In recent times, infrastructure security has been a topic of preeminent importance globally. With the stresses of international conflict, supply chain shortages, a global pandemic, and an increased reliance on remote work, the resilience of our national infrastructure has been put to the test. Our critical infrastructure is what supports our way of life, and it is constantly under threat. NIST defines critical infrastructure as any “system or asset, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Generally, this includes infrastructure that supports human life such as the electrical grid, power distribution stations, water and sewage operations, gas pipelines, and travel infrastructure, but it also applies to systems of national importance such as communication systems. An outage in any one of these systems can cause considerable damage or excessive hardship to local populations, as well as harm national security.
What are the risks?
In most cases, the biggest critical infrastructure risk is a loss of availability. A loss of power can mean a loss of heat for a neighborhood, a downed power line can prevent emergency calls from reaching dispatchers, and a burst water main can leave thousands without access to clean water. In February of last year, Texas endured a winter storm that put unheard-of strain on the Texas power grid, resulting in weeks of rolling blackouts throughout the state, all during a time when residents needed heat the most. These blackouts left hundreds of thousands of homes without heat or electricity during some of the coldest days Texas had seen in years, resulting in the loss of over 200 lives. The disruption of public services in non-adversarial conditions may only be an inconvenience to those affected, but it can be catastrophic if it hits the wrong place at the wrong time. During extreme weather, especially in the height of summer or the depths of winter, loss of electricity, water, or gas can become deadly.
This Texas blackout wasn’t caused by a malicious hacker or a foreign APT, but it is a grim reminder of how bad the consequences can be when critical infrastructure fails. Following the Russian annexation of Crimea in 2014, Ukraine has been heavily targeted by Russian APT groups for exploitation. In 2015 and 2016, the Ukrainian government attributed a series of cyberattacks to the Russian Federation that resulted in power outages for tens of thousands of homes. According to a publication by the University of Washington, the foreign actors were able to gain access to the SCADA systems of over 30 substations across the western Ivano-Frankivsk region and the capital city Kiev. After gaining access to the substations, the attackers were able to disrupt power to over 200,000 households. For a more in-depth analysis and a deeper look into this attack, check out our earlier blog post on the history of cyber warfare.
How we can better protect our infrastructure
Because of the ongoing invasion of Ukraine, CISA has established the Shields Up initiative to help organizations prepare to defend against foreign cyberattacks, many of which target critical infrastructure. Shields Up aims to improve national readiness by supplying businesses with free tools, guidance, and services to better protect their critical assets. These tools may have limited impact, however, since most organizations are not required to implement additional security measures. The most challenging part of protecting critical infrastructure is securing the underlying systems that keep the wheels turning. Many of these public services rely on comparatively old industrial control systems that are difficult to secure even in the best of times. Securing legacy systems is harder still because of their dependence on software and systems that have long been end-of-life, but security principles can be universally applied to mitigate the risks. The single biggest thing that can be done to secure legacy systems is to employ strong access control processes. With cohesive identity management and sufficient access controls that restrict unauthorized access, attackers need to go to far greater lengths to gain a foothold. Employ multi-factor authentication wherever possible, enforce strong password requirements, and make sure that your employees are sufficiently knowledgeable about social engineering attacks to at least reduce the likelihood of compromise.
Implementing Cybersecurity Performance Management (CPM) gives organizations the framework they need to baseline and monitor key performance areas, ensuring continuous visibility and a shared lexicon for how performance affects risk, maturity, compliance, and ROI. The ability to see your cybersecurity performance in real time is critical to protecting legacy systems that may be vulnerable to modern-day exploits. Knowing what your crown jewel assets are and how well you’re protecting them is critical, and when the availability of your systems can be life-or-death for some of your customers, it’s absolutely essential.