Coursework Electronic Submission Cover Sheet

Person Number: PN1140823

Student Name: Ye Myat Thway

You should only
complete this field if you
are not submitting this
work anonymously.

Module Code: 6513CSMM

Module Title: Network defences

Coursework Title: Critical Infrastructure and

Threats

Name of Tutor: Daw Lae Win Thwin

Due Date: 25.12.2024

Word Count: 4178

Marker (If different

from tutor):

Group Submission?

Group Members:
Please include the
names of all group
members, and if you are
submitting anonymously
include their six-digit
Person Numbers.

Table of Contents
1. Critical Infrastructure Vulnerabilities and Threats....................................................1
1.1. critical infrastructure...........................................................................................................1
1.3 Impact of IoT Devices on Attacks on Critical Infrastructure...........................................4
2. Security Policy................................................................................................................6
2.1. Introduction/Scope...............................................................................................................6
Fig 1. Physical Network Diagram for Critical Infrastructure Firm........................................7
2.2. Security Policy......................................................................................................................8
2.3. Security Tools.......................................................................................................................9
3. References.....................................................................................................................11
1

1. Critical Infrastructure Vulnerabilities and Threats

1.1. critical infrastructure

Critical infrastructure has been defined as the portfolio of systems, assets, and networks
that become so fundamentally important to the day-to-day operations of a nation, its economy,
and institutional stability. In such infrastructures lie public safety, national security, economic
resilience, or simply vital services that keep modern society alive: energy, water, transport,
healthcare, communications, and financial systems and emergency-response services. These
sectors ensure that the delivery of goods and services is not disrupted, therefore fostering
societal stability and economic growth.
Not every single critical infrastructure sector plays an identical role in supporting
everyday life. Powering the home, industries, and businesses with energy enables the economy
to be productive and advanced in technology. Transportation allows goods and people to move,
facilitating trade, logistics, and individual traffic. Health protection is ensured through the
healthcare system, assurance of prevention of disease outbreaks, and management of
emergencies. Communication networks allow for easy information flow, connecting people,
businesses, and governments. Financial systems supportive of economic transactions and
market stability, and emergency services quick to respond in time of crisis for the safety of the
public. These are often interdependent sectors in a country, so disrupting any one sector can
trigger ripple effects on the other connected sectors, increasing further potential impacts of a
failure.
With technology evolving and deeply embedded in these critical systems, the trend was
toward highly technical solutions and interconnected platforms, which in their way increased the
likelihood of a disastrous failure. Critical infrastructure has one very obvious, fast-growing
challenge: cybersecurity. For instance, power supplies are vulnerable to cyberattacks that can
paralyze whole cities, with subsequent consequences such as a complete standstill of industrial
processes, health centers in disarray, and dysfunctional transport systems. In addition, attacks
on communications disrupt the flow of information and processes of decision-making and
emergency response. Such attacks are typically more sophisticated, better-coordinated, and
exploit various vulnerabilities in systems to affect maximum damage.
Natural disasters further show the weaknesses in critical infrastructures: earthquakes,
hurricanes, flooding, and wildfires damage physical structure, disrupt services, and thereby
create long-lasting obstacles to restore the situation from such devastations. In this manner, an
2

earthquake could kill power plants, water treatments, and transportation routes that render
people devoid of these very services for very long amounts of time. Climate change has also
increased both the pace and magnitude of natural disasters, hence adding more troubles to an
already vulnerable system of infrastructure.
In addition to cyberattacks and natural disasters, a high level of risk can also be posed
by human malicious activities: terrorism, sabotage, and insider threats. Definitely, terrorist
attacks against transport nodes or energy installations result in immediate harm and long
disturbances. Insider threats-when employees intentionally or unintentionally compromise
systems-add another layer of complexity to securing critical infrastructure.
With these vulnerabilities and threats, protection of the critical infrastructure has become
a major concern for governments, private organizations, and international stakeholders.
Protection will be effective only with a multi-layered approach: physical security, cybersecurity,
and risk management strategies. It is expected that governments work in collaboration with
private entities in establishing comprehensive policies and frameworks, considering newly
arising threats. It therefore requires a public-private partnership in sharing information,
resources, and expertise in developing defenses against attacks and ensuring rapid response
capabilities.
The management of risk should first be identifying the vulnerabilities within the systems
and the likelihood and impact assessment of possible threats. This shall be through regular
audits, putting in place advanced monitoring tools, and deploying cybersecurity measures for
protecting the networks and systems. Another layer for hardening of the physical infrastructure
includes hardening the building as well as securing important facilities that ensure resilience
against disasters in relation to nature or even against physical attacks. On the other hand,
developed and tested disaster recovery and continuity plans allow critical services, if disrupted,
to restore very rapidly.
1.2. Examples of a cyber-attack against critical infrastructure
Example1: Stuxnet Worm Attack on Nuclear Facilities
Stuxnet, under MITRE ATT&CK ID: T1569, System Services: Service Execution, was a
super advanced worm that hit the Iranian Natanz nuclear facility in 2010. It spread via infected
USB drives and used bugs like CVE-2010-2568 (Windows shortcut bug) and CVE-2010-2729
(Windows print spooler vulnerability). Once inside, Stuxnet manipulated PLCs through Siemens
Step7 software to control centrifuges by changing their rotation speeds. It did all this without
tripping any alarms. It showed how cyber threats can use infrastructure vulnerabilities to cause
physical damage and remain stealthy.
3

Example2: Colonial Pipeline Ransomware Attack

In 2021, the Colonial Pipeline ransomware attack was attributed to MITRE ATT&CK ID:
T1486 and exploited vulnerabilities in critical energy infrastructure. DarkSide hackers used
stolen credentials from phishing or brute force to get into the pipeline’s systems and encrypt
business data, shutting down the pipeline and causing fuel shortages across the eastern US.
They used a few known vulnerabilities, including CVE-2018-13379 (Fortinet VPNs) and CVE-
2020-1472 (Netlogon). Again, it shows the importance of access controls and patch
management.
Example 3: NotPetya Attack on Ukrainian Power Grid
NotPetya malware (MITRE ATT&CK ID:T1210 - Exploitation of Remote Services) hit
Ukraine’s power grid in 2017. Exploiting SMB vulnerabilities (CVE-2017-0144 (EternalBlue) and
CVE-2017-0145) the malware spread laterally across the network, encrypting critical system
data. Although it pretended to be ransomware, its purpose was destruction, making systems
unworkable. This attack showed the damage that can be done to critical infrastructure, power
distribution and other essential services.
Example 4: Ukraine Power Grid Attack (BlackEnergy)
In 2015 the BlackEnergy malware (MITRE ATT&CK ID: T1203 - Exploitation for Client
Execution) hit Ukraine’s power grid. The attack started with spear phishing emails containing
malicious Office macros which exploited vulnerabilities (CVE-2014-4114 and CVE-2015-2545).
Once inside the attackers used remote access tools to manipulate industrial control systems
(ICS) and cut off electricity to hundreds of thousands of people. This attack showed the risk of
phishing and unpatched software in critical infrastructure.
Example 5: SolarWinds Supply Chain Attack
The SolarWinds supply chain attack in 2020 (MITRE ATT&CK ID: T1195 - Supply Chain
Compromise) hit IT management software used by many organizations. Attackers inserted the
“SUNBURST” backdoor in a legitimate SolarWinds Orion software update. This backdoor-
exploited vulnerabilities (CVE-2020-10148) to get access to sensitive systems and spy. The
attack showed the need for more security in software supply chain to prevent similar breaches.
Example 6: WannaCry Ransomware
The WannaCry ransomware attack in 2017 (MITRE ATT&CK ID: T1486 - Data
Encrypted for Impact) exploited Microsoft Windows vulnerabilities (CVE-2017-0144
(EternalBlue). It spread globally, encrypted data and services in healthcare and transportation
sectors. The attack caused significant downtime and financial loss, showed the importance of
timely patches to prevent such damage.
4

Example 7: Triton/Trisis Malware Attack on Industrial Systems

The Triton malware attack in 2017 (MITRE ATT&CK ID: T0816 - Manipulation of Control
Logic) targeted safety instrumented systems (SIS) at a petrochemical plant. Exploiting
vulnerabilities (CVE-2018-8840) the attackers injected malicious code in Schneider Electric’s
Triconex controllers. This manipulation was trying to disable safety mechanisms, putting
physical damage and human life at risk. Triton showed how cyber threats can compromise
safety-critical systems in industrial environments.
Example 8: Shamoon Malware Attack on Oil and Gas Sector
The Shamoon malware (MITRE ATT&CK ID: T1485 - Data Destruction) hit Saudi
Aramco in 2012, one of the largest oil and gas company. The malware infected systems and
overwrote master boot records, making them unusable. Shamoon exploited weak network and
lack of IT-OT segmentation to spread inside the organization. This attack showed the
destructive power of malware to disrupt energy sector operations, with big impact on
productivity and data availability.

1.3 Impact of IoT Devices on Attacks on Critical Infrastructure

The rapid adoption of IoT devices revolutionized critical infrastructure, enabling greater
efficiency, automation, and connectivity. In so doing, it opened a Pandora's box by allowing new
vulnerabilities that raised the stakes for cyberattacks targeting these important systems much
higher. The devices ranged from simple smart sensors and controllers to interconnected
industrial equipment, integral to critical sectors including energy, transportation, healthcare, and
water management. While their benefits cannot be doubted, the broad applications and inherent
security challenges within make critical infrastructure more exposed to cyber threats.
This makes IoT devices one of the major contributors to the increasing attacks due to
their intrinsic incapacity for robust security. Most IoT devices are designed mainly for
functionality and cost efficiency, thus compromising on security. Most of them lack encryption,
secure authentication protocols, and firmware updates, thus being easy targets for attackers.
Poor credential usage, such as the default usage in IoT devices or poor password construction,
may enable an attacker to access systems that provide a doorway to greater and more critical
infrastructure.
This is further exacerbated by the nature of IoT devices: one compromised device opens
a door for lateral movement across networks to critical systems by attackers. This is particular
concern in critical infrastructure settings where many IoT devices interact with ICS and SCADA
5

systems, though the impact of such kinds of breaches results in complete disruption of whole
operations due to service outages, economic losses, and even threats of public safety.
Besides, IoT devices generate large volumes of data, which could be intercepted or
manipulated in case proper security measures are not taken. Cybercriminals may eavesdrop on
sensitive communications, disrupt data flows, or launch an attack driven by data through the
exploitation of vulnerabilities. For example, DDoS attacks have increased drastically with the
recent proliferation of IoT devices. Attackers compromise large numbers of unsecured IoT
devices to form botnets, which are then used to flood critical systems with traffic, overwhelming
their capacity and causing significant disruptions.
Other factors contribute to this situation: there are no unified security frameworks for IoT
devices because their producers usually apply several diverse security practices. That
inconsistent protection of the device opens the gap that the attacker could enter. Also,
organizations' inability to manage large-scale IoT deployments in critical infrastructure
diminishes the capabilities for visibility and control of all the devices connected to the
organizational network. Without proper asset management, vulnerabilities cannot be found and
mitigated in real time.
Remote work and the use of IoT devices for remote monitoring and control have also
increased the attack surface for critical infrastructure. While organizations are increasingly
dependent on IoT-enabled solutions that can help them manage operations remotely, this has
created more opportunities for attackers to exploit insecure connections or poorly configured
devices. This necessitates secure access protocols, strong authentication mechanisms, and
thorough monitoring of IoT systems.
The organizations operating critical infrastructure should make IoT device security a
priority. This will include best practices like frequent software updates, strong authentication
methods, and end-to-end encryption of device communications. Network segmentation can also
be used to isolate IoT devices from sensitive systems, reducing the risk of lateral movement in
case of a breach. Of equal importance is cooperation among manufacturers, regulatory
authorities, and infrastructure operators in industry-wide security standards when designing IoT
devices.
While IoT devices can provide a big boost to both efficiency and functionality, especially
in the case of critical infrastructure, they do offer significant pathways for security risk. These
are related to how vulnerabilities and challenges from the said devices allow more attacks to
rise against critical systems. All these risks call for an active and coordinated mitigation
6

approach to IoT security so as not to diminish the benefit of IoT integration due to the increased
threat of cyberattacks.

2. Security Policy

2.1. Introduction/Scope

This Cyber Security Policy is developed from the basic need to protect computers,
devices, and networks in critical infrastructure firms from this exponentially increasing threat.
Due to the continuous sophistication of these threats, it becomes of essence that there is a
proactive, holistic approach in reducing vulnerability and minimizing the probability of
exploitation in protecting integrity in operations. The aim of this policy is to provide a guideline
toward the implementation of effective security measures for organizational assets, including
hardware, software, and communication networks, in assuring the continuous and secure
operation of critical infrastructure systems.
This policy will also apply to all devices and systems within the organization, including
desktops, laptops, servers, mobile devices, networking equipment, or even Industrial Control
Systems like Supervisory Control and Data Acquisition systems. Most of these systems are a
backbone to operations in critical infrastructure and hence very important. This policy is
applicable to both on-site and remote working environments and ensures that all endpoints
within the organization's physical premises or remotely connected are held to the same security
standard. Firm-provided devices, personally owned devices used to access work, better known
as BYOD, and any third-party systems connecting to the organization's network are within the
scope of this policy, which aims at preventing unauthorized access and mitigating risks from
unregulated devices.
The policy covers the isolation and protection of critical systems from unauthorized
physical and digital access through the use of LANs, secured server rooms, and physical
access control systems for on-site operations. It also provides for remote working scenarios with
requirements for secure connections through VPNs and MFA to safeguard access to
organizational systems from external locations. Also, cloud-based services that are increasingly
integrated into the operation of critical infrastructure are within the scope, with stringent
requirements for data encryption, secure access protocols, and regular monitoring.
The Cyber Threat and Exposure policy focuses on the overall guides that are necessary
in diminishing risks from cyber threats and, in the process, uphold operation integrity. This
document should apply to all the staff members, contractors, and vendors engaged with the
7

organization in maintaining a coherent and collective way of approaching cybersecurity policies.

In being specific about clear parameters, the extension of measures with regard to all device
configurations and networks make it possible to create a tough security framework for critical
infrastructures against ever-evolving cyber threats.

Fig 1. Physical Network Diagram for Critical Infrastructure Firm

8

2.2. Security Policy

This security policy stipulates, in general terms, appropriate measures to avoid cyber
threats and vulnerabilities; it applies to network security, system integrity, remote work
practices, and business continuity planning to ensure the ability to continuously operate even
should there be a cyber incident or any other disruption affecting operations.
Network Security is utmost important as it protects sensitive information and upholds the
integrity of related systems. The organization shall be designed to have very strong firewalls,
intrusion detection systems, and intrusion prevention systems that shall monitor and block
unauthorized access to the network. Network segmentation shall be employed to segregate
critical systems, including Industrial Control Systems, away from general IT traffic and reduce
the risk of an attacker's lateral movement across the network in case of a breach. Access
control and restrictions to network zones will be granted based on the role or responsibility by
using VLANs and ACLs. Besides, all network traffic will be encrypted using secure protocols like
TLS and IPSec to maintain the confidentiality and integrity of the data in transit. This will be
made possible through continuous monitoring and logging of network activity, enabling real-time
detection of anomalies; periodic vulnerability assessment and active penetration testing to
identify and fix weaknesses.
System Security protects all hardware and software assets from unauthorized access
and exploitation. Antivirus software and endpoint detection and response solutions will be
installed on all devices to provide protection against malware and other threats. Regular
software updates and patch management processes will be implemented to address known
vulnerabilities in operating systems, applications, and firmware. MFA will be needed to ensure
access to critical systems, while RBAC will help in providing access to sensitive systems and
data considering the job functions of users. Besides, all kinds of data stored on company-owned
devices or servers will go through encryption to protect the information from being accessed
should the device get stolen or lost. Audit trails and logging mechanisms shall be maintained to
track user activity to provide accountability and support forensic analysis in the event of a
security incident.
With more staff connecting to the systems from outside the conventional office
environments, there will be a need for Remote Working Security. The remote workers will be
obliged to use company-approved devices that are configured with the latest security settings,
including encryption and antivirus protection. All remote connections should be made via a
secure Virtual Private Network (VPN) that will encrypt communications between the employee's
device and the company network. They cannot connect to work using a public Wi-Fi without
9

VPN. Strict BYOD policies shall ensure that personal devices brought to work are up to the
security standards of the organization. Regular training regarding how to identify and evade
phishing attempts, malware, and other social engineering ploys that target remote workers will
be provided.
Business Continuity Planning ensures that the organization remains operational during
and after a cyber incident. A detailed incident response plan will be developed, describing the
actions to be taken in case of a security breach. Critical systems will be regularly backed up,
with backups stored securely offsite or in the cloud. Redundant systems and failover
mechanisms will be implemented to maintain essential operations during disruptions. The
regular exercises in disaster recovery will test the preparedness of the organization and show
the shortfalls that need to be emended. Crisis communication will ensure timely updates to
stakeholders, employees, and customers during incidents, thus reducing the impact of any
potential downtime. This policy creates a single, resilient approach to cybersecurity, with care
for all the critical aspects of modern infrastructure protection and seamless operational
continuity in any environment.

2.3. Security Tools

It requires organizations to implement a multilayered approach toward protecting critical

infrastructure from vulnerabilities and cyber threats using advanced security tools capable of
preventing, detecting, and reducing the impact of an attack. Only such advanced security tools
will be able to create resilient defenses that accurately identify, mitigate, and protect sensitive
systems and reduce disruptions in case of an attack. Such steps of prevention basically depend
on different hardware control systems of firewalls, intrusion prevention, controlling access
towards network access, blocking unauthorized ones. The next-generation firewall adds up in
deep packet inspection and application-layer filtering capability on behalf of higher levels of
protection for the most advanced attacks. In that perspective, there goes the importance of
protection given by endpoint protection platforms through their antivirus solutions to systems or
devices against malware or ransomware forms of such malicious software taking advantage in
vulnerability situations. Vulnerability scanners are a tool that can assist organizations in finding
weaknesses within systems, applications, and network configurations before an attacker does.
Common examples include Nessus or Qualys.
SIEM systems form the basis of real-time threat detection. Splunk or IBM QRadar-like
SIEM tools consolidate and analyze log data across the network, providing actionable insights
with alerting to security teams. Complementing these would be intrusion detection systems
10

monitoring network traffic for any potential breach and offering another layer of visibility into
abnormal behaviors. Solutions like CrowdStrike or SentinelOne are examples of EDR that
extend detection capabilities to the device level, giving security teams the ability to detect,
investigate, and respond to threats at the endpoint level. For higher-order detection of newly
emerging threats, organizations could also deploy NTA solutions and AI-driven solutions with
machine learning to find patterns of attacks that have never been seen before.
This will be achieved through the use of tools that can contain incidents and provide
remediation as quickly as possible to reduce potential harm to critical systems. Automating
incident response involves the use of automated incident response tools, typically SOAR
platforms, running pre-defined playbooks and orchestrating the response across teams. Data
backup and recovery are very important to reduce the impact of a ransomware attack or loss of
data, so the organization can restore systems and resume operations with no downtime.
Disaster recovery tools, ranging from backup software to cloud-based recovery platforms,
secure critical data and configurations while providing access during an emergency. All for the
improvement of resilience: network segmentation tools help segregate compromised systems in
order to negate the ability of lateral movement within a network or taking over sensitive systems
such as SCADA or Industrial Control Systems by the attacker. Additionally, the TIPs also offer
real-time data of TTPs, thus allowing subscribers to improve their defense capabilities against
recently minted threats on a proactive basis.
Finally, organizational resilience has to be nurtured through continuous monitoring and
testing using tools such as a penetration test framework and red team exercises. These
simulated real-world attacks help to expose weaknesses and enhance the organization's ability
to respond effectively to cyber threats. These security tools together provide an all-
encompassing strategy to prevent, detect, and reduce impact, thereby ensuring that critical
infrastructure remains secure and operational in the increasingly hostile cyber environment.
2.4. Recommendations
In fact, this would be effective in the security policy if the personnel is informed and
empowered on the measures of taking care of cybersecurity while working. Additionally, workers
should consider the use of strong and unique passwords for every work account seriously,
enabling multi-factor authentication whenever available. This adds an extra layer of security
against unauthorized access if your password gets compromised. People are a very common
attack vector, so personnel should be watchful about phishing. That includes not clicking on
links and attachments, unless one is sure of who sent the email or that the source is safe. It is
also very important to continue training in cybersecurity regarding evolving threats, best
11

practices, and the security protocols of the institution. Such training provides a security-first
mindset and equips the staff to recognize and respond properly to potential risks.
While working from home, employees should only access the organization's systems
through the use of secure Virtual Private Networks, which ensure encryption of sensitive data
transferred over the internet. It is recommended that personnel avoid working on public Wi-Fi
without using a VPN connection, as such networks are usually not secured and may be prone to
interception by attackers. For those whose work is enabled by the BYOD culture, some key
organizational security requirements will involve installing antivirus software, encryption of
devices, and periodic updating of one's system for vulnerability management. Employees must
be extra careful in disclosing sensitive information; it must be transmitted via approved
encrypted channels only.
Other key recommendations entail not installing unauthorized software or applications,
as these might introduce vulnerabilities or malware into the organization's systems. Any
suspicious system behavior or suspected security incident should be reported to the IT or
security team in time, so that prompt investigations and response to potential threats can be
made. The principle of least privilege in access should also be implemented to ensure that
personnel are accessing systems and data based on the role that the person is performing. This
minimizes the chances of accidental or intentional misuse of sensitive resources.
To support secure practices in physical environments, employees should make their
workspaces secure, especially when they work remotely. This involves locking screens when
leaving them unattended, using privacy screens to block visibility to unauthorized viewers, and
storing any printed documents containing sensitive information in a secure manner. Lastly,
allowing free discussions about cyber concerns motivates personnel to stay updated with, and
work together in respect of, the problems concerning security. By following these
recommendations, the workers play a very vital role in the development of improved general
defenses within the organization against the rising cyber threats and realization of successes for
the instituted policies.

3. References

IEEE (2023). Cybersecurity Challenges in Critical Infrastructure: A Review. IEEE Transactions

on Industrial Informatics, 19(2), pp. 2020–2032. Available at: https://ieeexplore.ieee.org/

NIST (2021). Framework for Improving Critical Infrastructure Cybersecurity. [Online] Available
at: https://www.nist.gov/cyberframework
12

ISO (2020). ISO/IEC 27001: Information Security Management Systems. [Online] Available
at: https://www.iso.org/isoiec-27001-information-security.html (Accessed: 25 December 2024).

IEEE (2016). Cyberattack on the Ukrainian Power Grid: A Case Study on Cybersecurity in
Critical Infrastructure. IEEE Transactions on Smart Grid, 7(3), pp. 1512–1520. Available
at: https://ieeexplore.ieee.org/document/7412356

Loukas, G. (2016). Cyber-physical attacks on critical infrastructures: A survey. IEEE Access, 4,

pp. 2028–2041. Available at: https://ieeexplore.ieee.org/

Clark, D. D. et al. (2019). Cybersecurity resilience in IoT: Addressing challenges and

vulnerabilities. Proceedings of the IEEE, 107(6), pp. 1075–1098. Available
at: https://ieeexplore.ieee.org/

Humayed, P. et al. (2017). Cyber-physical systems security—A survey. IEEE Internet of Things
Journal, 4(6), pp. 1802–1831. Available at: https://ieeexplore.ieee.org/

Sollins, K. R. et al. (2021). IoT security mechanisms in critical infrastructure: Challenges and
strategies. IEEE Internet Computing, 25(3), pp. 57–64. Available at: https://ieeexplore.ieee.org/