Sunday, 28 June 2026

Securing Critical Infrastructure 

By: Bikal Dhungel 

(Disclaimer: The views and opinions expressed in this article are solely my own and do not reflect the official policy or position of my employer)

In September 2015, a ransomware attack hit several European airports, including London Heathrow, and brought them to a complete standstill. Staff had to handle check-ins and boarding manually, which was a massive headache for an airport that serves over 80 million people a year. Beyond the delays, the stress on people traveling for medical care, work, or family was immeasurable. These kinds of disruptions don't just stay in one place; they ripple outward. For example, a 2025 cyberattack on Jaguar Land Rover stopped production worldwide, and back in 2017, the WannaCry attack on the UK health system affected hundreds of clinics. Doctors couldn't access records and surgeries had to be canceled, which is life-threatening. If a power grid gets hacked, it could mean no lights, no heat in winter, and no phone service. Thousands of these attacks are recorded every few months, and with AI making them more sophisticated, we have to take security seriously to prevent widespread chaos.

The initial step in this endeavour is to identify which infrastructures are to be secured, how, by whom, using which tools and mechanisms, and relying on which frameworks. I think that, in the Nepalese context, five key areas need particular attention: Banking and Digital Payment Systems, Telecommunication Networks, Aviation Systems, Energy Grids and Hydropower Plants, and Healthcare Institutions.

 

1) Banking and Digital Payment Systems: Online banking and payment are widely used nowadays, providing the lifeline for businesses to run and for citizens to carry out their daily transactions smoothly. Disruptions here would stifle their ability to fulfil basic needs. They can cause mass panic, often leading to bank runs, and when citizens have no means to purchase goods for daily consumption, looting and vandalism might occur.

2) Telecommunication Networks: The telecommunication system is not merely a communication medium between two individuals or entities; rather, it is increasingly integrated into everything from education to healthcare, from public services to energy systems, digital payment systems and other domains. Any disruption in this sector is highly likely to halt a wide range of services. The impact can be sensed by analysing the recent attack on Singapore's four main providers using a zero-day vulnerability in their firewalls. Furthermore, we live in a society where smartphones and social media have become an integral part of life. Some people have developed an addiction to them, without which it will be difficult for them to carry on with life. Yet, for others, smartphones are a Swiss Army Knife, as Jonathan Haidt has put it in his beautifully written book, The Anxious Generation. Smartphones and social media rely on telecommunication systems to run. Without the internet, most of the applications we use are useless.

3) Aviation Systems: Aviation is a lifeline for Nepal if road transport is blocked, for example by natural calamities or blockades by foreign countries. The recent Iranian attacks on the UAE and Qatar demonstrated that any disruption in the aviation sector triggers a multifaceted crisis. Hence, protecting the aviation industry from cyberattacks is vital to maintaining stability.

4) Energy Grids and Hydropower: Hydropower provides nearly all of Nepal's electricity generation, and any turbulence or breach in this sector could lead to total economic and societal paralysis. Modern energy grids are hugely interconnected, and international experience, such as the Mumbai power outage in 2020, shows that even an attack on a single substation can cause a regional blackout. Furthermore, Nepal's policy makers aim to electrify every kitchen to reduce dependency on imported LPG for cooking. In a scenario of total blackout caused by a cyberattack, the impact is going to be huge, and not only for people who can no longer cook using electricity.

5) Healthcare Institutions: Unlike other sectors, where the risks of cyberattacks are economic or financial, in the health sector they pose a direct threat to human lives and patient safety. When emergency surgeries cannot be conducted, when patient information cannot be retrieved from electronic medical records (EMR), when the health information system does not work, when patients' lab reports cannot be read, this could mean the end of life for many patients. The Internet of Medical Things (IoMT) is widely used nowadays at the consumer level. These devices can be hacked too. In 2018, security researchers Billy Rios and Jonathan Butts demonstrated how they could deliver malware to a pacemaker and make changes remotely. It can kill somebody by heart attack, and the real cause might never be known. Imagine someone altering medical data like blood type or medicine doses in a patient profile within an EMR, leading to a catastrophic end for that person. When this is done on a mass scale within a digitalised medical care system, a catastrophe is inevitable. Hence, healthcare systems, electronic medical record systems and medical devices need to be protected to save lives.

 

Acknowledging that we have limited cybersecurity expertise, a lack of regulatory frameworks, low awareness among policy makers and dilapidated systems, especially in government institutions, it is not too late to take steps to secure these infrastructures. Recent experience from other low- and middle-income countries shows that good results can be achieved if the right policies and technologies are in place. If Rwanda, with a lower per capita income than Nepal, can have a National Cybersecurity Authority to oversee critical infrastructure across all sectors and carry out cyber drills, Nepal can do it too.

 

The measures should start at the government level. A comprehensive national cybersecurity policy should be developed and implemented with a primary focus on critical infrastructure. This should eventually be extended to all levels of government entities and the private sector. Here, establishing a national CERT (Computer Emergency Response Team) is the first step. The CERT monitors potential threats, responds to cyber incidents and coordinates across sectors to contain the threat, manage the vulnerability and take the steps required to prevent such events in the future. It can also conduct awareness programmes and train employees and other stakeholders for better preparedness. Typically, a CERT has a cross-functional team consisting of incident managers, a technical lead, forensics analysts and legal experts, among others. However, with cyber threats growing bigger and more complex, there might be scope for AI experts, digital psychologists or people with other skill sets who can adapt to the changing nature of threats. I am convinced that Nepal does not have all these experts yet. Some institutions have recently started degree programmes in cybersecurity, but until they have gained expertise and the government has trained an in-house pool of experts, many things will happen in the world. A cyber incident will not wait until the experts are ready, quite the contrary. Nepal's insecure infrastructure will be low-hanging fruit for the hackers. The good news is that the international community, especially the tech industry, can help. Speaking at the World Economic Forum in Davos, Switzerland, Satya Nadella, the CEO of Microsoft, shared stories of how Microsoft helped Ukraine migrate its digital infrastructure, especially critical public sector data, to Microsoft's cloud, Azure, both before and after the war. So, the Nepalese government should reach out to the global tech industry to get its help in securing critical infrastructure for now.

 

Within the government-level cybersecurity strategy, a legal and regulatory framework should be built, aiming to enforce security standards, mandate the reporting of cyber incidents from the private and public sector, however small or big they are, and introduce penalties for non-compliance. The government can adopt international standards like ISO/IEC 27001 for robust information security management. A GDPR-like data handling policy is essential for public sector data. It can be extended to the private sector too.

Some work has been done in the past, including the establishment of Nepal CERT (National Computer Emergency Response Team). Such institutions should be upgraded to an around-the-clock rapid response force for security crises.

 

Furthermore, the implementation of zero trust architecture is increasingly common in countries around the world, and Nepal can adopt it immediately. A Zero Trust policy ('Never Trust, Always Verify') can help identify anomalies and suspicious behaviour. When a staff member working with critical infrastructure logs in from a new device in an unusual location and accesses classified files or syncs a large amount of data, it can be a sign of a malicious act. A malicious-action detection engine or an AI tool can be implemented to delay the process so that the suspicious action can be reviewed by a second person or a higher authority before a breach or attack occurs. For everybody who has been security cleared to access critical infrastructure IT systems, SMS-based authentication codes and device push notification codes should no longer be permitted. They can be tapped or bypassed, and a person can also be socially engineered into handing over the codes. To the best of my knowledge, push notifications and SMS-based verification are still widely used in at least some parts of Nepal's critical infrastructure. Internationally, the gold standard in this regard is FIDO2/WebAuthn hardware security keys. Public key infrastructure (PKI) relies on asymmetric cryptography and can protect against remotely executed credential harvesting. In addition, platform authenticators are also widely used on corporate devices. Their secure enclaves combine the user's biometrics with device possession, where the biometrics are stored locally on the chip, making them as robust as external hardware keys.
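As an added illustration that is not part of the original article, the Python below encodes the access policy this paragraph describes: authenticators other than FIDO2 keys or platform authenticators are rejected outright, and a session in which a new device, an unusual location, classified access or a bulk sync coincide is held for a second person to review. The field names, thresholds and the sample baseline are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Only phishing-resistant authenticators satisfy MFA here; SMS codes and
# push approvals are rejected, as the paragraph argues.
PHISHING_RESISTANT = {"fido2_key", "platform_authenticator"}
BULK_FACTOR = 10      # a sync above 10x the user's baseline counts as bulk
HOLD_THRESHOLD = 2    # this many coinciding anomalies triggers a hold

@dataclass
class AccessEvent:           # one login/access event (constructed fields)
    user: str
    device_id: str
    country: str
    mfa_method: str
    accessed_classified: bool = False
    bytes_synced: int = 0

@dataclass
class UserBaseline:          # what is normal for this account
    known_devices: frozenset
    usual_countries: frozenset
    typical_sync_bytes: int

def risk_signals(ev: AccessEvent, base: UserBaseline) -> list:
    """List the anomaly indicators present in one event."""
    signals = []
    if ev.device_id not in base.known_devices:
        signals.append("new_device")
    if ev.country not in base.usual_countries:
        signals.append("unusual_location")
    if ev.accessed_classified:
        signals.append("classified_access")
    if ev.bytes_synced > BULK_FACTOR * base.typical_sync_bytes:
        signals.append("bulk_sync")
    return signals

def decide(ev: AccessEvent, base: UserBaseline) -> tuple:
    """Return (verdict, reasons): 'deny' on non-phishing-resistant MFA,
    'hold' for a second approver when anomalies coincide, else 'allow'."""
    if ev.mfa_method not in PHISHING_RESISTANT:
        return "deny", ["weak_mfa:" + ev.mfa_method]
    signals = risk_signals(ev, base)
    if len(signals) >= HOLD_THRESHOLD:
        return "hold", signals
    return "allow", signals

# Constructed baseline for a hypothetical grid-operator account.
BASELINE = UserBaseline(frozenset({"laptop-01"}), frozenset({"NP"}), 50_000_000)
```

In a real deployment the baseline would be learned from the account's history and the "hold" verdict would route the session to the reviewing person rather than simply return a string.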

 

No matter how robust the technology is, in the end it relies on human intelligence to run. Human behavioural aspects can contribute to system compromises. Thus, everything necessary on the human level should be done to ensure healthy cyber hygiene. This can mean a wide range of cybersecurity awareness programmes at all staff levels, mandatory training for IT staff about security threats, upskilling in security certifications like CISSP, GICSP or CompTIA+, and courses on how AI can be used to secure critical infrastructure. Additionally, within the domain, there should be penetration testing units whose job is to find and exploit vulnerabilities and report them to the organisation so that they can be fixed before nefarious external actors exploit them. A bug bounty programme can be launched where even external people can find vulnerabilities and report them to earn a bounty. This is a usual practice in private industry in the West. Apple Inc., for example, launched a bug bounty programme where anyone can find a bug in Apple's infrastructure and report it. One can be rewarded with anything from several thousand dollars to millions, depending on the severity of the bug. In this way, well-intentioned testers can test the system and receive financial reimbursement. Apple can then patch the system, which makes Apple's devices and services safer for the end user, a win-win situation. Nepal's private and public sector can learn from and implement this policy.

 

Cyber warfare is real, and we will certainly face security incidents. It is not a matter of if, but when. That we have not yet faced a major incident does not mean we can neglect securing our critical infrastructure. The threat has grown more advanced, more complex and more ambiguous, so the need to act now is vital for public safety. Small steps such as creating a threat monitoring system, building a back-up system and maintaining the integrity of that back-up system, coupled with the policies discussed in this article, can help us secure critical infrastructure. They can improve our ability to limit the extent of loss and recover from hostile events. This article only touches the topic at a surface level. A more detailed and comprehensive approach is needed to secure and maintain critical infrastructure.

