The Cyber War on our Critical Infrastructure and How to Win

Already in 2021, cyber-attacks have increased by 102%. Cyber-criminals have been a serious issue for America for some time now, and while SMBs were the traditional targets, that is no longer the case.

In the last couple of months, we have seen an uptick in cyber-attacks on critical infrastructure organizations. Since May, there have been reported attacks on our gas supply with the Colonial Pipeline ransomware hack, our meat food supply with the JBS USA ransomware attack and our public transportation with the New York City Metro ransomware attack. Cyber-criminals' new targets of choice are the companies that keep America going, and their weapon of choice is ransomware.

The malicious nature of ransomware attacks makes critical infrastructure organizations a prime target. Gaining control of a company’s systems and halting operations until a ransom is paid is akin to the old school mafia’s ‘protection payments,’ and while most companies can take a small loss to properly tackle these threats without paying the ransom, critical infrastructure organizations cannot afford even a minute of downtime. This was shown when JBS USA made an $11m ransomware payment and Colonial Pipeline paid its extorters $4.4m. While these amounts have been reported as recovered by the Department of Justice (DOJ), they demonstrate the desperation these companies experience when falling victim to a cyber-attack.

The US government has become proactive in tackling this growing national threat by pushing policy to combat cyber-attacks, warning firms against making ransomware payments, and most recently agreeing to work with the UK to tackle cybercrimes. This raises the question “Is this enough?”

The critical infrastructure sector lacks the necessary resources to truly put up a fight against sophisticated cyber-gangs such as DarkSide (who were responsible for the Colonial Pipeline hack). Earlier this year, the American Society of Civil Engineers (ASCE) gave the country’s critical infrastructure a C grade, or an average rating. Additionally, there is still a huge investment gap for this sector, which increased recently from $2.1trn to $2.59trn. If these issues are not solved quickly, the next attack on our critical infrastructure could bring our country to a standstill.

Aside from the government reducing the investment gap for the critical infrastructure sector and putting more policy focus on cyber-attacks, there are some pivotal steps that critical infrastructure organizations can take to better defend themselves. The first is to separate their business systems from their control systems. Many companies choose to merge their IT-based business systems with their operational technology (OT) systems. This creates an easy path to total control if a hacker can gain access to one system. Additionally, most OT systems were implemented decades ago and have had little to no updates; this means that they cannot run the latest and most efficient cybersecurity tools. Critical infrastructure organizations should look to update their systems and create a gap between them to better defend against cyber-attacks, or at least to isolate an attack should it gain control.

Additionally, critical infrastructure organizations need to focus on their employees; 85% of cyber breaches involve some type of human error. Therefore, the first line of defense is to train and educate staff members. The training should consist of helping employees identify malicious content such as emails or websites. It should also help to establish a zero-trust policy where the entire company adopts an assumption that any device on a network could be compromised. Additionally, it means giving employees minimal access to the network and only making the sections that are necessary to their job available.

The reactions to recent cyber-attacks on our critical infrastructure mean that cyber-criminals are going to continue targeting them. Currently, the cybersecurity measures, for arguably the most critical sectors of our country, are abysmal. More needs to be done to ensure that we are well equipped to tackle this growing form of terrorism. However, the responsibility does not only fall on the government; companies within the critical infrastructure sector need to ensure that they are doing all they can to protect themselves from this growing threat — our country depends on it.
