Summary: Although organizations and federal agencies recognize the importance of critical infrastructure to the national economy and the potential impact of a successful cyberattack, the US Government Accountability Office has identified many security gaps that are rooted primarily in the lack of coordination and collaboration. How can cybersecurity professionals help alleviate and secure critical infrastructure?
Recent attacks on the Irish Health Service Executive (HSE), Colonial Pipeline, and JBS Food serve as a warning of the significant threat posed by ransomware to the essential systems, networks, and assets that support a country’s society and economy. These critical national infrastructure components include educational institutions, public health facilities, energy grids, transportation systems, and water treatment plants.
These threats can also prove to be existential ones. St. Margaret’s Health Hospital in Spring Valley, Illinois, announced on June 12, 2023, that it would shut down because of the financial spiral caused by a devastating cyberattack in 2021.
“Will attackers adapt faster than we can evolve?”
The risk of security breaches in critical infrastructure has increased significantly in recent years. Integrating digital technology into older systems has made these facilities more vulnerable to attacks. The threat landscape constantly changes, and malicious actors have recognized the potential financial benefits of targeting these industries. These attacks are becoming more sophisticated, with state-sponsored and independent hackers shifting their focus from IT to operational technology (OT) environments. The 2022 Microsoft Digital Defense Report reveals that cyberattacks on businesses in IT, finance, transportation, and communication infrastructures accounted for 40% of all incidents in 2022, up from 20% in 2021.
Ian Bramson, global head of industrial cybersecurity at ABS Group, says that the real question for governments and cybersecurity professionals is, “Will attackers adapt faster than we can evolve?”
57% of GAO recommendations have not been implemented
Even though the discussions between operators of facilities and federal bodies on protecting critical national infrastructure have intensified, the US Government Accountability Office (GAO) sounds the alarm. “We’ve made 106 public recommendations in this area since 2010. Nearly 57% of those recommendations had not been implemented as of December 2022,” reads a recent report. “Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”
Which are the sectors that are primarily at risk, according to GAO?
The growing connectivity of industrial control systems (ICS) poses a significant risk to the distribution systems of the US grid, making them increasingly vulnerable to cyberattacks. As sensitive processes and physical functions become exposed to the internet, malicious actors use various methods to access these systems, potentially disrupting operations.
These methods include:
- Spearphishing emails that contain links or attachments with harmful code to infiltrate the corporate network.
- Exploiting insecure VPN connections to gain unauthorized access to ICS systems and networks.
- Compromising IoT devices attached to ICS systems with direct internet access.
- Attacking the ICS supply chain to manipulate hardware or software components before reaching the end industry.
While the Department of Energy (DOE) has developed plans to mitigate these threats, the plans have not addressed the supply chain vulnerabilities. Therefore, GAO has identified a security gap that could compromise the security, safety, and reliability of the US electric distribution systems.
K-12 schools have experienced significant educational impact due to cybersecurity incidents like ransomware attacks. Officials from state and local entities report that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time ranged from 2 to 9 months. Even though the National Infrastructure Protection Plan established the Department of Education as the agency responsible for coordinating all actions with CISA and FBI to develop a cybersecurity plan, the federal agencies had no interaction with each other. As a result, the cybersecurity needs of the education sector have not been addressed, and schools remain largely unprotected against emerging cyber threats.
The communications sector is a crucial part of the US economy, but it is vulnerable to physical, cyber, and human threats that could disrupt local, regional, and national networks. Despite its significance, CISA has yet to evaluate the effectiveness of its programs and services that help ensure the security and resilience of the communications sector. Such an assessment would enable CISA to identify which programs and services are most beneficial in supporting the sector’s security and resilience.
Oil and Gas
The safety and security of offshore oil and gas infrastructure face an ever-increasing threat from cybercriminals, vulnerabilities, and potential impacts. Unfortunately, the previous initiatives by the Bureau of Safety and Environmental Enforcement failed to produce any concrete action and didn’t include a cybersecurity strategy. To address this issue, the Bureau hired a cybersecurity specialist to lead the risk-mitigation effort in 2022. However, the initiative was put on hold until the specialist had sufficient knowledge of the relevant issues. Developing and implementing an appropriate strategy promptly is crucial to ensure the safety and security of offshore oil and gas infrastructure.
Coordination and collaboration are lacking
Reading GAO’s recommendations, it is apparent that there is a lack of coordination between responsible entities and federal agencies. For example, GAO recommends that:
- “DOE coordinates with the Department of Homeland Security (DHS), states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks.”
- “Education establishes a collaborative mechanism, such as an applicable government coordinating council, to coordinate cybersecurity efforts.”
Lack of coordination is also evident when addressing ransomware attacks. Although CISA, FBI, and Secret Service coordinated and demonstrated coordination on a joint ransomware website, guidance, and alerts, they faced challenges related to awareness, outreach, and communication. As a result, GAO recommends that CISA improves the coordination and sharing of threat information with respective stakeholders.
Lack of coordination and collaboration may indicate a lack of perspective and understanding of the threat landscape. A possible cause is that cybersecurity professionals fail to speak the business language and flood the boardroom with too much technical information. Unfortunately, this is information that executives do not understand, lacking, thus, the capacity to reach informed decisions.
Present leadership with a compelling narrative
To get leadership involved in OT and IT cybersecurity, it’s crucial to tell a compelling story. Cybersecurity professionals should explain cyber concepts in a way that’s easy to understand. For instance, on the OT side, it’s essential to clarify that the threat to OT goes beyond stealing data. Threat actors aim to disrupt operations, which can impact facilities’ physical security, employee safety, and local communities.
It’s also important to show how cyberattacks can affect a company’s revenue and business risk. For instance, a cyber leader at a power station may want to emphasize how a cyberattack can affect a facility’s ability to generate and distribute power safely. Additionally, it is crucial to demonstrate the measures taken to detect and respond to incidents. By doing so, cyber professionals can show how their actions and policies can minimize the impact of an attack.
By simplifying cybersecurity concepts, board-level leaders can better understand the right questions to ask, leading to productive conversations with cyber specialists.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.