As society emerges from the global COVID-19 pandemic, one thing is true: we are living in an age of accelerated digital transformation. This high-tech progression is wonderful for maintaining human connections and increasing efficiency and sustainability with more people working from home and fewer commuters on the road.
However, this digital transformation also significantly increases our reliance on technology and data, creating opportunities for greater cyberattacks – with critical infrastructure being the most vulnerable. This ever-evolving advancement calls for higher proactive efforts to protect critical infrastructure systems, like water processing, energy networks, and fuel pipelines. Cyberattacks on national critical infrastructure not only pose risk to economic security and infrastructure assets, but also impact public safety and health.
In short, critical infrastructure’s lack of cyber security is a national security risk.
The biggest challenge is that 85% of critical infrastructure is privately owned. There is no enforcement, incentivization, or penalization for not being cyber secure, which is concerning since most of these privately owned companies deliver vital services to the public.
In May of this year, Colonial Pipeline, the largest refined products pipeline in the U.S., which also delivers almost half of the diesel and gasoline consumed on the East Coast, was forced to shut down due to a cyber attack. “Depending on the duration, the supply shock could leave the region with widespread fuel shortages,” said Michael Tran, RBC Capital’s director of Global Energy Strategy.
In February 2021, a hacker was able to access the water supply and change the toxicity level of the drinking water at a facility that treats water for about 15,000 people near Tampa, Florida. This cyber-attack happened not once, but twice. The potential consequences of a successful attack of this nature could have been catastrophic and potentially life-threatening to the local community.
The question is – how vulnerable are we as a society in the face of critical infrastructure cyber attacks?
The gas and water sectors are just two of many critical infrastructure industries that are at risk. A prolonged and widespread cyber attack on the energy sector would cause repercussions to other essential sectors including medical, public transportation, banking services, and even logistics like food supply chains.
Cybersecurity must become a priority for the critical infrastructure industry. Improving the cybersecurity of our infrastructure not only addresses the fortification of our national security, but also the continued health of our communities.
In the past five years, cyber threats and ransomware attacks have spiked, especially throughout the COVID-19 pandemic due to more services moving parts of their business online. Unlike in the past, these cyber threats appear to be more directed at destruction than at criminal activity for monetary profit. This comes as no surprise, with geopolitical tensions rising and hackers having additional access to evolving technology.
Historically, we’ve looked at cyber threats and hackers as binary: when defending against them, we must be right all the time, but the hacker only needs to be right once. The new way of thinking, also known as zero trust, assumes that hackers will always get in, and that we must learn to operate securely in a hostile or compromised environment. It’s like building a commercial ship: you design it to operate even if the hull has been breached.
The Department of Defense (DoD) mandates strong cybersecurity practices and information sharing. That requirement does not currently exist within critical infrastructure. The critical infrastructure industry must follow the DoD model for minimum security standards and must be regularly held accountable through auditing and enforcement.
The cyber threat is not new but it is rapidly evolving and the industry must accept that legacy security models are no longer adequate. We must adapt. In order to do so, it’s important to explore the hindrances that define the current state of affairs.
Reliance on industry to self-perform security without proper incentive and directive has resulted in inactivity. In addition, the private sector’s access to the tools needed to identify and prevent these attacks is limited by legal and administrative constraints. Lastly, the government’s capabilities are dispersed across various agencies and departments, which adds to the complexity of the current environment.
What is needed is an elected senior-level position that can effectively coordinate and exercise operational control. A National Cyber Strategy focused on offensive cyber to shape opponents’ risk calculations should be established, and an executive Chief Information Security Officer (CISO) should be appointed, whether at the cabinet level or as head of the Cybersecurity and Infrastructure Security Agency (CISA).
Any investments in modernizing critical infrastructure must make cybersecurity mandatory, especially as the U.S. administration considers a new infrastructure bill. There will never be enough money to fully secure our infrastructure, but increased accountability and partnership will help. We don’t have a choice. The threat is real and it is here.