Focusing on Cyber Resilience Over Traditional Cybersecurity is Crucial for Protecting Critical Infrastructure
Critical infrastructure is increasingly being attacked by nation-states seeking strategic, political, or military advantages, making cyber resilience more important than ever.
The Volt Typhoon group, which has ties to the Chinese Communist Party, is gaining access to critical U.S. infrastructure not for monetary gain but to position itself for lateral movement to strategic assets and operational technology, disrupting functions during a kinetic attack or other geopolitical scenario.
Just as nations have established deterrents to prevent large-scale military conflicts, such as the nuclear triad strategy that uses three types of weapons to deter nuclear attacks, cyber defenders must implement measures to combat cyberattacks on critical infrastructure.
Compliance-focused cybersecurity is not enough to stop threat actors who are lying in wait to initiate destructive attacks. One way to deter groups like Volt Typhoon from attacking is to enhance the cyber resilience of critical infrastructure organizations, minimizing the effects of a potential attack. If a downed system recovers quickly, the attackers' results will be less devastating and effective, and they will most likely be retaliated against.
In this scenario, the side that is more cyber resilient will be the dominant side. Building a robust ability to withstand and recover from cyberattacks sends a powerful signal to potential attackers that the cost of launching an attack will outweigh any potential gain.
In recent years, adversaries have become increasingly bold in accessing IT and operational technology supporting the nation's critical infrastructure, as evidenced by numerous high-profile breaches. Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations in the communications, energy, transportation systems, and water and wastewater systems sectors in the U.S. and its territories, including Guam.
A strategic shift in critical infrastructure cybersecurity requires recovery preparedness.
Threat actors live and operate in a gray space, exploiting gaps in technology, processes, compliance, regulation, contracts/SLAs, and skill sets to undermine existing protection approaches and measures. The adversary only needs to succeed once to breach a system, whereas cyber defenders must consistently prevent all potential breaches. This asymmetry highlights the constant vigilance required in cybersecurity defense strategies.
However, the approach of attempting to prevent attacks entirely is no longer realistic. Critical infrastructure defenders must shift from trying to prevent an attack 100 percent of the time to learning how to securely recover their organization’s data when it is breached as quickly and reliably as possible. They must anticipate attacks, withstand attacks, and securely recover data for operational continuity. Currently, those requirements are excluded from most regulations or compliance mandates, and adversaries know they can be successful if and when they desire.
The risks are significant in the current cyber climate, given the severity and sophistication of attacks from groups like Volt Typhoon. Unlike many kinetic attacks, where there might be geographic separation between adversaries, cyberattacks put nation-state actors at their target’s front door. While reducing the attack surface and building more secure software will take years, the U.S. government and critical infrastructure sector cannot afford to wait. The fastest way is to build the ability to withstand and recover quickly.
This raises the question: how can organizations achieve a high level of cyber resilience, perhaps through strategies like data backup and recovery, that will limit adversaries’ ability to severely disrupt operations and services?
Patch management is vital but not entirely effective.
Patch management is a vital component of cyber hygiene. Still, complex IT environments, lack of visibility into all devices, incompatibility issues with some patches, inadequate testing processes, and the need for manual intervention in certain situations hinder the effectiveness and timeliness of patch management in stemming data breaches. The large number of framework vulnerabilities that emerge each year can overwhelm IT departments trying to stay updated with patching. Plus, older software or operating systems reach their end of life, and no new patches exist.
At the same time, adversaries can reverse engineer patches to understand how vulnerabilities are being fixed. This process allows them to find new ways to exploit systems or develop ways to bypass the patch. Adversaries are skilled at doing that more quickly than most organizations can deploy patches, and they are highly motivated. While organizations may find patches necessary, they do not effectively deter adversaries.
Automation, immutable backups, and rapid recovery can help build cyber resilience.
Automation can help build cyber resilience by assisting security operations teams in rapidly detecting and responding to threats. Potential challenges to building cyber resilience through automation include integration complexities with existing infrastructure and the need for skilled personnel to manage and fine-tune automation tools.
However, many smaller organizations may lack these skill sets. Despite these challenges, from an automation perspective, IT and security teams within critical infrastructure organizations should apply automation tools to test the cyber resilience of their environments. This will allow continuous monitoring, rapid response to potential threats, and efficient cyberattack recovery.
Many organizations invest in backup security primarily to address natural disasters, often overlooking the need for resilience against cyberattacks.
Security operations teams can ensure cyber resilience and protect critical infrastructures by integrating strategies such as immutable backups, advanced threat detection, rapid recovery capabilities, and granular access controls, each contributing uniquely to a comprehensive defense against cyber threats. These capabilities enable organizations to swiftly restore essential data even if their systems are compromised by a cyberattack, minimizing downtime and operational impact.
Applying immutable backups means that once the data is created and stored, it cannot be modified or deleted by attackers, even if ransomware infiltrates the system or an administrator account is compromised. This process safeguards the last known clean data for recovery. Threat detection, including the use of machine learning capabilities, can continuously monitor backups for suspicious activity, identifying potential threats like ransomware or unauthorized access early on.
If an organization has robust backup and recovery capabilities, complemented by a user-friendly interface, it can minimize downtime and facilitate quick operational recovery after an attack. Furthermore, role-based access controls ensure that only authorized personnel can access sensitive data within backups, limiting the potential damage from insider threats.
Government cyber frameworks remain critical for resilience and protection.
Critical infrastructure organizations can strengthen cyber resilience by following a framework like the National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0.
To protect critical infrastructure from groups like Volt Typhoon, the primary NIST CSF 2.0 controls focus on the Identity, Protect, Detect, and Respond functions. There is an emphasis on robust asset management, network segmentation, advanced threat detection, anomaly monitoring, incident response planning, and immediate containment strategies for suspicious activity, particularly in operational technology (OT) environments.
NIST CSF 2.0 ensures backup integrity and validates recovery to a known, good state. For example, CSF 2.0 strongly emphasizes robust backup and recovery processes by providing detailed guidance on creating, protecting, maintaining, testing, and verifying backup data. These measures ensure organizations can quickly restore operations after a cyber incident. It highlights the importance of creating backups and regularly assessing their functionality and verifying their integrity before deployment in a recovery scenario.
Recovery planning emphasizes developing thorough incident recovery plans that include data restoration strategies, communication protocols, and incident analysis to learn from past events.
With strong cyber resilience, critical infrastructure stays operational, preserving essential services during cyber crises.
Cyber resilience enhances an organization’s ability to withstand and quickly recover from cyber incidents, indirectly reducing the likelihood of being targeted by making it harder for attackers to achieve their goals. When attackers understand that an organization can quickly recover from an attack, they might be less likely to target it due to the anticipated difficulty in achieving their objectives.
This does not mean that cybercriminals like Volt Typhoon will stop targeting critical infrastructure to disrupt operations. Some U.S. law enforcement and intelligence agencies have observed that deterring nation-state groups from their cyber operations is challenging.
However, critical infrastructure organizations can complicate cyber threats by developing a cyber resilience strategy that applies frameworks like the NIST Cybersecurity Framework, immutable backup and recovery plans, strong user authentication, and threat monitoring to keep communities safe and enhance national security.
