As we have seen with increasing regularity, cybersecurity breaches, regardless of the industry, can have serious business and individual consequences.
However, the effects of a retail enterprise breach pale in comparison to the potential catastrophic results of a cybersecurity breach involving Critical Infrastructure (CI). Critical Infrastructure is, by name and definition, critical to our lives and sustainability—it includes the systems, such as nuclear reactors, dams, public water systems, healthcare, agriculture, and energy, upon which our lives, health, and safety depend.
A malicious attacker intent on corrupting or controlling these systems could do damage to large population centers that is orders of magnitude greater than stealing social security numbers or money.
So, who protects our CI? Of the 16 different sectors that provide CI, the vast majority are in the private sector. Protecting these physical and data assets is done in partnership between private sector entities and the government, and only in a few sectors does the government have any direct regulatory powers.
In 2014, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and, as part of its mandate, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) 1.0 and the NIST Roadmap for Improving Critical Infrastructure Cybersecurity. In 2017, a draft version of the revised NIST framework, version 1.1, was circulated for public comment.
The NIST framework, while positively regarded, is also voluntary and costly to implement. While some sectors are keeping pace with their own cyber security evolutions at a more aggressive rate, others are lagging woefully behind.
At the end of the day, a stark reality remains: private entities must still take proactive ownership for their own cyber security program to reduce risks to consumers.
It’s easy to see why CI cybersecurity may seem like a different challenge, as we are keenly aware of the dire consequences that failure would bring. Yet it is an important exercise to consider the commonalities that CI sectors share with enterprises, because they show what must be done to improve CI cybersecurity.
Like all public and private sector organizations, CI entities have increasingly digitized their business models and become reliant on interconnected networks and complex IT infrastructures for efficiency and cost controls. CI companies have seeped out of the safety zone of their private perimeters, venturing into public clouds and hybrid WANs. They have vendor supply chains that must be carefully vetted and managed. As in every organization, IT complexity and employee insider risks increase threat vectors, which need more sophisticated security management.
CI has also seen a steep trajectory of increased cyber-attacks. Upon further analysis, we see that while these attacks are targeted at specific victims, attacks on CI organizations are not custom-built. Instead, they are typically the same types of attack modalities that plague industries across the board, and they can be defended against with the same kinds of security best practices. Some of these include:
Ukraine Power Grid, 2016: Hackers attacked three Ukrainian power companies, taking 30 substations offline, leaving 230,000 citizens without power. The attack vector was believed to begin with social engineering and spear phishing, as well as the BlackEnergy Trojan malware.
WannaCry, 2017: The WannaCry ransomware attack struck globally in May 2017, targeting computers running unpatched Microsoft Windows operating systems by encrypting data and demanding ransom in Bitcoin. Hospitals and other CI entities were particularly hard hit. WannaCry propagated using EternalBlue, a leaked NSA exploit for Windows' Server Message Block (SMB) protocol. Microsoft had discovered the vulnerability and issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, in addition to Windows Vista (which had recently ended support).
The NIST framework is considered by many to be a strong security framework that, if followed, applied, and adequately funded, helps CI organizations identify and mitigate security threats. Managing to regulatory or compliance requirements alone doesn’t necessarily protect the organization and its assets—enterprise or CI systems—against every type of potential threat.
If the organization has the internal expertise to manage to a security framework—NIST or otherwise—that meets its full security needs, that is a strong beginning. Regular security risk assessments, penetration tests, and hunt operations can help identify security weaknesses that may still exist.
For organizations that don’t have the internal expertise, or that need assistance prioritizing security spend based on risk, a qualified third-party organization can help lay out a roadmap for evolving the security program and regularly test security risk and response readiness.
Critical Infrastructure is unique—it sustains our lives, security, and communications, and its protection is essential. Yet from a strictly cyber security perspective, its challenges are comparable to those facing all other industries. The time, focus, and expertise (internally or externally sourced) must be applied to the full spectrum of risks we see both today and could potentially anticipate in the future.