Cyber attacks on critical infrastructure show advanced tactics and new capabilities

In this Help Net Security interview, Marty Edwards, Deputy CTO OT/IoT at Tenable, discusses the impact of geopolitical tensions on cyber attacks targeting critical infrastructure.

Edwards highlights the need for collaborative efforts between policymakers, government agencies, and the private sector to strengthen cybersecurity across critical infrastructure sectors. He emphasizes investment in personnel, technology, and proactive measures.

How have recent political unrest and geopolitical tensions influenced the frequency and nature of cyber attacks on critical infrastructure?

Heightened geopolitical tensions have prompted the U.S. government to issue several warnings about nation-state threats targeting critical infrastructure, which is something that should cause all of us to sit up and pay attention. In my experience, the government does not make attributions lightly, so when they issue a warning or provide information about a threat actor linked to a specific country, it means they have significant evidence to support it that the public should know about.

However, I’m less concerned about a nation-state level attack that gets sensationalist media coverage. I’m more concerned about criminal ransomware getting into these environments and shutting them down. That’s low-hanging fruit and we should be able to alleviate those concerns through cybersecurity fundamentals.

How has the sophistication of cyberattacks against the industrial sector evolved? What new capabilities do cyber groups now possess?

The sophistication of cyberattacks targeting the industrial sector has evolved significantly in recent years, driven by various factors. The interconnectedness of critical infrastructure assets, devices, and systems with third parties throughout the software supply chain has made identifying attack paths more complex than ever before. This interconnectedness creates numerous potential entry points for attackers to exploit.

Additionally, cyber adversaries now possess a range of new tactics. They understand the importance of compromising a single external-facing asset or exploiting misconfigured identities to gain unfettered access to critical systems. Recent attacks on entities like Colonial Pipeline and water treatment plants demonstrate the potential for malicious actors to cause real-world impacts with just a few clicks.

Ransomware criminals are increasingly targeting industries that rely heavily on operational systems, knowing that downtime can result in significant financial losses. Ransomware-as-a-Service (RaaS) has further fueled the proliferation of ransomware attacks, making these attacks more accessible to a wider range of threat actors. It’s important to note that criminal ransomware operators don’t typically use the zero-days that make headlines, or cyberwarfare-level capabilities; they exploit known vulnerabilities that have been unpatched for years. Attackers aim to use the minimum amount of resources, and zero-days are expensive.

Unfortunately, these threats are further exacerbated by complacency across organizations and a lack of commitment to invest in this space. ICS security budgets are shrinking, with many organizations lacking dedicated cybersecurity budgets altogether. This trend is concerning, given the increasing frequency and severity of cyberattacks targeting critical infrastructure. Securing OT environments is paramount, and organizations must prioritize cybersecurity investments to effectively defend against evolving cyber threats.

How effective are the current measures to secure the relationship between IT and OT systems in critical infrastructure?

The effectiveness of current measures varies. While some progress has been made, there are still significant challenges that need to be addressed.

The traditional approach of isolating critical infrastructure from the outside world is no longer viable, and there remains a concerning gap between adversaries’ understanding of facility assets and defenders’ capabilities to secure them. While critical infrastructure sectors are maturing in their cybersecurity practices, many organizations still operate with a reactive mindset, only addressing cyber threats after they occur. This approach is costly and unsustainable, as the impact of cyber incidents can be significantly higher (by the millions) than proactive prevention measures.

Recent initiatives, such as executive orders on port cybersecurity, demonstrate progress toward better cybersecurity standards. Granting more authority to these entities can help mitigate cyber risks, but it’s crucial to ensure that resources are allocated effectively and that roles and responsibilities are clearly defined and harmonized with existing cyber policies and regulations.

One of the challenges lies in the oversight of OT environments, which are often overlooked despite hosting numerous underprotected systems. And inadequate cyber hygiene practices, such as default passwords and lack of authentication security, pose significant risks to critical infrastructure, particularly in sectors like water facilities.

What recommendations would you give policymakers and government agencies to strengthen cybersecurity across critical infrastructure sectors?

There needs to be a concerted effort to invest in building out personnel and governance structures. Without a CISO or dedicated cybersecurity roles, it becomes challenging to effectively manage and implement security measures. It’s also important to establish dedicated teams whose primary focus is on securing critical infrastructure systems, to help ensure cybersecurity efforts receive the attention and resources they require without competing with other operational priorities.

Secondly, we must use technology to gain visibility into critical infrastructure environments. While technology solutions exist to provide this visibility, there is often a hesitancy to implement them. Policymakers should encourage and support organizations in adopting technologies that can enhance security posture and detect threats within these environments.

Addressing the cybersecurity skills gap is also paramount. Policymakers should prioritize the recognition of cybersecurity roles as essential and allocate resources to support training and recruitment efforts. Every organization that operates critical infrastructure should have dedicated cybersecurity personnel to protect against evolving threats.

Lastly, tackling ransomware requires a joint public-private effort. Government agencies should collaborate with the industry to identify critical infrastructure sectors of national importance and develop tailored strategies to protect them. It’s crucial for both sectors to be actively involved in the conversation, ensuring that strategies are actionable, sustainable, and reflect the unique needs of each country or region. By fostering collaboration and alignment between government and industry stakeholders, policymakers can effectively enhance cybersecurity across critical infrastructure sectors.