The critical infrastructure of the United States includes all those systems and assets that are essential to the proper functioning, economy, health, and safety of American society. The roads and railways that we travel on; the Internet and the mobile networks that connect us; the water that we drink; the healthcare, financial services and security that we depend on; and the electricity that lights our world — essentially, all we consider vital for our routine lives relies on the critical infrastructure that supports these sectors.
So, what happens if this critical infrastructure becomes the target of a planned cyber disruption? Life as we know it could come to a halt. Such cyber attacks could have grave implications whether they threaten citizens’ lives or a state’s sovereignty.
What Makes Critical Infrastructure So Vulnerable?
There are 16 major sectors considered critical by the Department of Homeland Security (DHS). Despite the increasing digitization, most sectors still rely heavily on legacy systems. This presents threat actors with a unique opportunity to bank on the vulnerabilities of decades-old infrastructure components.
In addition, a significant portion of the U.S. critical infrastructure is owned and operated by the private sector. This means that cybersecurity can become less of a priority than maximizing corporate profits. Most companies also outsource functions that are not part of their core competencies. This results in a complicated mesh of technologies and services, an increased attack surface, and a loss of visibility and control. For smaller companies, the lack of budget and cybersecurity expertise is yet another issue.
Importance of Threat Prevention in Critical Infrastructure Sectors
Security experts have repeatedly warned about the possibility of Supervisory Control And Data Acquisition (SCADA) attacks that can cause complete blackouts and worse. Advanced Persistent Threat (APT) hacker groups have become a virtual extension of nation-states' military forces because of the potential damages and chaos caused by successful critical infrastructure cyber attacks.
There has been no shortage of cyber attacks launched due to issues escalating between states. NotPetya is a notorious example of how a state-sponsored cyber attack can completely debilitate a transportation giant.
Now, imagine a ransomware attack crippling the production systems of a pharmaceutical company responsible for manufacturing critical medication and equipment in the middle of the pandemic. The consequences could be devastating.
Recent Cyber Attacks on Critical Infrastructure Sectors
On April 8, 2020, DHS, the Cybersecurity & Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) released an alert warning about the numerous security incidents in which APT threat actors have targeted the critical infrastructure of healthcare bodies, pharmaceutical companies, medical research organizations and universities following the onset of the COVID-19 pandemic.
Despite stealing much of the spotlight in the past year, healthcare has not been the most targeted critical infrastructure sector in the United States. State-sponsored hackers continue to probe U.S. power companies in the hopes of causing blackouts across the country. In March 2019, for instance, attackers leveraged a firewall vulnerability to create blind spots for a company’s power grid operators for almost 10 hours. The impact could have been worse.
In February 2021, hackers compromised the water plant of a small Florida city to raise the level of sodium hydroxide to 11,100 parts per million, a dangerously high level. Luckily, the attack was detected. Also in February 2021, DHS confirmed a ransomware attack against the critical infrastructure of a natural gas compression facility. The attacker used spear phishing to access the organization’s IT and OT networks, causing the facility to shut down for two days.
A similar spear-phishing tactic was previously used in other country-wide attacks that targeted employees with privileged access to critical controls of several nuclear plants including the Kansas-based Wolf Creek Nuclear Operating Corporation.
Addressing the Cyber Threats
Preventing attacks and protecting critical infrastructure requires a dynamic security perimeter around Industrial Control Systems, SCADA systems and the IT and OT networks that connect them, as well as around the employees and operators who use them. These sophisticated threats necessitate a layered, risk-based approach to cybersecurity.
Organizations operating in critical sectors need to invest in risk management products and plans. To deal with sophisticated threats, adopting the NIST framework — Identify, Protect, Detect, Respond, Recover — is vital. Continuous monitoring and conducting frequent vulnerability assessments are also imperative to stay ahead of APT threat actors.
Employees play a critical role in the prevention of cyber threats. Keeping them up-to-date on the threat landscape and equipping them with the right cybersecurity tools and technologies is paramount. This particular point also highlights the importance of sharing threat and incident information with other government and private organizations operating in the critical sectors. Forewarned is forearmed; organizations can better prepare for cyber threats that are known and understood.
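One concrete piece of the "Detect" and continuous-monitoring layer described above is a check on operator setpoint changes in an OT audit trail, which is the kind of control that would have surfaced the out-of-range sodium hydroxide setpoint in the Florida water plant incident. The following is an added example written for this article, not code from the author, Tripwire, or any plant vendor. The log format, tag names, safe ranges, account list and log lines are all constructed for illustration; a real deployment would read the HMI or historian's own audit export and take its operating envelopes from the process engineers.

```python
"""Setpoint-change monitor for an OT/SCADA audit trail (added example, not from the article).

Flags three things a defender wants to know about a setpoint write:
  1. the new value is outside the engineered safe range for that tag,
  2. the change is a large step relative to that range (even if the value lands in range),
  3. the write came from an account that is not an approved operator account.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical safe operating envelope per process tag, in engineering units.
# These numbers are constructed for the example, not taken from any real plant.
SAFE_RANGE = {
    "NaOH_ppm": (0.0, 500.0),     # sodium hydroxide dosing setpoint
    "PUMP1_rpm": (0.0, 1800.0),   # chemical feed pump speed
}
MAX_STEP_FRACTION = 0.5           # flag any single change larger than 50% of the tag's range
ALLOWED_USERS = {"op_shift1", "op_shift2"}   # approved operator accounts (constructed)

# Constructed audit-line format: "<timestamp> user=<acct> tag=<tag> old=<v> new=<v>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tag=(?P<tag>\S+) old=(?P<old>[-\d.]+) new=(?P<new>[-\d.]+)$"
)


@dataclass
class Change:
    ts: str
    user: str
    tag: str
    old: float
    new: float


@dataclass
class Alert:
    change: Change
    reasons: List[str]


def parse_line(line: str) -> Optional[Change]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Change(m["ts"], m["user"], m["tag"], float(m["old"]), float(m["new"]))


def check_change(c: Change) -> List[str]:
    """Return the list of reasons this change is suspicious (empty if it looks routine)."""
    reasons = []
    if c.user not in ALLOWED_USERS:
        reasons.append("unapproved_account")
    rng = SAFE_RANGE.get(c.tag)
    if rng is None:
        reasons.append("unknown_tag")
        return reasons
    lo, hi = rng
    if not lo <= c.new <= hi:
        reasons.append("out_of_range")
    if abs(c.new - c.old) > MAX_STEP_FRACTION * (hi - lo):
        reasons.append("large_step")
    return reasons


def scan(lines) -> List[Alert]:
    """Run every parseable audit line through check_change; skip malformed lines."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        reasons = check_change(c)
        if reasons:
            alerts.append(Alert(c, reasons))
    return alerts


# Constructed sample audit trail: an out-of-range write from an unexpected account,
# a routine pump adjustment, the operator's corrective write, and one malformed line.
SAMPLE_LOG = """\
2021-02-05T13:25:01Z user=remote_tv tag=NaOH_ppm old=100.0 new=11100.0
2021-02-05T13:26:10Z user=op_shift2 tag=PUMP1_rpm old=1200.0 new=1250.0
2021-02-05T13:27:30Z user=op_shift2 tag=NaOH_ppm old=11100.0 new=100.0
this line is not an audit record
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        c = a.change
        print(f"{c.ts} {c.user} {c.tag} {c.old} -> {c.new}: {', '.join(a.reasons)}")
```

Running the block prints two alerts: the first write is flagged on all three checks, and the operator's corrective write is still flagged as a large step, which is deliberate, since a large correction is itself evidence that something went wrong and belongs in the incident timeline. In practice the range and step thresholds should come from the process safety documentation, and the alert should be forwarded to the same SIEM or SOC workflow that handles the IT side so that the OT and IT views are not siloed.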
The Government Plans to Protect U.S. Critical Infrastructure
CISA identified critical infrastructure as a prime target of the massive SolarWinds hack that was disclosed earlier this year. The true scale of its impact is still unknown. The attack could have exposed systems and information that could potentially cause wide-scale disruptions in the future. Following the attack, CISA, the NSA and the FBI urged all organizations and cybersecurity stakeholders to patch publicly known vulnerabilities, especially those being actively targeted by nation-states and state-sponsored hackers.
The Biden Administration has also just recently launched a comprehensive cybersecurity initiative to protect U.S. critical infrastructure from various threat actors, especially state-sponsored APT groups. As a starting point of the campaign, the Department of Energy announced a 100-day plan to improve the cybersecurity posture of the energy sector. The plan includes some much-needed milestones for modernizing cybersecurity measures including prevention, detection, response and forensic capabilities. Other critical infrastructure sectors are also likely to follow suit.
Other measures and orders are expected to be executed in the coming weeks and months. For example, the government may make it mandatory for federal contractors to preserve records and bills for the software components sold to the U.S. government. They may also be required to disclose cyber incidents, produce records and further cooperate with CISA and FBI for the investigation of any cyber incidents. Finally, the cybersecurity initiative may also necessitate advanced cybersecurity strategies like multi-factor authentication and encryption for data in transit and data at rest.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.