Six Key Risks in Attack Surface Management for Critical Infrastructure
Why should critical infrastructure systems care about attack surface management (ASM)?
In February 2024, the U.S. healthcare system suffered a major blow when the BlackCat/ALPHV ransomware group attacked Change Healthcare, the largest U.S. health payment processor, disrupting its services for nearly a month. The attack crippled pharmacies, hospitals, and clinics nationwide, leaving them unable to process prescriptions, schedule routine visits, or deliver essential care. The American Hospital Association labeled it the most consequential attack in U.S. healthcare history, underscoring how badly a cyberattack on critical infrastructure can hurt the people who depend on it.
Why Attack Surface Management Matters for Critical Infrastructure
By now, we know that no sector is immune to cyber incidents. When critical infrastructure is hit, though, the damage is not confined to the victim organization: it cascades into the physical services that depend on it. Consider these recent incidents:
This year, Dutch ethical hackers uncovered vulnerabilities in internet-connected solar IoT devices that could have caused widespread outages and financial losses if exploited. In 2023, Iran-linked hackers compromised a municipal water authority in Pennsylvania, forcing it to switch to manual operation, and in 2022 the Russian group Sandworm attacked Ukraine's power grid, causing blackouts.
The 2021 Colonial Pipeline ransomware attack, which caused fuel shortages along the U.S. East Coast, shows how the compromise of a single operator can disrupt an entire region. The pro-Russian KillNet group's DDoS campaigns against healthcare, energy, and defense organizations show the other dimension: targets spread across many countries at once.
How far an attack spreads depends on which exposure the attacker found, and that is hard to predict in advance. What these incidents share is a lapse in attack surface management (ASM): an internet-reachable system, a device, or a vendor connection that the operator was not adequately tracking or guarding. The safety of critical infrastructure depends on how well its attack surface is known and defended.
Six Key Risk Areas in Attack Surface Management
Over years of client engagements and incident analysis, Hadrian has identified six common areas where critical infrastructure operators fall short in attack surface management:
Incomplete asset discovery and shadow IT
Many critical infrastructure operators do not know the full extent of their connected assets, so unmanaged systems, or "shadow IT", slip through the cracks. Legacy devices, such as SCADA systems in utilities, often go unnoticed because they were never integrated into the organization's modern asset management tooling, and an asset that is not in the inventory is never patched, monitored, or scoped into a pentest.
Solution:
Continuous asset discovery: This service ensures real-time tracking of all assets, identifying shadow IT and unmanaged systems to keep everything visible.
IoT & OT visibility: Particularly important for critical national infrastructure (CNI) operators, this ensures that both legacy industrial systems and newer IoT devices are monitored so they are not left exposed in complex networks.
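The core of continuous asset discovery is a reconciliation loop: take what the organization believes it owns (a CMDB or inventory export), compare it with what collectors actually observe (DNS zones, certificate transparency logs, external scans, passive OT monitoring), and raise the differences. The script below is an added example written for this article, not Hadrian's product or any customer's data; the inventory rows, discovery records, and the `Discovered` record type are constructed for illustration, and the port-to-protocol mapping assumes vendor default ports. It flags three things a practitioner cares about: hosts discovery found but the inventory does not know (shadow IT), industrial protocols reachable from the internet or from outside the OT zone, and inventory entries nobody can find any more (stale records).

```python
"""Reconcile an asset inventory against what discovery actually found.

Example code added for this article; it is not Hadrian's product and
uses no real customer data. Every inventory row and discovery record
below is constructed for illustration. Port-to-protocol names assume
vendor default ports (no remapping).
"""
from dataclasses import dataclass

# Industrial protocols that should only be reachable inside an OT zone.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
            20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Discovered:
    host: str              # name from DNS, a certificate, or reverse lookup
    ip: str
    open_ports: tuple      # ports answering on the last scan
    source: str            # collector that found it
    internet_facing: bool  # True when the collector reached it from outside


# Constructed CMDB export: what the organization believes it owns.
INVENTORY = {
    "hmi-01.plant.example": {"owner": "ops", "zone": "ot",  "ip": "10.10.5.20"},
    "scada-hist.example":   {"owner": "ops", "zone": "ot",  "ip": "10.10.5.21"},
    "www.example":          {"owner": "web", "zone": "dmz", "ip": "203.0.113.10"},
    "vpn.example":          {"owner": "it",  "zone": "dmz", "ip": "203.0.113.11"},
}

# Constructed discovery feed merged from several collectors.
DISCOVERED = [
    Discovered("www.example", "203.0.113.10", (443,), "external_scan", True),
    Discovered("vpn.example", "203.0.113.11", (443,), "external_scan", True),
    Discovered("hmi-01.plant.example", "10.10.5.20", (502,), "passive_ot", False),
    # A cellular-connected pump controller nobody registered, seen in CT logs.
    Discovered("pump-ctl.example", "198.51.100.7", (80, 502), "ct_log", True),
    # A forgotten staging host still published in the public DNS zone.
    Discovered("staging-api.example", "203.0.113.50", (443, 8080), "dns_zone", True),
]


def reconcile(inventory, discovered):
    """Return shadow IT, exposed OT services, and stale inventory entries."""
    known_ips = {row["ip"]: name for name, row in inventory.items()}
    shadow_it, exposed_ot = [], []
    seen = set()

    for asset in discovered:
        # Match by name first, then by IP, so a renamed host is not mislabelled.
        name = asset.host if asset.host in inventory else known_ips.get(asset.ip)
        if name is None:
            shadow_it.append(asset.host)
        else:
            seen.add(name)
        zone = inventory[name]["zone"] if name else "unknown"

        for port in asset.open_ports:
            proto = OT_PORTS.get(port)
            # An industrial protocol is a finding when the asset is reachable
            # from the internet or lives outside the OT zone per the inventory.
            if proto and (asset.internet_facing or zone != "ot"):
                exposed_ot.append((asset.host, port, proto))

    stale = sorted(set(inventory) - seen)
    return {"shadow_it": sorted(shadow_it),
            "exposed_ot": sorted(exposed_ot),
            "stale": stale}


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{category}: {items}")
```

Run on the constructed data, the loop reports the pump controller and the staging host as shadow IT, the controller's Modbus service as an exposed OT protocol, and the SCADA historian as a stale record. The HMI is not flagged because the inventory places it in the OT zone and the passive collector saw it only from inside. In a real deployment the feed would be refreshed continuously and the three lists routed to the owning teams.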
Fragmented security and governance
Fragmented oversight is another common problem, with different divisions managing security in silos rather than as a cohesive strategy. Energy grids or water treatment facilities may use different security policies across regions, making it difficult to coordinate cyber responses across the entire infrastructure.
Solution:
Compliance reporting automation: This tool helps align all divisions under a unified compliance framework, ensuring consistent adherence to regulations across the board.
Automated vulnerability management: It prioritizes the elimination of critical risks across fragmented networks, unifying security efforts under a common strategy.
Limited threat intelligence integration
Many CNIs rely on outdated or static threat models that react to incidents instead of anticipating them. A power utility, for example, might deploy basic firewalls but never integrate real-time threat intelligence, leaving it blind to emerging risks and to attacker infrastructure already aimed at it.
Solution:
Automated penetration testing: Simulates real-world attacks to identify exploitable vulnerabilities before an attacker does, so defenses are prepared rather than improvised.
DNS monitoring: Protects against phishing, brand abuse, and targeted threats by watching for suspicious activity at the DNS level, such as newly registered lookalike domains.
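One concrete piece of DNS-level monitoring is lookalike detection: generating the typosquat permutations of your own domain and checking every newly observed domain (from certificate transparency logs or passive DNS) against them. The code below is an added example for this article, not Hadrian's DNS monitoring; the brand domain `acmeenergy.com`, the observed-domain feed, and the function names are constructed. It covers the common permutation classes (character omission, repetition, transposition, single homoglyph substitution, hyphenation, and TLD swap) and additionally flags domains that embed the brand name in a longer label, which is how most phishing domains are actually built.

```python
"""Flag newly observed domains that impersonate a brand domain.

Example added for this article (not Hadrian's DNS monitoring). The brand
domain and the observed-domain feed are constructed; a real deployment
would read the feed from certificate-transparency logs or passive DNS.
"""

# One-character look-alike substitutions (assumption: ASCII only).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def candidates(brand, tlds=("com", "net", "org")):
    """Map each typosquat permutation of 'label.tld' to the technique used."""
    label, _, tld = brand.lower().partition(".")
    variants = {}  # label variant -> technique (first generator wins)

    def add(variant, technique):
        if variant != label and variant not in variants:
            variants[variant] = technique

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i + 1] + ch + label[i + 1:], "repetition")
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    for i in range(1, len(label)):
        add(label[:i - 1] + label[i] + label[i - 1] + label[i + 1:], "transposition")
        add(label[:i] + "-" + label[i:], "hyphenation")

    out = {f"{v}.{t}": tech for v, tech in variants.items() for t in tlds}
    for t in tlds:
        if t != tld:
            out[f"{label}.{t}"] = "tld-swap"
    return out


def classify(brand, observed):
    """Return (domain, technique) for every observed domain that mimics brand."""
    brand = brand.lower()
    label = brand.partition(".")[0]
    lookalikes = candidates(brand)
    findings = []
    for name in observed:
        d = name.lower().rstrip(".")
        if d == brand or d.endswith("." + brand):
            continue  # inside our own zone: not a lookalike
        if d in lookalikes:
            findings.append((d, lookalikes[d]))
        elif label in d.replace("-", "").replace(".", ""):
            findings.append((d, "brand-in-name"))
    return findings


# Constructed feed of newly seen domains, as a CT-log watcher might emit them.
OBSERVED = [
    "acmeenergy.com",          # our own apex
    "portal.acmeenergy.com",   # our own subdomain
    "acme-energy.com",         # hyphenation
    "acmeenrgy.com",           # omission
    "acmeenergy.net",          # TLD swap
    "acm3energy.com",          # homoglyph
    "acmeenergy-login.com",    # brand embedded in a longer label
    "unrelated.org",
]

if __name__ == "__main__":
    for domain, technique in classify("acmeenergy.com", OBSERVED):
        print(f"{domain:24s} {technique}")
```

The permutation table is built once per brand and the feed is checked against it with a set lookup, so the cost is dominated by feed volume, not by the number of variants. Unicode homoglyphs (IDN domains) are deliberately out of scope here; a production monitor would add them and would also check whether a flagged domain has MX or A records, since a parked name is a lower-priority finding than one that already serves a login page.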
Operational constraints
The need to maintain uninterrupted operations often prevents CNIs from applying security patches or updates on time. A manufacturing plant might postpone vulnerability scans to avoid downtime, leaving its systems exposed in the meantime.
Solution:
Automated vulnerability management: This solution focuses on identifying and eliminating the most critical vulnerabilities automatically without disrupting operations.
IoT & OT visibility: Provides continuous monitoring without affecting uptime by tracking assets passively (for example, from network taps or SPAN ports) rather than actively probing them; many PLCs and other industrial controllers were not built to tolerate unexpected scan traffic and can fault or reboot when probed.
Inadequate workforce and expertise
The shortage of cybersecurity professionals skilled in both IT and operational technology (OT) environments further complicates ASM implementation. Many facilities rely on outdated skill sets, making it difficult to deploy and maintain complex ASM tools effectively.
Solution:
Compliance reporting automation: Reduces the administrative burden on cybersecurity teams by automating reporting tasks.
Automated penetration testing: Helps overburdened security teams by running simulations without requiring constant manual intervention.
Supply chain vulnerabilities
Critical infrastructures depend heavily on external vendors for software and hardware, exposing them to supply chain attacks. For instance, compromised vendor software used in water treatment facilities could serve as a backdoor for attackers to infiltrate the entire system.
Solution:
Third-party risk monitoring: Continuously monitors vendors and third-party providers, minimizing exposure to supply chain risks.
Cloud misconfigurations management: Detects security issues within cloud services used by vendors, reducing the likelihood of breaches through cloud-based tools.
Adopting these measures reduces risk and also improves business processes. Take the case of our client below:
Case in Point: SHV Energy
SHV Energy, a global leader in off-grid energy distribution, plays a crucial role as critical national infrastructure by delivering sustainable and renewable energy solutions across 25 countries.
The company faced challenges with asset management due to the deployment of IoT, OT systems, and cloud technologies, compounded by mergers and acquisitions that increased the workload for its security teams.
To overcome these issues, SHV Energy implemented Continuous Asset Discovery and IoT & OT Visibility tools from Hadrian, improving visibility into its digital environment and automating manual tasks. With Automated Penetration Testing and Vulnerability Management, the company prioritized risks effectively and streamlined workflows, saving 40 hours weekly.
These measures enhanced security alignment with business goals, enabling a proactive and efficient security strategy.