clinics, testing laboratories, mortuaries, crematoria, drug manufacturing and distribution channels, and other healthcare facilities.
- Telecommunications and IT/ICT, which would include the internet, base stations, towers, data centres, terrestrial telecommunications networks, wireless networks, satellite communications, critical internet resources.
- Transportation, which would include roads and motorways, airports and seaports, aircraft, air traffic control systems, airports, heliports, landing strips, marine vessels and waterways, mass transit and passenger rail.
- Water and wastewater, which would include the preparation and delivery of potable water, managing sewerage and wastewater.
These services and sectors could be considered essential for the functioning of our societies, as their absence or incapacity would have a debilitating impact on our collective well-being.
However, with the exception of telecommunications and IT/ICT and electricity, which in the Caribbean are often privatised or privately owned, the other sectors and services tend to be government owned and operated. Invariably, these sectors are underfunded, resulting in less-than-optimal services being delivered to citizens.
The cybersecurity challenge
In managing critical infrastructure and delivering critical services to citizens the security of those sectors is becoming increasingly crucial. Over the years, cyberattacks on critical services, especially the electric grid, such as at the Jamaica Public Service, have become more common. However, hospitals and healthcare facilities, such as QEH, SERHA, and the Hospital for Sick Children in Toronto, Canada, are just a few of the recent casualties.
Unfortunately, as many security experts have stressed over the years, a breach of an organisation’s security is almost inevitable. It is more a case of ‘when’ rather than ‘if’.
It thus means that as much as there should be an effort to ensure that good perimeter security is in place; and since it is not infallible, there should also be an emphasis on intrusion detection, management, and remediation. However, the systems and manpower can be costly, regardless of whether they are maintained in-house or outsourced to a third-party service provider. They are not a one-off or capital expense. Costs to maintain and upgrade the systems, to regularly test them and to keep the staff up to speed on the latest developments require regular investment, which all add up.
However, with hospitals and clinics and emergency services trying to operate and deliver services on a shoestring budget, how much money is available to comprehensively address cybersecurity generally, and more so when are becoming an even greater target for attack?
Critical infrastructure security and resilience planning
In light of the financial and other resource constraints that critical infrastructure sectors face in the Caribbean region, their security should not be left to luck and chance. As was noted in an article published last week in Barbados, and nearly two months since the breach at QEH, the institution had not fully recovered. Although our Community Chat panellists posited that should a critical sector come under attack, governments will find the resources to address and remedy the issue, such situations are fraught with several challenges. Some of the issues that would need to be addressed include: whether to pay the ransom if demanded, improving the security of the associated systems and networks, ensuring the integrity of the data should the systems be restored, and navigating the requirements regarding individuals’ personal information, cognisant of the emerging data privacy and data protection regimes.
Noting the vulnerability of our critical infrastructure sectors and the limited resources available, it would be prudent for these sectors to be given deliberate attention, through the establishment of a framework through which critical infrastructure could be strengthened and made more secure and resilient to attacks. This framework would not only focus on cybersecurity, but should also consider natural disasters, physical attacks, along with other exigent or emergency situations that could threaten the proper functioning of these sectors.
Governments would be advised to consider common or harmonised policies and procedures that would allow for benefits from economies of scale and scope to be realised. Across the region, government ministries, departments and agencies still tend to operate in silos, which often results in a disjointed and uncoordinated approach and the uneven application of resources and development of policies and procedures.
Finally, coordination across the public sector, and even across sectors between Caribbean countries could improve and increase the information and intelligence that would guide the security and resilience-related policies and procedures that are developed, whilst also fostering greater regional cohesion as we move towards a single market and economy.
Images credit: Gerd Altmann (Pixabay); MELANIO SALOME JR. PEC (Pexels); Erich Westendarp (Pixabay); Alina Kuptsova (Pixabay)
Although understood that the list is not exhaustive, I would have thought the banking system, too, is not only critical but also highly vulnerable to, probably even coveted for, such attacks.
Increasingly, victims are refusing to pay any ransoms demanded in order not encourage further attacked.