As recent world events have shown us, critical infrastructure is frequently in the cross hairs of global cyber warfare.
In August, the U.S. Cybersecurity and Infrastructure Security Agency warned that China is focusing on “destructive cyberattacks on U.S. critical infrastructure.” Russian hackers have sought to disrupt satellite communications, mount denial-of-service attacks against financial websites and knock out power throughout Ukraine, while compromising U.S. Defense Industrial Base contractor networks.
In response, CISA is working with Sector Risk Management Agencies, or SRMAs, to develop specific goals for each CI sector. There are 16 total sectors, and CISA will begin this process with four of them: energy; financial services; IT; and chemical.
Prior to the initiative, the FBI’s Internet Crime Complaint Center reported that it received 870 complaints in 2022 about ransomware attacks on CI organizations. Of the four sectors that will take part in goal development first, IT was targeted the most with 107 incidents, followed by financial services (88), energy (15) and chemical (9).
‘What If’ scenarios loom large
Here’s a snapshot of what we’re seeing within each of the four sectors, along with a sense of the conceivable magnitude for reality-based scenarios:
IT. The IT sector may be the most vulnerable because it relies on networked devices more than any other sector. Unfortunately, cyber criminals have extended periods to do damage within this environment, with the median dwell time now at 16 days. With more than two weeks to spare, attackers can disrupt a vast range of systems that support nearly everything that makes our modern lives possible.
Financial Services. Obviously, a successful hit here can rattle worldwide financial markets, trigger bank-run panics and/or keep citizens from making needed transactions. Assessing the fragility of the situation depends upon the size of the institution. A global banking organization will have a large and highly capable security team and tools to safeguard its digital assets; a rural credit union, however, may not.
Energy. Threats here bring much potential for catastrophic outcomes, especially if timing is on the adversaries’ side. Exploitation of power grid vulnerabilities during an election, for example, might disrupt voting in a key district. On the hottest day of the year, it could cause many hospitalizations and even deaths. Again, we’re seeing that size matters here. The smaller the energy organization, the more difficult it is to defend.
Chemical. It makes sense that the chemical sector would encounter the fewest attacks of the four, as it is less ubiquitous than IT, financial services and energy. As a collective society, we need to deal with all three of those on a daily or near-daily basis. This isn’t the case for the chemical sector. Still, the doomsday scenarios are plentiful – such as a breach which exposes the operating systems for hazardous materials.
Best practices for protection
The stakes are clearly high. That’s why – if they haven’t already – organizations should apply the National Institute of Standards and Technology Cybersecurity Framework’s five core functions: identify, protect, detect, respond and recover.
But the framework alone isn’t enough for CI sectors to defend themselves on the modern battleground. Here are three best practices to strongly consider:
Implement attack surface management. ASM enables near-real-time visibility and context to detect and understand developments and activity within an entire cyber ecosystem, and then proactively incorporate policies and practices to secure it all. This proves especially challenging for CI organizations, because they heavily depend upon operational technology (OT) systems and equipment that are increasingly internet-connected and thus, at least in part, publicly exposed.
Build threat models. It’s not enough to know where everything is and what it does – CI security teams must create canvasses which capture the global threat landscape. Which adversarial nation state is targeting which friendly nations? What regions are they most interested in? What time of the year – or even day – are they likely to launch an attack? How will any of these developments impact our assets and operations?
Include the oversight of geographically remote operations in the plan. By its very nature, CI is geographically widespread, as organizations conduct business from state to state, coast to coast or even internationally. CI organizations need remote employees, contractors and services to function, and internet connectivity ties it all together. Security teams must assess and oversee widely dispersed operations to implement ASM, so they know where everything is and whether measures are in place to send immediate alerts should threats occur – no matter where they are.
Armed with knowledge
The adversary wants to win badly here. They realize a compromised system or piece of equipment associated with a utility, financial network, chemical plant, etc. could unleash massive disorder, distracting the U.S. and allowing them to pursue their goals unchallenged. With each asset defenders identify and catalog at the level of detail described here, they will go into battle that much more prepared to counter such threats – wherever they exist.
Matt Lembright is Director of Federal Applications at Censys