In October 2017, the FBI and Department of Homeland Security (DHS) released a joint statement warning of Advanced Persistent Threats (APT) aimed at the critical infrastructure.
While that warning addressed a specific APT campaign that used phishing to trick employees into downloading malware, the cybersecurity risk to the critical infrastructure is broader. According to an Accenture survey, 76 percent of respondents say there is at least a moderate risk to our electric grid, with more than half worried that a cyberattack would cause a serious disruption in power supplies.
Remember the 2003 blackout across the Northeast? People from Cleveland to New York City were in the dark for days. Now, imagine what it would be like if someone successfully attempted a cyberattack on that same grid.
“There’s a new paradigm going on; we are seeing extremely sophisticated attacks that are able to easily exploit the legacy technology and systems used by critical infrastructure,” said James Heinzman, EVP of financial services solutions for ThetaRay. “If there is a breach of an electrical grid or nuclear facility, it could be catastrophic.”
Defining the Critical Infrastructure
What counts as the critical infrastructure depends on the industry you’re in. To someone in the financial industry, for instance, the critical infrastructure might mean credit card systems and online banking operations. For this piece, however, we’ll use the broader scope defined by DHS: “Overall, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
“Given the breadth of this definition, critical infrastructure is at risk of attack against all three categories of cybersecurity risk: confidentiality, integrity and availability,” explained Grant Shirk, VP of Marketing at Vera, a security platform company.
“Much of the focus in the media is on protecting the availability of these services: what happens if the grid goes down, or connectivity is lost to critical services,” he added. “However, attacks on the integrity of these services will become a bigger challenge as actors seek to influence how data-driven decisions are made (like the recent political ad scandals on social media, but on health care and energy grid data).”
Vulnerabilities Within the Infrastructure
As with any other network infrastructure, the risk comes from attackers knowing where the fault lines are, and the critical infrastructure is no different. The APT campaign mentioned earlier spread through phishing emails, and phishing works because employees fall for the lure. Critical infrastructure is also exposed to rogue or unaware insiders who leave corporate assets unprotected.
“Perhaps more interesting are risks in the supply chain, which are a huge concern for critical infrastructure,” said Jake Olcott, former legal advisor to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security Committee, and current VP at BitSight. “This includes the software and hardware providers that organizations rely on in addition to their service providers.”
Speaking of software, many of today’s cyberattacks focus on unsupported and/or unpatched software. Is this an area of risk for the critical infrastructure?
It can be, Olcott explained. Infrastructure operators often have different acquisition cycles, so upgrades to their network architecture run on different timelines than typical IT upgrades, and operational technology (OT) has a longer lifecycle than IT equipment.
“Patching and updating systems is an added cost, and regulated utilities must have this approved by regulators, either on the state or local level, to authorize additional spending and raised rates for consumers,” Olcott said.
In addition, many organizations within the critical infrastructure run on legacy systems that are no longer supported, and patching such systems can itself cause business disruption. “Oftentimes, critical infrastructure organizations try to be reliable and resilient in terms of their production, and addressing vulnerabilities in their systems could result in unintended consequences to the reliability of such production systems,” Olcott added.
Challenges in Protection
The challenge in protecting the critical infrastructure from cyber threats is twofold, according to Shirk. First, the complexity and diversity of the infrastructure means covering and supporting an immense breadth of tools, platforms and applications, and there is a delicate balance between keeping systems updated and keeping them resilient and running.
“The second aspect of this challenge is one of focus,” said Shirk. “So much investment is being made in the availability of these resources that risks to the confidentiality and integrity of the data that supports these services get triaged at a much lower priority. These services need to protect access to core data and establish a clearer way to trust actors manipulating that data.”
Solutions for Improving Cybersecurity
Despite the challenges and the vulnerabilities, the critical infrastructure in the United States has, so far, avoided a major cyberattack. Because the different organizations within the critical infrastructure are owned and operated by different entities, many in the private sector, each organization is responsible for its own security and protections. That fragmentation is, perhaps, a built-in safeguard: it would likely take multiple coordinated attacks, rather than one, to create a nightmare scenario. That isn’t to say it won’t happen, of course, and the critical infrastructure has to be prepared for any potential threat.
“We need to make sure we’re not outgunned, and that we have the best defense possible,” said Heinzman. “Our water, power and other infrastructure must be protected, and we must equalize the battle and turn the tables.”
Detection should make use of machine learning, which flags threats by spotting anomalies in the data rather than relying on predefined signatures and rules, and so can catch activity that no existing rule describes. The caveat is that anomaly detection is only as good as the baseline it learns from and will raise false alarms when normal operations change, so it complements signatures rather than replacing them. We also need stronger regulations and information sharing.
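To make the signature-versus-anomaly contrast concrete, here is an added example (written for this piece, not code from the article or from any vendor quoted in it). It parses constructed log lines in a hypothetical SCADA-gateway format, runs a rule-based check against a constructed indicator list, and then compares a live window against a learned per-host baseline of Modbus operations and event volume. The log format, host addresses, indicator names and thresholds are all assumptions for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Hypothetical gateway log format (constructed for this example):
# "<timestamp> src=<ip> fc=<modbus function> addr=<register> [file=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) fc=(?P<fc>[A-Z_]+) addr=(?P<addr>\d+)"
    r"(?: file=(?P<file>\S+))?$"
)

# Constructed baseline window: two HMI hosts that only read registers and one
# engineering workstation (10.0.5.20) that writes a single register. In practice
# the baseline would be learned over days or weeks of traffic, not eight lines.
BASELINE_LOGS = """\
2017-10-20T08:00:01 src=10.0.5.10 fc=READ_HOLDING addr=100
2017-10-20T08:00:02 src=10.0.5.10 fc=READ_HOLDING addr=101
2017-10-20T08:00:03 src=10.0.5.11 fc=READ_HOLDING addr=100
2017-10-20T08:00:04 src=10.0.5.11 fc=READ_INPUT addr=300
2017-10-20T08:00:05 src=10.0.5.20 fc=WRITE_SINGLE addr=200
2017-10-20T08:00:06 src=10.0.5.10 fc=READ_HOLDING addr=100
2017-10-20T08:00:07 src=10.0.5.11 fc=READ_HOLDING addr=101
2017-10-20T08:00:08 src=10.0.5.20 fc=READ_HOLDING addr=200
""".splitlines()

# Constructed live window: the HMI 10.0.5.11, which never wrote anything, starts
# hammering coil 7 (no indicator exists for this), and 10.0.5.10 drops a file
# whose name happens to be in the indicator feed.
LIVE_LOGS = """\
2017-10-21T03:12:01 src=10.0.5.10 fc=READ_HOLDING addr=100
2017-10-21T03:12:02 src=10.0.5.11 fc=WRITE_COIL addr=7
2017-10-21T03:12:02 src=10.0.5.11 fc=WRITE_COIL addr=7
2017-10-21T03:12:03 src=10.0.5.11 fc=WRITE_COIL addr=7
2017-10-21T03:12:03 src=10.0.5.11 fc=WRITE_COIL addr=7
2017-10-21T03:12:04 src=10.0.5.20 fc=WRITE_SINGLE addr=200
2017-10-21T03:12:05 src=10.0.5.10 fc=READ_HOLDING addr=101 file=bad_dropper.exe
""".splitlines()

# Constructed indicator list standing in for a signature feed (hypothetical name).
SIGNATURES = {"bad_dropper.exe": "constructed IOC: known dropper filename"}


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def signature_hits(lines):
    """Rule-based detection: fires only on indicators already in the feed."""
    hits = []
    for ev in parse(lines):
        if ev["file"] and ev["file"] in SIGNATURES:
            hits.append((ev["src"], SIGNATURES[ev["file"]]))
    return hits


def build_baseline(lines):
    """Learn, per source host, the (function, register) pairs it performs and
    how many events it generates in the window."""
    ops = defaultdict(set)
    counts = Counter()
    for ev in parse(lines):
        ops[ev["src"]].add((ev["fc"], ev["addr"]))
        counts[ev["src"]] += 1
    return ops, counts


def anomalies(baseline, lines, z=2.0):
    """Flag operations the baseline never saw for that host, and hosts whose
    event volume exceeds mean + z standard deviations of the baseline counts."""
    ops, counts = baseline
    vals = list(counts.values())
    threshold = statistics.mean(vals) + z * statistics.pstdev(vals)
    findings, live_counts, reported = [], Counter(), set()
    for ev in parse(lines):
        src, key = ev["src"], (ev["fc"], ev["addr"])
        live_counts[src] += 1
        if key not in ops.get(src, set()) and (src, key) not in reported:
            reported.add((src, key))
            findings.append((src, f"novel operation {ev['fc']} addr={ev['addr']}"))
    for src, n in live_counts.items():
        if n > threshold:
            findings.append((src, f"volume spike: {n} events vs threshold {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(LIVE_LOGS))
    print("anomalies:", anomalies(build_baseline(BASELINE_LOGS), LIVE_LOGS))
```

Run as written, the signature pass reports only the dropped file on 10.0.5.10 and says nothing about the coil writes, while the baseline comparison flags 10.0.5.11 twice: once for an operation it had never performed and once for a volume spike. The flip side is visible in `build_baseline`: if the engineering workstation's legitimate writes had not been in the training window, they would be reported as novel too, which is the false-positive cost the text's caveat refers to.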
“The risk of an attack on critical infrastructure is not a people issue,” said Olcott. “We have no leverage in this situation. To understand the problem, organizations must be able to measure their risk and monitor it continuously.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba