How phishing resistant authentication can secure critical infrastructure from cyber threats

In my new blog post, I examine the critical infrastructure sector. This sector is becoming an increasingly common target of cyberattacks around the world. I will demonstrate how phishing-resistant authentication can effectively protect these facilities. Finally, I will show you the innovative, technologically advanced authentication solutions that Swissbit offers to protect digital identities.

The number of cyberattacks on critical infrastructure facilities is increasing worldwide According to the European Repository of Cyber Incidents, reported security incidents on critical infrastructure have surged by 668% since 2022. In the last year, 56% of global gas, wind, water, and solar utilities reported at least one cyberattack. In addition, 54% of utilities worldwide expect an attack on critical infrastructure in the next 12 months, according to a recent study on the resilience of critical infrastructure worldwide.

In Germany too, the number of cyberattacks on critical infrastructure increased by over 40% in 2024 compared to previous years. A total of 769 incidents were reported to the Federal Office for Information Security (BSI). These cyber security incidents are attributable to both non-state and state actors.

The United Nations Office for Disaster Risk Reduction (UNDRR) defines critical infrastructure as follows: “The physical structures, facilities, networks and other assets that provide services essential to the social and economic functioning of a community or society.”

The BSI defines critical infrastructure for Germany as follows: “Critical infrastructures (KRITIS) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences.”

The following sectors are also defined as critical infrastructure by the BSI:

• Energy
• Information Technology and Telecommunications
• Transport and Traffic
• Health
• Media and Culture
• Water
• Food
• Finance and Insurance
• Municipal Waste Management
• Government and Administration

As shown by the listed sectors, critical infrastructures encompass almost all areas of our everyday social and individual lives. They affect the continuous supply of energy, food, and water, as well as stable IT and telecommunications. Finally, they affect the healthcare sector, in which hospitals play a pivotal role. The worsening threat situation shows the need for action. In the past, less was invested in defending against cyber threats, especially critical infrastructure.

A recent case in Spain and Portugal also confirms this. A blackout occurred across much of the Iberian Peninsula and relatively quickly there was talk of a cyber attack, which was not confirmed. Conversely, the sectors are increasingly interconnected, defying the perception of distinct compartments. Accordingly, virtual attackers target IoT devices, which are interconnected, as well as OT systems, which control physical industrial processes. 

Regulatory requirements were established as a consequence of the increasing frequency and proliferation of attacks. Regardless of if it’s the NIS2 or the CER-Directive, which by the way aims to enhance the resilience of critical entities, such as infrastructure and services that are essential for society and the economy, against physical threats (Europe), the US PPD-21 or the Japanese Cybersecurity Basic Act: All these regulatory requirements and norms aim to strengthen the resilience against cyber attacks. And all of them demand - either directly or indirectly – strong Multi-Factor-Authentication.

Learn more: Cybersecurity: EU regulations like NIS2, RED, CRA, Data Act that companies should know now. See also: DORA: How hardware authentication can secure financial companies

To protect critical infrastructures from modern cyber threats, effective support in terms of implementation and robust hardware equipment is crucial. Swissbit can provide this support. Below are some key strategies:

1. Adopt passwordless authentication. Switch to non-password-based methods like FIDO2/Passkeys or Certificate based authentication, as passwords are vulnerable to phishing attacks.
2. Enable phishing-resistant MFA (multi-factor authentication) to ensure all users are protected.
3. Use hardware-based passkeys (Roaming Authenticator). Deploy modern authentication solutions such as FIDO security keys, like the iShield Key 2, which uses hardware-backed security to protect critical resources.
4. Implement Zero Trust architecture. Never trust – always verify: This approach verifies every access request, minimizing the risk of unauthorized access.
5. Empower and educate your colleagues through IT Security training and education. For example, employees need to recognize the characteristics of phishing emails, as they remain the most prevalent form of cyberattacks.
6. Ensure that your digital access management and your physical access management policies are in synch. Combine both methods on one device like the iShieldKey.

These strategies can significantly improve the security of facilities of critical infrastructure against evolving cyber and pyhsical threats. The latest figures from the State of Passwordless Identity Assurance Report show that these strategies are becoming increasingly popular, not just theoretical. Among other things, it states:

• For the first time in the report’s history, passwordless and FIDO-based authentication methods are gaining significant traction with 46% of respondents now utilising these secure solutions
• This adoption of phishing-resistant authentication marks a paradigm shift in cybersecurity with FIDO passkeys and hardware keys poised to become the gold standard in authentication by 2027

It is especially important to make companies, organizations, and their employees more resilient against external cyberattacks, particularly in the area of critical infrastructure. At the same time, data and digital identities must be adequately protected. Otherwise, external actors can take control of critical supply systems. To prevent access to relevant systems and data, it is essential to invest in multi-factor authentication (MFA). The long-term goal should be to create a robust, phishing-resistant authentication infrastructure that doesn't use passwords. This would not only strengthen cybersecurity but also significantly increase the cost-efficiency of the security architecture.

Good to know: Phishing remains a perennial cybersecurity threat. According to the Microsoft Cyber Digital Defense Report, phishing attacks increased by 58% in 2023, with an estimated financial impact of $3.5 billion US in 2024.

Swissbit can provide effective advice in terms of both implementation and hardware equipment. The following facts once again highlight Swissbit's position as the technological leader in hardware authentication with the new iShield Key 2 series.

• The new iShield Key 2 MIFARE is the world's first FIDO2 security key that combines digital and physical access.
• The iShield Key series supports all globally relevant protocols and standards, such as FIDO2, FIPS 140-3 Level 3, and MIFARE.
• The iShield Key 2 family forms the foundation for a Zero Trust strategy, supports MFA, and fulfills regulatory requirements through NIS2, CRA, DORA, and the U.S. executive order on cybersecurity.