Why ransomware is such a threat to critical infrastructure
A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation’s critical infrastructure and the ease with which their systems can be breached.
Little more than a decade ago, what was considered critical infrastructure was largely limited to air traffic control and generation and transmission of energy, and security regulations have been tightly focused on these areas. Today, however, there’s a growing acknowledgment that infrastructure encompasses much more, from stormwater systems to garbage processors, telecom providers, hospitals, financial services, pipelines, and more.
Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much of a threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.
Ransomware gets in through phishing scams or exploitable holes in security, both digital and human. Once inside, the attacker encrypts the data and holds it hostage until a ransom is paid.
As cyberthreats increase in sophistication, we can expect the threat presented by ransomware to evolve, and the actions taken to protect the nation’s critical infrastructure must evolve as well.
While there’s no centralized national agency overseeing all critical infrastructure in the U.S., we have a great model of what the energy industry did with the critical infrastructure protection (CIP) standards that guide utilities. We can apply that model to a broader definition of what constitutes critical infrastructure.
Many of the precautions mandated by CIP, like isolating critical systems from the internet and replacing single-factor, password-based authentication with multi-factor credentials including digital certificates based on public key infrastructure (PKI), could make other types of infrastructure just as secure and resilient as CIP-protected systems are.
It will take regulatory action, though. Municipalities and other critical infrastructure organizations are unlikely to take significant action to strengthen encryption and security unless there’s a mandate forcing them to do so.
It’s also going to take time. The CIP regulatory standards that are in place today didn’t happen overnight, and attacks continued during the years it took to implement them. It’s likely that the same will hold true for other infrastructure agencies, many of which have traditionally been operating with comparatively low security standards.
In the meantime, infrastructure agencies must take steps to mitigate these serious risks. Here’s how to get started.
Identify your most critical systems
Understand which systems you need to continue providing service and how resilient they are.
Assess which ones are disproportionately at risk
Many of these legacy infrastructure industries rely on highly specialized computers running on very old operating systems—systems that aren’t always patched and maintained as they should be. Create a roadmap for updating or replacing the older, neglected systems that are much more vulnerable to ransomware.
Assume that you will be attacked
Have a plan to reduce your exposure and then remediate it, increasing protections for critical systems. Ask yourself, how would you recover those systems if you were under attack? Where can you start adding additional security protections today? Effective precautions include:
- Segmenting your network, putting critical data and systems behind a firewall and limiting access to only those employees whose jobs require access
- Encrypting files, emails and databases, for example by using PKI certificates—if you’re hit by an attack, you may not know whether data has been extracted, but you can be confident that if the attackers did extract it, they won’t be able to read it
- Leveraging certificate-based identities, tokens and multi-factor authentication to ensure that the people connecting to systems are who they say they are.
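The steps above (identify critical systems, assess which are disproportionately at risk, assume an attack and close the gaps) can be turned into a repeatable review of an asset inventory. The following is an added example written for this article, not a tool the article describes; the inventory, the field names and the scoring weights are all hypothetical, and the four plant assets are constructed. It ranks each asset by how exposed it is (unsupported operating system, stale patching) multiplied by how critical it is to keeping the service running, and lists which of the article's three precautions (segmentation and internet isolation, encryption at rest, certificate or multi-factor authentication) are still missing, so that the most neglected critical systems land at the top of the remediation roadmap.

```python
"""Rank a constructed infrastructure asset inventory by ransomware exposure.

Added example: inventory, weights and field names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    role: str                      # the service this system keeps running
    criticality: int               # 1 (minor) .. 5 (service stops without it)
    os_end_of_life: Optional[date]  # vendor end-of-support date; None if still supported
    last_patched: date
    internet_reachable: bool       # reachable from the internet at all
    segmented: bool                # in its own firewalled network zone
    encrypted_at_rest: bool        # files/databases encrypted, e.g. with PKI certificates
    mfa_or_cert_auth: bool         # certificate-based identity or MFA instead of passwords only


def control_gaps(asset: Asset) -> List[str]:
    """Return the precautions from the article that this asset still lacks."""
    gaps = []
    if asset.internet_reachable:
        gaps.append("isolate from internet")
    if not asset.segmented:
        gaps.append("segment network")
    if not asset.encrypted_at_rest:
        gaps.append("encrypt data at rest")
    if not asset.mfa_or_cert_auth:
        gaps.append("certificate/MFA authentication")
    return gaps


def exposure_score(asset: Asset, today: date) -> int:
    """How easy the asset is to compromise; higher is worse. Weights are illustrative."""
    score = 0
    # An operating system past vendor end-of-life receives no more security patches.
    if asset.os_end_of_life is not None and asset.os_end_of_life <= today:
        score += 4
    patch_age_days = (today - asset.last_patched).days
    if patch_age_days > 365:
        score += 3
    elif patch_age_days > 90:
        score += 1
    # Every missing precaution widens the blast radius of a successful phish or exploit.
    score += 2 * len(control_gaps(asset))
    return score


def risk_rank(asset: Asset, today: date) -> int:
    """Exposure weighted by how much the service depends on the asset."""
    return exposure_score(asset, today) * asset.criticality


def roadmap(assets: List[Asset], today: date) -> List[Tuple[str, int, List[str]]]:
    """Assets ordered from most to least urgent, each with its open control gaps."""
    ranked = sorted(assets, key=lambda a: risk_rank(a, today), reverse=True)
    return [(a.name, risk_rank(a, today), control_gaps(a)) for a in ranked]


# Constructed inventory for a hypothetical small water utility.
INVENTORY = [
    Asset("scada-hmi-01", "plant control HMI", 5, date(2020, 1, 14), date(2019, 6, 1),
          internet_reachable=False, segmented=False, encrypted_at_rest=False, mfa_or_cert_auth=False),
    Asset("billing-web-01", "customer billing portal", 3, None, date(2021, 5, 15),
          internet_reachable=True, segmented=True, encrypted_at_rest=False, mfa_or_cert_auth=False),
    Asset("historian-db-01", "process historian", 4, date(2023, 10, 10), date(2021, 1, 10),
          internet_reachable=False, segmented=True, encrypted_at_rest=False, mfa_or_cert_auth=True),
    Asset("office-fs-01", "administrative file server", 2, None, date(2021, 3, 1),
          internet_reachable=False, segmented=False, encrypted_at_rest=False, mfa_or_cert_auth=False),
]
REVIEW_DATE = date(2021, 7, 1)  # constructed date of the review

if __name__ == "__main__":
    for name, rank, gaps in roadmap(INVENTORY, REVIEW_DATE):
        print(f"{rank:3d}  {name:16s}  missing: {', '.join(gaps) or 'none'}")
```

Run against the constructed inventory, the unpatched, end-of-life HMI that the plant cannot operate without comes out far ahead of the internet-facing billing portal, which is the ordering the article argues for: the legacy control system is the one to fix first, even though the web server is the one an outsider sees. Replace the inventory with your own asset list and adjust the weights to your environment.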
Be open to outside guidance
Securing the country’s critical infrastructure will require regulatory oversight, but it took years to develop and implement the energy industry CIP security protocols. In the interim, leverage key learnings from energy and other similar industries and apply comparable controls to ensure that your agency is resilient in the case of an attack.
We know that ransomware will continue to evolve. While the U.S. government is now redoubling efforts to address the threat it presents, infrastructure agencies can’t afford to wait for specialized security protocols to be handed down from the top.
By taking steps to identify and remediate vulnerabilities in their systems—including updating software, ensuring that their most critical functions are sufficiently insulated from cyberattacks and encrypting data—infrastructure agencies can work quickly to make their systems just as secure as those covered by CIP.