Critical infrastructure has always been a primary target of threat actors and different governments, for many reasons, including its impact on a nation's economy and resources and for financial gain. In June 2023, according to the U.S. Cybersecurity and Infrastructure Security Agency, the Department of Energy, entities, and several other U.S. federal government agencies were breached in a global cyber-attack by Russian-linked hackers. The cybercriminals targeted a vulnerability in specific software widely used by the agencies. Today many sectors rely on control systems such as Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controllers (PLC) to control and monitor edge devices and mitigate safety concerns. However, these systems introduce new vulnerabilities that IT operations (IT Ops) must monitor and build their cybersecurity program around.
As has been made clear in many incident reports and by the FBI, in 2022, one-third of cyber-attacks targeted critical infrastructure. The frequency and severity of ransomware attacks on critical infrastructure are rising, leading to significant service disruptions and potential major safety risks. The rise in the number of attacks from threat actors can be attributed to several factors, including (not limited to) financial gain, political agendas, known industrial control vulnerabilities, insider threats and lack of cybersecurity awareness. Unfortunately, some control system manufacturers have established cybersecurity programs and device hardening standards too late and are trying to catch up to the latest frameworks and best practices. At the same time, ransomware attacks have become more sophisticated, with threat actors adopting advanced techniques to gain unauthorized access to critical infrastructure control systems.
There are several significant threats related to critical infrastructure that cannot be ignored.
- The lack of cybersecurity planning, such as encryption, user privilege, password management, multi-factor authentication (MFA), and network segmentation enables a vulnerable environment ripe for a successful cyber-attack.
- Many critical infrastructure entities, including education systems, public health facilities, and water treatment plants, may have outdated software and legacy systems that no longer receive security updates and vulnerability patches.
- Insider threats from disgruntled employees, contractors, vendors, or individuals with access to critical systems can pose a significant risk to the integrity and security of these infrastructures.
- Insufficient cybersecurity awareness among employees and staff can result in unintentional security breaches, such as phishing attacks and social engineering. Every organization risks encountering employees who may act carelessly or seek workarounds to established policies and procedures
- A lack of vendor management, controls, and policies in place, especially for vendors with access to critical infrastructure networks may result in organizations lacking unawareness of their vendors' weak or nonexistent security policies.
- The COVID-19 pandemic shifted some of the workforce to a remote work model, which exposed critical infrastructure systems to new risks. As with every other sector, organizations were not properly prepared, from a security perspective, for this sudden transition in their employees' work environments.
- Some critical infrastructure entities may face advanced persistent threats from nation-state actors with specific geopolitical motivations, such as China, Russia, North Korea, and Iran.
- IoT devices are heavily used today in critical infrastructure, bringing new attack surfaces and potential vulnerabilities that threat actors may exploit. For example, devices used for monitoring critical infrastructure can become entry points for threat actors.
Consider a Holistic Approach
While implementing technologies is beneficial, adopting a holistic approach to cybersecurity that combines advanced technologies with robust policies, employee training, and proactive threat hunting is essential. As the cybersecurity landscape continually evolves, it is crucial to stay informed about the latest developments and threats to maintain an effective defense against cyber-attacks and ransomware.
There are many technologies, standards, and approaches critical infrastructure security teams should consider.
- Integrate endpoint detection and response (EDR) solutions to provide real-time monitoring and response capabilities at the endpoint level. They can detect and respond to advanced threats, including ransomware on individual devices, helping to contain attacks and prevent their spread within the network.
- Implement zero trust architecture to help mitigate and eliminate risks. Zero trust is an approach to cybersecurity that assumes no implicit trust in any user or device, both inside and outside the network perimeter. It requires strict policies, whitelisting, least privilege access, and monitoring tools to prevent any threats/attacks.
- Deploy next-generation firewalls (NGFW) that combine traditional firewall functionalities with additional crucial features such as intrusion detection and prevention, application awareness, and deep packet inspection. Most new firewalls are NGFW and provide visibility, control over network traffic, and log management. All the combined information will help detect and block any potential malicious activities.
- Follow the Center for Internet Security (CIS) Benchmarks and best practices to harden network devices and Linux and Microsoft servers. CIS Benchmarks are global standards developed by security subject matter experts to improve cybersecurity.
- Implement proper zoning and network segmentation based on data sensitivity, operation functionality, and accessibility.
- Conduct a physical assessment and detailed inventory to identify existing systems, topology, applications, and objectives to help create the baseline of all potential threats.
- Deploy company-wide multifactor authentication (MFA) for all users. MFA adds an extra layer of security by requiring users to provide multiple forms of authentication, such as a password, biometrics, or a hardware token, which will reduce the risk of any unauthorized access.
- Ensure physical security measures and technologies are in place to prevent unauthorized access to sensitive areas and equipment. Physical security is an essential factor in cybersecurity.
Artificial intelligence (AI) and machine learning (ML) technologies are being used in critical infrastructure to analyze vast amounts of data, create alerts, and mitigate any safety risks. They are also used to identify patterns indicative of cyber threats. These technologies can enhance threat detection, behavioral analysis, and anomaly detection, leading to quicker response times and improved incident management. However, it’s essential to carefully plan and have controls in place before deployment of AI and ML as they could potentially expose your network if not implemented properly. To mitigate that risk, implement a passive AI cyber vulnerability scanning appliance that will monitor the network against any vulnerabilities and run AI red teaming quarterly or yearly.
Policy Over Technology
Many companies suffered ransomware attacks in the past few years due to weak security measures. The cost and damage were severe enough for leadership in the industry to recognize the importance of having a cybersecurity program, and many of those leaders are now striving to keep pace with the latest technologies and cybersecurity frameworks. Cybercriminals easily exploit weak security configurations, know vulnerabilities, and other controls to gain access.
On May 7, 2021, Colonial Pipeline suffered a ransomware attack and was forced to shut down all pipeline operations to contain the attack. Under FBI supervision, the company paid 75 bitcoin, the amount that the hacking group asked for, around $4.3-4.4 million USD at that time. Attackers accessed the Colonial Pipeline network through an exposed password for a virtual private network account, said Charles Carmakal, senior vice president and chief technology officer at cybersecurity firm Mandiant, during a hearing before a House Committee on Homeland Security.
In addition to technological advancements and developments, organizations need to implement a comprehensive set of protocols, policies, and procedures to effectively reduce the threat of ransomware, data breaches, and cyber-attacks. These measures should address various aspects of cybersecurity and create a robust defense against potential threats.
An Information Security policy that outlines the organization’s commitment to information security, its objectives, and the responsibilities of employees will further safeguard data and systems.
- Define acceptable uses of company resources, including computers, networks, and internet access, to prevent risky behaviors that might lead to security incidents.
- Implement strong access controls and define who can access specific systems, data, and resources. Use the principle of least privilege to grant employees the minimum access required to perform their duties. Categorize data based on its sensitivity and specify appropriate handling procedures for each category, ensuring that critical data receives heightened protection.
- Establish guidelines for creating and managing passwords, including complexity requirements, regular password changes, and restrictions on password reuse.
- Ensure timely application of security patches and updates to operating systems, software, and firmware to mitigate known vulnerabilities.
- Implement a comprehensive backup and disaster recovery strategy with regular backups, testing of the restore process, and secure storage to recover data in case of a ransomware attack or data breach.
- Segregate networks to limit the lateral movement of attackers in the event of a breach.
- Develop a detailed incident response plan that outlines the steps to be taken during a security incident, including roles, responsibilities, and communication protocols.
- Create training programs that include education around cyber resilience, as traditional cybersecurity measures are no longer effective in protecting organizations against attacks. Conduct regular training, including attack simulations for employees to raise awareness about attacks, such as phishing, social engineering, and other common attack vectors.
· Regularly conduct security assessments, vulnerability scans, and penetration testing to identify and address weaknesses in the organization’s defenses.
- Define requirements for data encryption, both in transit and at rest, to protect sensitive information from unauthorized access.
- Ensure that the organization complies with relevant cybersecurity regulations and standards applicable to its industry, such as the National Institute of Standards and Technology (NIST) Computer Security Resource Center. NIST defines cyber resilience as "the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources."
- Adapt vendor management policies and controls, including security requirements. Many critical infrastructure firms rely on vendors to support their mission and have access to networks and resources. A tight vendor management policy is crucial to eliminate any potential threat from an outside source. Conduct regular assessments of their security practices if they can access sensitive data or systems.
Developing and implementing these protocols, policies, and procedures helps establish a strong security posture and creates a culture of cybersecurity awareness within the organization. However, it’s essential to regularly review and update these measures as the threat landscape evolves and new challenges emerge.
Security Ultimately Comes Down to Leadership
It’s important to have the leadership in place when building and maintaining a cybersecurity program. A successful program requires buy-in from everyone and starts at the top with C-suite engagement and ownership. Utilizing the latest technologies with proper vetting and monitoring systems combined with established policies benefits the business; however, a chief information security officer (CISO) can drive the information security policy and build security and incident response teams that keep systems safe. The CISO provides ongoing support and monitoring; ensures the company stays proactive in identifying and addressing security risks; and develops business continuity and disaster recovery plans to minimize downtime, ensuring the company can recover from an attack swiftly.
Due to recent events, many companies are seeking outside cybersecurity consultants to help enhance their internal teams’ knowledge and abilities. Consultants bring extensive expertise and lessons learned in dealing with various cyber threats, including ransomware attacks. They can assist in developing a comprehensive threat mitigation and recovery strategy tailored to a company's specific needs and industry requirements.
Leveraging a third party to conduct thorough security audits and risk assessments is valuable for identifying weaknesses and vulnerabilities in the company's systems and processes. Many cybersecurity awareness companies provide training and educational sessions for the organization’s team and vendors, increasing their cyber awareness, critical thinking, and knowledge of cybersecurity lessons learned and best practices. Also, many companies engage an outside cybersecurity consultant to demonstrate and verify the company's commitment to cybersecurity to stakeholders, customers, and partners to build confidence and trust in the organization's security practices.
Although hiring a consultant comes with an upfront cost, in the long term this investment can prevent substantial financial losses resulting from data breaches and ransomware attacks. Consultants can also help identify inefficiencies and redundancy in cybersecurity programs, reducing unnecessary expenditures and focusing resources where they will be most effective in reducing risk.
Overall, the value of seeking an outside cybersecurity consultant lies in their ability to bring specialized expertise, swift response, and tailored solutions to enhance the internal team's capabilities in mitigating cyber threats. This proactive approach can help the company avoid potential future attacks, protect sensitive data, and maintain its reputation in the marketplace.