In June 2021, I was discussing with a colleague why, despite all the discourse about security, we continue to read about cybersecurity attacks. On that same day, the Belgian city of Liege announced that it had been the victim of a ransomware attack. During our chat, my colleague held up a golf ball and said, “This cannot be hacked.” The implication was that a closed system cannot be compromised. In actuality, it can, but the effort required is dramatically higher than for systems that have an internet connection to the outside world.
Einstein said that the definition of insanity is doing the same thing over and over and expecting different results. So, what should change? I believe there are three areas that are ripe for improvement that would make a significant difference in the battle against cyberattacks.
You Must Be This Tall to Ride This Ride
In the case of Liege and also the well-documented attack on the Colonial Pipeline, the systems were accessed through fairly simple means:
- A lack of two-factor authentication for access to critical infrastructure. We do this to access our bank accounts, and it should be in place wherever there is a significantly bigger prize, particularly when compared to my own checking account.
- Non-unique passwords. Hackers can often leverage known passwords to gain access to other network assets such as an energy grid. Passwords should be unique for every project and system.
- A lack of separation between OS and networking virtual machines. It’s imperative that the virtual machine that is running the operating system is sequestered from the one that manages the internet connection. Each machine’s security policies need to be held elsewhere so that if the network is compromised, the attacker does not gain access to the system’s ‘crown jewels.’
These three areas—using multifactor authentication, strengthening passwords and separating OS and networking VMs—are all standard, basic security protocols that are known to help mitigate a cyberattack. The U.S. Senate passed a cybersecurity bill in late 2020, which was a promising step forward. The initial intent, however, was simply to mandate these requirements for all connected systems being acquired by the government. These recent attacks would suggest that these criteria need to be addressed (and validated to make sure they are in place) prior to systems being deployed for a significantly broader set of use cases.
An Unconnected System Might Be Better
If I may be a Luddite for a minute, some companies might want to consider removing internet connectivity from systems altogether, especially if the benefits of connectivity are outweighed by the potential risks. In the case of an exposed water treatment plant in Florida, the internet was being used to enable remote management of the system. While we have all been largely remote due to the COVID-19 pandemic, I’m not convinced this was a better solution than having an individual visit the facility. My thinking is, “Just because it can be connected, doesn’t mean it should.”
Holding Companies Accountable
The last—and potentially most controversial—suggestion I have is that companies should be held accountable for creating and deploying poorly secured systems. In the fallout from Enron Corp.’s accounting fraud scandal, CFOs faced significant personal penalties if their company’s books were not up to the standard rules and regulations. CEOs of companies should potentially face punitive charges if their IoT systems, for example, are found wanting. While I do not believe that the government should be inserted into industry affairs as a general rule, it seems it is in the public’s best interest to have some way to ensure our critical infrastructure is secure—from the electricity grid to water supply and treatment systems to the food supply chain—and not vulnerable to hacks and ransomware attacks. There are enough basic security principles that simply have to be in place. If businesses do not implement them, there should be repercussions, just like when automobile manufacturers face recalls when fundamental faults are discovered in vehicles that we are relying on to transport us safely and securely.
Will the cybersecurity of a location ever be as important as physical security? As more hospitals, critical infrastructure and urban centers come under cyberattack, there may be no other choice but to make it a priority. The sooner business leaders invest in cybersecurity protections and prepare for the next cyberattack, the better off they’ll be.