Building Resilience Into Cyber-Physical Systems Has Never Been This Mission-Critical
Our nation’s critical infrastructure is increasingly brittle and under attack. Take the recent report that the drinking water of millions of Americans is at risk due to technical vulnerabilities. Threat actors have learned that the most lucrative ransomware payouts come from organizations that are vulnerable to penetration thanks to weak legacy security systems; large and established enough to afford a hefty payout; and crucial enough for society’s functioning that getting systems back online, no matter the cost, is the ultimate imperative.
Unfortunately, much of our critical national infrastructure—railways, wind farms, water treatment plants, oil and gas pipelines and many others—sits at the intersection of these three risk factors. As many of these formerly analog systems become increasingly digitized, the cyber-physical attack surface is increasing exponentially. In this new status quo, existing security strategies have become inadequate—nearly obsolete.
A new paradigm is desperately needed. Simply look to the August cyberattack on US energy company Halliburton for a clear illustration of the stakes involved. This attack, believed to be the work of the notorious RansomHub gang, resulted not only in stolen data but also in $35 million in reported expenses. But Halliburton is only one incident in a long string of attacks on critical energy providers with vulnerable systems. While the effects of that attack appear to be relatively limited thus far, the fallout from the 2021 Colonial Pipeline ransomware attack is a stark reminder of how much worse the situation could have been.
Drawing from my previous experience as an Air Force officer and my current role as Senior Vice President for Security of a cyber risk company, I see this issue from a unique vantage point. While the TSA proposes new pipeline and railroad cybersecurity rules in an attempt to fortify defenses from the top, I have some bigger-picture suggestions for how companies can proactively address today’s critical infrastructure risks.
Clarity of Sight: Seeing Clearly Amidst Complexity
We cannot protect what we cannot see clearly. This is a simple concept, yet we still have scores of critical infrastructure owners and operators lacking a clear map of their systems. Many of our clients at Resilience are shocked to uncover previously unknown vulnerabilities in their security postures. Given how actively critical infrastructure is being assessed by adversaries, it’s likely that threat actors were already aware of vulnerabilities in these systems.
According to the principles of airpower, taking control of the skies is imperative to preventing enemy forces from achieving their objectives. By ensuring continuous visibility over critical territory, air forces can safeguard key operations on the ground. It is unacceptable for our adversaries to dominate the airspace under any circumstances. Whether safeguarding a hospital’s operations or securing a national power grid, our ability to mitigate risks hinges on oversight of all operations and a comprehensive understanding of our collective vulnerabilities from all directions. This is why we cannot have only a hypothesis of the ground truth—we must have an actual ground truth.
Alignment and Effort: Harnessing Collective Wisdom
In my time as a Cyber Policy Advisor for the Office of the Secretary of Defense, I quickly learned that meticulous and continuous coordination at the operational level is paramount to safety. It’s no surprise that I advocate for similar strategic alignment in cybersecurity. Initiatives such as the Cyber Safety Review Board (CSRB), championed by the Department of Homeland Security (DHS), highlight the potential for collective learning and resilience-building across public and private sectors.
However, it’s crucial that the pace of this knowledge sharing and dissemination match—or, ideally, outpace—the rapid evolution of cyber threats and attack strategies. It takes years to investigate a plane crash. We must move faster in cyber resilience. OODA is the acronym for the assessment loop that pilots continuously run: observe, orient, decide and act. We must do this kind of assessment at scale and at speed.
Expectations vs Realities: Managing Risk With Pragmatism
In our quest for cyber resilience, we sometimes—mistakenly—fixate on hypothetical doomsday scenarios. While this apocalyptic and fear-based thinking can be an instinctual response to the threats we face, it is not realistic or helpful. Instead, we must champion the progress, even incremental, that is achievable through focused, pragmatic measures—like cyber insurance.
By reframing discussions around tangible outcomes such as financial stability and public safety, we can cultivate a clearer sense of priorities. Regulatory frameworks may eventually align incentives towards better cybersecurity practices, but in the interim, transferring risk via a measure like cyber insurance offers a potent mechanism to enhance visibility into risk mitigation strategies and to implement better cyber hygiene accordingly. By quantifying potential losses and incentivizing proactive security measures, cyber insurance can catalyze a necessary and overdue cultural shift towards resilience-oriented practices—and a safer world.
Looking Ahead: Charting a New Course
We stand at a pivotal moment in American critical infrastructure cybersecurity. As hackers threaten to sabotage our vital systems for ransom, the financial damages that ensued from incidents like the Halliburton attack oblige us to stay alert and act proactively. In addition, if we place cyber resilience at the center of our strategies, we just might be able to turn the tide—preventing catastrophic fallout from the inevitable attacks that come our way.