Protecting Critical Infrastructure From Cybersecurity Threats
Cyberthreats on critical infrastructure have already occurred in the U.S. It’s time to take action to secure networks before it’s too late.
If you want to see the future of warfare, look to Ukraine. Two days before Christmas in 2015, a massive cyberattack on an electricity generation station in Western Ukraine knocked out power for 250,000 people in the region—the first confirmed hack to take down a power grid. Exactly one year later, attackers struck again, this time taking out Ukraine’s national grid operator Ukrenergo, causing blackouts across a large chunk of the Ukrainian capital Kyiv. While Kyiv’s power remained out barely one hour, subsequent research demonstrated the 2016 attackers’ real objective was to cause widespread physical damage to Ukraine’s grid, something which could have knocked power out for months on end. In the dead of winter, this could have been catastrophic.
It’s not just Ukraine, though. Last March, the first Western electricity infrastructure—a part of the transmission grid in Utah, Wyoming and California—was also knocked out. And widespread reports of hackers penetrating and mapping Western power grids—perhaps laying the groundwork for future attacks—have also been documented.
While cyber defenders traditionally have concentrated on threats to organizations’ IT networks, the real threat to critical infrastructure operators are their operational technologies (OT)—the complex industrial control systems used to manage the generators, pumps, valves and other equipment used to run factories, power and water utilities, trains, oil refineries, ports, chemical plants and other industrial assets. Historically, the OT remained separated, or “air-gapped,” from the internal IT networks connected to the internet; however, this is now changing dramatically.
As organizations seek to leverage AI and big data analytics to drive efficiencies in their operations through “smart networks,” IT and OT networks are converging. In a word, these complex industrial control systems are now connected to the internet, making them vulnerable to hacking. Because many of these industrial control systems were not designed with cybersecurity in mind, it’s not surprising they draw hackers’ attention when these older systems are connected to the internet. Throw in the exponential growth of the internet of things (IoT), and it’s clear the threat vector faced by critical infrastructure operators has grown substantially.
Securing Critical Infrastructure
While it’s tempting to bury our heads in the sand and hope for the best, that would be a huge mistake. If you’ve ever felt helpless and frustrated when you lose power for only a few hours, imagine the effects on society if the lights were out months. This isn’t just sum of all fears stuff. Cyber experts now worry about a catastrophic “Cyber 9-11” on critical infrastructure such as power plants that could bring wealthy Western democracies to their knees. In sum, its time the West realizes the dire threat it faces to its critical infrastructure.
Luckily, there are steps we can take to combat the threat to our critical infrastructure. For starters, critical infrastructure operators need to look at their IT and OT networks holistically and create a comprehensive map of all assets—hardware and software—connected to the internet, including their industrial control systems.
If security teams cyber-map their enterprise’s assets, they can take steps to mitigate risks, particularly if they adopt a “zero-trust” strategy. This means looking at every device in their networks and quantifying the risk of it being breached, as well as the harm a successful attack might cause. Reducing the threat will, at a minimum, require adjusting many employees’ privileges such as administrative authorities or access to data. It may even mean completely disconnecting some industrial control systems from the IT network. If people yell and complain about these steps, it’s a good sign the chief information security officer is doing their job well.
Also, critical infrastructure operators should act quickly to implement customized cyber solutions for their ICS-OT. It’s important when purchasing an ICS-OT solution that organizations first make a complete inventory of all the industrial control systems they use, then ensure that the solution supports all of the models, protocols and firmware used in their enterprise. Luckily, the top ICS-OT vendors take a protocol rather than a vertical-centric approach in designing their solutions so that security teams can make these comparisons.
Although implementing these first three steps will reduce risk, cybersecurity should never be viewed as something to “set and forget.” In a rapidly changing cyber environment, new threats can quickly emerge. For this reason, critical infrastructure security teams should continuously seek to identify new risks. Penetration testing, wherein outside consultants act as black-hat hackers, can help security teams identify risks. In addition, several cybersecurity startups now offer easily installed AI-based solutions that continuously probe networks for vulnerabilities, enabling security teams to identify and patch new vulnerabilities in real time.
Finally, every organization, whether critical infrastructure or not, should implement comprehensive security awareness and training programs for their employees. While it’s natural to think of cyberthreats as technical challenges that can be defeated by even better technical solutions, a 2017 report revealed that over 43% of data breaches last year relied on social attacks such as phishing or watering holes. The number of attacks that could be thwarted simply by training employees not to click on links or attachments of unknown origins is massive.
To be clear, even implementing all these steps isn’t a panacea, and well-resourced nation states retain the ability to overwhelm even the best defenses. Nevertheless, by hardening our critical infrastructure, we can at least reduce the likelihood of a catastrophic Cyber 9-11. It’s time to do so now.
This article was co-authored by Tamar Shlimak, director of Cyber and Fintech at the Government of Israel’s Economic Mission in New York City.
Pingback: Network Infrastructure Security: An Underserved Market - Security Boulevard