Mind the gap: Critical systems at risk of cyberattack

When some people speak of cybersecurity, they think of phishing scams, malware attacks, ransomware and other programmes that hack into systems in the private sector and extort businesses for money.

But that is just the tip of the iceberg when it comes to the potential threats involved in cyberattacks. The public sector too, especially agencies that deal with critical infrastructure – electricity, water, telecommunications, oil and gas production and downstream manufacturing – are highly susceptible to cyberattacks.

Programme leader of the University of Trinidad and Tobago's (UTT) Centre for Information and Communication Prof Yufei Wu, in a conversation with Business Day, said as a country with a digital transformation ministry and a cybercrime bill, Trinidad and Tobago is in the lead where protecting essential systems from cyberattacks is concerned.

But more must be done, as attacks have increased not only worldwide but locally. Wu said TT needs to take a proactive approach to ensuring that the systems that most people take for granted are protected.

The cyberattack on Massy Stores at the end of April was only a small example of the damage that can be done to systems once hackers get into an organisation's database.

The cyberattack forced all 23 of the supermarket chain's branches to shut down on the eve of the Eid-ul-Fitr holiday, which also was at the end of the month, a peak time for supermarkets.

The shutdown lasted about two days, and while Massy has not determined the losses incurred from the attack and subsequent closure, one can only assume it was in the millions.

But these attacks are not limited to the private sector alone. Last Friday, Public Utilities Minister Marvin Gonzales admitted while answering questions in Parliament that a malware attack caused a shutdown of the Telecommunications Services of Trinidad and Tobago Ltd's (TSTT) online payment systems in March.

"TSTT’s system detected a security attack directed at a number of the company’s internal only solutions and applications," he said. "As a precautionary measure all possibly impacted systems were isolated, including TSTT’s online payment application from TSTT’s website stored within the private cloud environment."

He added that TSTT took immediate steps to enhance environmental protection of its systems, including destroying the infected machines' software master records and rebuilding the cloud host servers.

Internationally, cyberattacks on critical infrastructure has also increased, especially coming out of the pandemic.

Last May the US Federal Bureau of Investigation (FBI) confirmed that a cyber criminal organisation which calls itself DarkSide admitted to hitting Texas-based Colonial Pipeline – which supplies the American East Coast with 45 per cent of its diesel, petrol and jet fuel – with a ransomware cyberattack.

The attack resulted in the overall shutdown of the plant. In June Colonial Pipeline’s CEO and president, Joseph Blount Jr, told the US Senate the company paid a US$5 million ransom the day after the attack.

At the end of May another ransomware attack hit JBS USA Holdings Inc, one of the world’s largest meat producers. CEO of the company’s US Division Andre Nogueria said the company forked up a US$19 million ransom to remove the ransomware and prevent future attacks, but not before it disrupted supply chains in Canada, the US and Australia.

Wu told Business Day a deeper look is needed for protecting these critical systems. He said hackers are more than capable of breaking into these critical systems and wreaking havoc.

“What if hackers got into a manufacturing system and changed parameters and made defective products? What about hacking into a medical system or a healthcare network?

“In minutes someone could hack into various systems and networks. Hackers’ first step is to get into an easy target and use that as a launchpad to break into more privileged systems."

Wu said while TT is leading the charge in the region in developing systems to combat cyberattacks, a proper defence has to be set up. He said in countries such as Uruguay millions of dollars have already been spent on cybersecurity infrastructure and policies.

But TT, which in Wu’s opinion has the potential to be a fintech and digital hub for the Caribbean, needs to get its house in order.

“Very soon there will be cashless societies where even your money will become digital. If TT has the ambition of becoming a regional fintech hub, it will need infrastructure to attract international organisations to set up regional headquarters.”

He added that cybersecurity is in itself a rapidly growing industry. According to estimates it is worth more than US$200 billion and is growing at a rate of 15 per cent a year.

“TT can build an industry in cybersecurity for itself,” he said. “This will provide jobs and can provide services to the Caribbean.

"If a private company gets hacked they would have to enlist the services of experts in the US and England. Why not have home-grown experts that could fix problems and do investigations at a fraction of the cost?”

Thus far, there are multiple pieces of legislation that deals with cybersecurity and protecting data, but these laws are either partially enacted or not enacted at all.

The Data Protection Act of 2011, for example, provides for the protection of personal privacy and information processed and collected by public bodies and private organisations. But it was only partially enacted in 2021.

Business Day understands that no timetable has been set for enacting the rest of the act, and it is possible that there may be changes to it before it is proclaimed.

Clause 10 of that bill focuses on critical infrastructure and proposes to impose greater penalties on people who intentionally and without lawful excuse or justification access a computer system that affects critical infrastructure. It proposed such an offence would carry a penalty of $2 million and 15 years' imprisonment.

Wu said critical infrastructure organisations currently use industrial SCADA systems – a combination of hardware and software systems which enables the capture of data and automation of industrial processes – to control their critical operations. But these systems are vulnerable to attack.

At a two-day USAID Caribbean Cybersecurity forum held between Tuesday and Wednesday, Wu said UTT’s masters programme in cybersecurity was launched in 2019, is fully accredited by the Accreditation Council of TT (ACTT), and is the first of its kind in the region.

He said the programme now has about 70 active students and has delivered eight graduates so far.

The programme includes courses on computer security; laws, policies, management and economics; digital forensics and cybercrime investigation; hacking and penetration testing; and cybersecurity for critical infrastructure.

He said the programme is rare because cybersecurity programmes are not readily available in the region.

“A general agreement on the best measures and methods for cybersecurity and training has not been reached,” he said. “Not even in the US.

“It is important to establish as much as we can current, up-to-date cybersecurity training offerings, especially for critical infrastructure protection.”

Osvaldo Laracuent, the cybersecurity engineering degree programme co-ordinator at the Instituto Tecnologico de Santo Domingo (INTEC), said since 2002 the Dominican Republic has championed the cause of adopting regulations in digital technologies electronic commerce and cybercrime. He said the newly elected government has put a focus on digital transformation which includes cybersecurity. The Dominican government stressed updating and expanding current legislation on cybersecurity, promoting governance mechanisms and general public awareness and building alliances in cybersecurity

“We have been creating alliances with the US government, Europe and different private-sector entities in order strengthen the local capacity to prevent and promote awareness in our society,” he said.

Wu told Business Day most of the students in the UTT cybersecurity programme see the importance of protecting critical systems and want to meet that need.

“By law, some companies need to set up cybersecurity departments,” he said. “Our graduates may be the first people to grab those new jobs. Some would like to develop their own businesses in that area.”