Critical infrastructure is the heartbeat of America. It covers everything from shelter and agriculture, to public health and transportation. So when a cyberattack causes one of them to go down, it can have severe negative impacts on the country. This was apparent with the recent ransomware attack on Colonial Pipeline. The ransomware attack, led by Russian cybercriminal group DarkSide, caused the shutdown of vital pipeline systems across the East coast and saw Colonial Pipeline pay $4.4 million to the hacker group on the day of the attack in order to regain control of its system.
The cybersecurity concerns around critical infrastructure systems is a rising issue for the United States. In December 2020, the Department of Energy reported falling victim to the third wave of Solarwinds hacks. In March at Oldsmar, Florida a hacker was caught attempting to infiltrate the control system of the city’s water supply and raise the content of sodium hydroxide to a lethal level. But since last year, a sequence of attacks that targeted the public resource supply chains have escalated this long-existing issue to an urgent level.
The decision by the CEO of Colonial Pipeline to pay the extremely high ransom was made to avoid a national gas outage, but if the vulnerabilities within the systems sustain, this sort of decision will only encourage further attacks as hackers will pick up the pattern that life-support companies are too essential to afford a shutdown.
Critical infrastructure systems have become America’s Achilles’ heel as they are less protected, easy to break, and too important to the everyday life of American citizens. If no immediate remedy and protection are made, it is just a matter of time before the bad actors start another more damaging and deadly strike. Therefore it is important for companies operating within this space to implement practices and technologies to protect their systems and the country. Below are just a few measures that should be taken to improve the security of our critical infrastructures.
Gap the business and control systems
Some critical infrastructures choose to converge their IT-based business systems with operating technology (OT) systems, which contain hardware and software that controls physical equipment. According to research from Edith Cowen University, the convergence of IT and OT can potentially increase cybersecurity risks as the integration makes the system even harder to secure. Like the facilities, these OTs mainly were built and used decades ago with minimal renovation throughout the years. With the convergence, the outdated OT systems became a perfect weak spot where hackers can quickly gain control of both systems. Even though most companies apply high-level firewalls to their IT-based systems, this negligence can make the whole defense fall short. Therefore, it is crucial to gap the IT-based business systems with the OT-dominated control systems and make sure that those two systems are not on the same network so that if one goes down due to cyber extortion, the other is not affected. If the convergence is already adopted, make sure to build a risk management system and a response plan to cyber incidents while considering updating the current systems.
Put checks and balance systems in place
The operation of a critical infrastructure facility requires coordination among several different systems to support its operations, management and decision-making. Any delay caused by one internal disconnection can lead to a ripple effect on the whole facility. If not addressed immediately, the clog can quickly make an impact on the downstream supply chain and the public. Therefore, building stronger checks and balances systems to maintain a fast, direct and efficient approach to deal with cyber emergencies is a top priority for all critical infrastructures. This can be achieved by putting in place a 24/7 monitoring system that can control and mitigate attacks by implementing certain protocols as soon as something changes in the system or if any type of cyberattack, such as ransomware, is spotted on the network. The software will flag unusual network activity and trigger a warning to block the behavior when an external signal attempts to access files or an employee tries to reach databases outside of their usual working perimeters. Additionally, it is important that when a risk is detected it is possible and easy enough to pull the system offline, preventing it from spreading through the network.
Increase the budget on updating the infrastructure system
Most U.S. critical infrastructures are in dire need of renovation. According to research from the American Society of Civil Engineers (ASCE), the average rating of U.S. infrastructure condition is “mostly below standard,” and there is a funding gap of $2 trillion for overall critical infrastructure construction, refurbishment and maintenance needed to close by 2025. All critical infrastructure systems support the basic function of society in an indispensable way. However, because of the mixed-ownership and funding deficit, putting in place timely management and maintenance for these systems has been challenging. After years of delays, their maintenance light is now blinking red. If the deficits stay, and the goal of the funding is failed to be met, the deterioration in transition and supply of energy will gradually lead to further delay the productivity of the society and lead to about $4 trillion loss in GDP by 2025. Following Biden’s improvement plan on America’s power grid in his 100-day plan, a $1.7 trillion infrastructure bill was proposed by the white house but is now still in the debate between both parties. The longer it takes for the fund to arrive, the more likely this crumbling system will face another attack.
Additional staff training on cybersecurity
The last thing in cyber defense anyone would want is human error. Small unconscious habits such as clicking unknown email attachments or forgetting to log out of company systems can result in a company-wide data breach or successful ransomware attack. Any institution in this sector should ensure that they have sufficient controls on email spam and malicious email filterings to make sure staff don’t click on any dangerous incoming emails. It is necessary to educate staff on what to look for when it comes to suspicious emails and activities. Administrators should also take a “zero-trust” approach to cybersecurity, this means that there should always be an assumption that any device on a network could be compromised and employees are given the minimum level of access and only to data that is required to do their jobs. This approach also includes keeping more sensitive information stored in databases that require a higher level of authorization.
Cybersecurity for critical infrastructure is often neglected. The longer we debate on the best approach to handle this issue, the more likely systems will continue to fall victim to more cyberattacks. Certain steps need to be implemented to avoid further crippling attacks. While Biden’s cybersecurity executive order is a step in the right direction, companies within the critical infrastructure sectors need to take action now – be it establishing the gap between the OT and IT systems, or investing more into employee cybersecurity education programs, something needs to be done.