Critical Infrastructure’s Massive Cyber Risk
We are living in an age of accelerated digital transformation. This high-tech progression is wonderful for maintaining human connections and increasing efficiency and sustainability as people continue working, networking, and celebrating remotely.
However, this digital transformation also significantly increases our reliance on technology and data, creating opportunities for greater cyberattacks – with critical infrastructure being the most vulnerable. This ever-evolving advancement calls for greater proactive efforts to protect critical infrastructure systems like water processing, energy networks, and fuel pipelines. Cyberattacks on national infrastructure threaten economic security and infrastructure assets and impact public safety and health.
In short, critical infrastructure’s lack of cyber security is a national security risk.
The biggest challenge is that 85% of critical infrastructure is privately owned. There is no enforcement or incentive to be cyber secure, and no penalty for failing to be. This is very concerning since most of these privately owned companies deliver vital services to the public.
In February 2021, a hacker was able to access the water supply and change the toxicity level of the drinking water at a facility that treats water for about 15,000 people near Tampa, Florida. This cyber-attack happened not once but twice. The potential consequences of a successful attack of this nature could have been catastrophic and potentially life-threatening to the local community.
In May 2021, the Colonial Pipeline, the largest refined products pipeline in the U.S., which delivers almost half of the diesel and gasoline consumed on the East Coast, was forced to shut down due to a cyber-attack. “Depending on the duration, the supply shock could leave the region with widespread fuel shortages,” said Michael Tran, RBC Capital’s director of Global Energy Strategy.
The question is – how vulnerable are we as a society in the face of critical infrastructure cyber-attacks?
The gas and water sectors are just two of many critical infrastructure industries at risk. A prolonged and widespread cyber-attack on the energy sector would have repercussions for other essential industries, including medical, public transportation, banking services, and even logistics such as food supply chains.
Cybersecurity must become a priority for the critical infrastructure industry. Improving the cybersecurity of our infrastructure fortifies our national security and protects the continued health of our communities.
Cyber threats and ransomware attacks have spiked in the past five years, especially throughout the COVID-19 pandemic, due to more services moving parts of their business online. However, unlike in the past, these cyber threats appear to be more directed at destruction rather than criminal activity for monetary profit. This is no surprise with geopolitical tensions rising and hackers having additional access to evolving technology.
Historically, we’ve looked at cyber threats and hackers as binary: when defending against them, we must be right all the time, but the hacker only needs to be right once. A new way of thinking, also known as zero trust, assumes that hackers will always get in, and we must learn to operate securely in a hostile or compromised environment. It’s like building a commercial ship: you design it to work even if the hull has been breached.
The Department of Defense (DoD) mandates strong cybersecurity practices and information sharing. However, that requirement does not currently exist within critical infrastructure. The critical infrastructure industry must follow the DoD model for minimum security standards and be regularly held accountable through auditing and enforcement.
The cyber threat is not new, but it is rapidly evolving, and the industry must accept that legacy security models are no longer adequate. We must adapt. It’s important to explore the hindrances that define the current state of affairs.
Reliance on industry to self-perform security without proper incentive and directive has resulted in inactivity. In addition, the private sector’s access to the tools needed to identify and prevent these attacks is limited by legal and administrative constraints. Lastly, the government’s capabilities are dispersed across various agencies and departments, which adds to the complexity of the current environment.
In March 2020, a U.S. information technology company, SolarWinds, was targeted by a cyberattack that went undetected for several months. SolarWinds provides services to government agencies such as DHS, DOE, NNSA, NASA, some areas of the Pentagon, and the U.S. Treasury. Major organizations like Microsoft, Cisco, and Intel were also attacked in this hack, which no one saw coming. Consequently, it went undetected for many months. The very nature of this attack meant that securing networks again took immense time, effort, and resources.
In response, the Department of Homeland Security (DHS) is investigating these attacks to bolster cyber protection. In May 2020, the Cyber Safety Review Board (CSRB) was created to determine the fallout of the SolarWinds attack on government agencies and how Critical Infrastructure industries must protect their networks from growing vulnerabilities.
The CSRB comprises fifteen cyber leaders from government and Critical Infrastructure. According to Katie Moussouris, founder of Luta Security and one of the members of CSRB, “It [is] instrumental [to] strengthen our resilience in the face of cyber incidents that affect public and private sectors with increasing frequency.”
One positive outcome of this massive attack is the renewed need for the U.S. government and Critical Infrastructure industries to pull together their resources and fight attacks happening now and in the future. When resources are pooled, changes in cybersecurity create new ways to get out in front of cyberattacks. As the cliché goes, it isn’t a matter of if. It’s a matter of when.
Any investments in modernizing critical infrastructure must make cybersecurity mandatory, especially as the U.S. administration continues to roll out the new infrastructure bill passed in late 2021. There will never be enough money to secure our infrastructure fully, but increased accountability and partnership will help. Unfortunately, we don’t have a choice. The threat is real, and it is here.