Cyber attacks against critical national infrastructure are escalating. The ransomware hit on Colonial Pipeline was a clanging wake-up call for the public, but cybersecurity experts have been sounding the alarm for years.
In this interview with Help Net Security, threat expert Joe Slowik, Senior Manager at Gigamon, discusses the challenges involved in securing critical infrastructure, the rise in attacks, as well as the evolution of the threat landscape.
Attacks targeting critical infrastructure continue to rise in frequency and effectiveness. What are the most significant risks that security teams have to deal with?
The most frequently discussed aspect of critical infrastructure events is availability impacts: stopping or interrupting a process or organization. While these are inconvenient and, depending on the process, concerning, more worrying still are integrity-focused impacts. These items represent fundamental, and potentially subtle, modifications to processes such as observed in the 2017 Triton event or the 2016 Ukraine event that could lead to hazardous or even dangerous conditions.
In these cases, asset operators are unable to ensure the fundamental safety and operational reliability of a process, enabling potentially disastrous outcomes. While these events are rare (encompassing incidents such as those mentioned above and the Stuxnet event), they represent the greatest risk if successfully executed by a sufficiently skilled attacker.
What makes securing critical infrastructure systems so difficult? How does their security compare to those of other IT systems?
Critical infrastructure systems face twin burdens of often having fewer resources to invest in cybersecurity, and the very critical nature of their operations, which attract adversaries and focus attention on any disruptions.
When combined with the increasing connectivity of these resources and assets, organizations find themselves in a tough spot where they are targeted more often by adversaries ranging from criminal elements to state-directed entities. Low margins for error, high visibility (when systems fail or are compromised), and poor resourcing combine to make a complex defensive picture.
What’s your take on the Biden Administration’s efforts to safeguard the U.S. critical infrastructure?
Overall, current efforts appear to move the sector in the right direction by increasing focus and making resources available for defense. Where matters get tricky is the distinction between government-directed efforts and privately-owned infrastructure operators.
Ultimately, government action short of legal mandates or similar actions will only go so far in addressing issues absent actions from critical infrastructure asset owners and operators. Finding the right mix of requirements and incentives to properly engage asset owners and operators remains an open question, as they must balance security concerns with daily operational requirements and business needs.
What critical infrastructure sectors are the most at risk today? How do you expect the threat landscape to evolve in the next few years?
Understanding “risk” as a combination of impact and probability, while also keeping resourcing in mind for defensive purposes, the water and wastewater sectors present the most concerning sectors at present. While electric, oil and gas, and medical environments feature a number of high-profile events and risks, each of these is relatively well understood and features decent resources to invest in security capabilities, at least for “larger” entities.
Water and wastewater sectors, on the other hand, are typically small, local, municipally owned and operated entities with limited (if any) budget for security controls and enhancements. Furthermore, the sector appears to be noticed as such by adversaries, with multiple probing events taking place in Israel and the United States over the past two years.
What advice would you give to emergency teams responsible for on-the-ground response to critical infrastructure emergencies? What do they need to do in order to maximize their efficiency?
First and foremost, emergency responders and personnel must keep focus on primary goals of ensuring safety and reliability in critical infrastructure systems. While outages and disruptions can be painful and produce undesirable “follow-on” impacts, critical infrastructure defenders and responders must understand that adversaries increasingly are able, and in some cases willing, to subvert fundamental system integrity for malicious ends.
Restoring systems without identifying such alterations or compromises threatens truly hazardous circumstances that could lead to longer-term physical damage, environmental impacts, or even harm to personnel. When reviewing cyber resiliency and recovery, critical infrastructure operators should review existing requirements and guidance for engineering controls and physical system recovery.
By applying these existing lessons, including root cause analysis and maintaining plant safety as primary motivating items, asset owners and operators can ensure continued, reliable operation of critical infrastructure systems even after a cyber incident.