By Sylvia Wanjira
What is critical infrastructure?
Critical infrastructure refers to any physical systems or assets that are vital to the citizens of a country, and whose destruction or incapacitation would have debilitating effects on the safety, health, and economy of that country.
In Kenya, under the Computer Misuse and Cybercrimes Act 2018 (CMCA), critical infrastructure is defined as “the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Kenyans and the effective functioning of Government.”
The Act also defines a critical information infrastructure system or data as “an information system, program or data that supports or performs a function with respect to a national critical information infrastructure.” Under section 9 of the CMCA, the Director of NC4 (the National Computer and Cybercrimes Coordination Committee) is given the power to designate critical information infrastructure. The identified critical infrastructure sectors or systems in Kenya include the:
- Defence, public safety, and security sector
- Banking and Finance sector
- The Electoral and Judicial sector
- Health, Education, Food, Water, and Land sector
- Telecommunications sector
- Energy, Transport, and Industry sector
Critical infrastructure is the foundation of contemporary society and is crucial to the development of a country. Critical infrastructure supports not only the efficient running of companies and services but also long-term confidence and planning in an area, and consequently sustained levels of investment; it is therefore essential for economic growth.
However, the services that critical infrastructure provides can be disrupted, and cyberattacks are among the causes of such disruptions.
Common Types of Cyberattacks on Critical Infrastructure
The most common types of cyberattacks on critical infrastructure include malware and ransomware, which disrupt the functionality of these internal systems. Ransomware attacks involve the encryption of a victim’s files and a demand for payment in exchange for the decryption key.
Distributed Denial of Service (DDoS) attacks involve overwhelming a network with traffic to make it unavailable to users. Phishing attacks involve tricking users into giving up sensitive information by posing as a legitimate entity.
Overview of Recent Cyberattacks on Critical Infrastructure
Around the world, cyberattacks on critical infrastructure have continued to increase over the years. The most high-profile example of a cyberattack against critical infrastructure is the Stuxnet worm.
The worm, which targeted programmable logic controllers (PLCs), disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material. In July 2021, South Africa’s ports were almost totally shut down after a ransomware attack.
Kenya is not immune to this increase in cyberattacks on its critical infrastructure. In fact, in 2017, Safaricom managed to stop an attempted attack by hackers who sought to gain access to customer funds in M-PESA. The following year, the National Bank of Kenya admitted that it had lost approximately Ksh. 29 million in a fraud attack.
Safaricom’s M-PESA platform experienced another attack in 2019 that caused an outage across the country, leading to a loss of millions of shillings across many economic sectors within two hours of the Denial-of-Service attack. Another incident occurred in May 2021, when the systems of the National Hospital Insurance Fund (NHIF) were allegedly hacked, leading to the exposure of Personally Identifiable Information (PII) belonging to millions of Kenyans.
However, NHIF dismissed those claims. Recently, on 21st April 2023, there were reports that Naivas supermarket had allegedly been hacked and that a large amount of confidential data had been stolen.
These cyberattacks highlight the vulnerabilities of Kenya’s critical infrastructure and the need for better cybersecurity measures to protect these systems from future attacks.
Cybersecurity Measures for Critical Infrastructure
Kenyan law recognizes the importance of critical infrastructure and the potential dangers that it faces especially from cybercriminals. It has thus put in place measures to protect critical infrastructure.
The CMCA states that the Committee (NC4) should consult with any person who owns critical infrastructure and submit its recommendations on the entities to be gazetted as critical infrastructure. Thereafter, the Committee is mandated to:
- Conduct risk, threat, and vulnerability assessments to determine the probability of a cyberattack across all sectors.
- Determine the harm that the country’s economy may incur in the case of a breach.
- Measure the overall preparedness of each sector against breaches or attacks.
- Identify any other risks that might endanger public safety and health or national socio-economic well-being.
- Make recommendations to the owners of critical infrastructure systems on the best methods to secure those systems against cyber threats or attacks. Examples include firewalls, data encryption, and threat detection systems.
The Act additionally makes provisions for the reporting of attacks on critical infrastructure. In the event of a threat, the owner should report any incident arising from the threat to the Committee and state the course of action they intend to take to manage it.
Upon receipt of such a report, the Committee is tasked with providing technical assistance to mitigate the threat. Further, the Committee has been given the power to institute its own investigations on a critical infrastructure so as to ensure its security. The Act also provides for information-sharing agreements, under which a private entity can enter into an agreement with a public entity to ensure cybersecurity, protect the life of an individual or property, protect national security, and investigate and prosecute cybercrimes.
Finally, the Act makes provision for the annual auditing of critical infrastructure by the Committee to ensure compliance.
These cybersecurity measures that are in place are very effective in protecting and securing the critical infrastructure in Kenya.
Challenges of Securing Critical Infrastructure
Despite the above measures being put in place under Kenyan law, there are still challenges that owners of critical infrastructure continue to face. First, networks are growing rapidly and are being reconfigured and reengineered every day. The owners and the government therefore need to keep up with this pace so as to avoid introducing vulnerabilities.
Secondly, developing the information sharing and coordination capabilities needed to effectively deal with computer threats and actual incidents is complex and challenging.
Thirdly, insufficient funding for the critical infrastructure sector poses a great challenge, because cyber protection requires significant investment in cybersecurity tools and personnel. Limited resources allocated to cybersecurity can lead to inadequate protection of critical infrastructure, leaving these systems vulnerable to cyberattacks.
Fourth, cybersecurity is a complex field that requires specialized skills and knowledge. However, there is a shortage of cybersecurity experts in Kenya, making it difficult to implement effective security measures and respond to cyber threats in a timely manner.
Further, there is limited awareness and training for most employees working in critical infrastructure sectors. This can result in security breaches due to unintentional actions such as opening malicious emails or using weak passwords.
Last but not least, critical infrastructure faces the continual challenge of balancing access and transparency against protecting constituents’ sensitive information. This challenge arises from the need for a level of openness, which in turn makes it difficult to prevent all intrusions.
Cyberattacks on critical infrastructure in Kenya pose a significant threat to the country’s security and stability. It is therefore crucial for organizations and governments to take cybersecurity seriously and implement robust measures to protect critical infrastructure from cyberattacks. Failure to do so can result in significant financial losses, damage to critical systems, and harm to the general public.
Sylvia Wanjira, Jomo Kenyatta University of Agriculture and Technology