Priority of Protecting Digital Critical Infrastructure Will Grow in 2021

Chuck Brooks, President of Brooks Consulting International

In 2021 we will be facing a new and more sophisticated array of physical security and cybersecurity challenges that pose significant risk to global critical infrastructure (CI). A difficult challenge will be keeping up with the increasing sophistication of cyber threats and the expanding digital attack surfaces.

Last year, The 2020 World Economic Forum’s Global Risks Report listed cyberattacks on critical infrastructure as a top concern. WEF noted that “attacks on critical infrastructure have become the new normal across sectors such as energy, healthcare, and transportation.”

Global Cybersecurity Critical Infrastructure Attacks
In the past decade, there have been many cybersecurity attacks focused on breaching CI. There have been thousands of cyber attacks and several have been successful information technology (IT) operation technology (OT), and industrial control system (ICS) infrastructures.The new reality is that almost all of our critical infrastructures operate in a digital environment that is internet accessible. The trends of integration of hardware and software combined with growing networked sensors are redefining the surface attack opportunities for hackers across all digital infrastructures.

The threats are growing along with the attack surfaces associated with CI. The types of cyber threats include phishing scams, bots, ransomware, and malware and exploiting software holes. The global threat actors are many including terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states.

Globally, a variety of industries related to CI have been targets of attack, including healthcare, financial and transportation. The energy sector has been a top focus of attacks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. According to a Ponemon Institute report, three-quarters of energy companies and utilities have experienced at least one recent data breach. A major reason for why the sector has become more vulnerables is that Adversaries have gained a deeper knowledge of control systems and how they can be attacked and can employ weaponized malware against power stations and other energy related CI assets.

Also expanded connectivity has added to an expanded attack surface that includes IT, OT, ICS, system vulnerabilities and the Internet of Industrial Things (IIoT). Corporate networks, onshore wells, offshore platforms, and oil and gas pipelines all constitute the energy critical infrastructure. Moreover, In the case of energy infrastructure, many of the OT systems involve legacy systems over 25 years old (no security built in) and are in the early stages of digital transformation. Because of legacy equipment, there is often a visibility problem of the lack of telemetry data on many OT systems and devices.

There have been some frightening episodes involving critical energy infrastructure. In 2014, a computer in the control room at Monju Nuclear Power Plant in Tsuruga, Japan, was subjected to malware, but possibly by accident. And in 2015, South Korean hackers targeted Korea Hydro and Nuclear Power Company, but luckily to no avail. Most cyber experts believe that North Korea was behind the attempted cyberattack. These incursions are a wake-up call as there is a very real and growing fear that a future cyberattack on a nuclear plant could risk a core meltdown.

Non-nuclear power plants have also been subjected to intrusions and breaches. A hack in Ukraine was held up as a prime example. In December 2015, hackers breached the IT systems of the electricity distribution company Kyivoblenergo in Ukraine, causing a three-hour power outage.

In 2017, Hackers used Triton, a specialized malware to compromise critical safety systems at Schneider Electric. The malware is still being used to target industrial systems. According to Israel Barak, CISO at Cybereason, ;most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures.”

For a detailed list of attacks, please see Significant Cyber Incidents Since 2006 by The Center for Strategic and International Studies (CSIS):

Cyber Vulnerabilities of Critical Infrastructure Systems
The World Energy Council says countries must raise their game in combating cyberattacks on nuclear and other energy infrastructures. They note that the frequency, sophistication and costs of data breaches are increasing. The expanding cybersecurity focus on energy infrastructure by both the public and private sectors is certainly a welcome development. See:
An economic impact of a breach can be calamitous to critical infrastructure. A cyber-breach is not a static threat and is always evolving in tactics and capabilities. Many organizations do not know if an attack has occurred. Hackers often seek out unsecured ports and systems on industrial systems connected to the internet. IT/OT/ICS supply chains in CI can be particularly vulnerable as they cross pollinate and offer attackers many points of entry and older Legacy OT systems were not designed to protect against cyber-attacks. Protecting critical systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. And a lack of trained skilled workforce is a continual issue in IT, OT, ISC cybersecurity.

The U.S. Approach To Protecting Critical Infrastructure
With all the IT, OT, ICS cybersecurity risks and challenges, protecting CI is not an easy task for any country, especially democratic societies that are by their nature open and accessible. In the U.S., most of the critical infrastructure, including defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance, is owned by the private sector (about 85 percent) and regulated by the public sector.

Created as a civilian counter-terrorism agency back in 2003, The Department of Homeland Seceurity (DHS) has become the lead U.S. agency on the civilian side of government for cybersecurity. Also, the DHS role has significantly evolved in correlation with the growing and complex threat to critical infrastructure. Largely because of that responsibility and cybersecurity threat to CI and the need to coordinate with the private sector, the Department of Homeland Security (DHS) embarked on creating the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 as an operational component.
CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide” A fundamental aspect of that role for CISA is to protect 16 critical infrastructure sectors deemed so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. They are:
Chemical Sector,Commercial Facilities Sector,Communications Sector, Critical Manufacturing Sector, Dams Sector, Defense Industrial Base Sector, Emergency Services Sector, Energy Sector, Financial Services Sector,Food and Agriculture Sector,Government Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector, Nuclear Reactors, Materials, and Waste Sector, Transportation Systems Sector, and Water and Wastewater Systems Sector --

The DHS CISA model is a good one for any country to emulate, particularly from a risk management perspective.

A Cybersecurity Strategy & Framework to Defense Against Cyber-Attacks
A CI cybersecurity strategy to meet growing challenges needs to be both comprehensive and adaptive. As in physical security, cybersecurity relies on the same security elements for protection as physical security: layered vigilance, readiness and resilience. Meeting the challenges also requires public/private cooperation on sharing threat information, best practices, incident response, and emerging technology solutions to help mitigate attacks.

Defined by the most basic elements in a cybersecurity strategy & framework for cybersecurity CI should be constitute:
• Security by Design: SCADA networks and IT networks for industrial systems, and need to be designed, updated and hardened to meet growing cybersecurity threats. Security by design requires building agile systems with operational cyber-fusion to be able to monitor, recognize, and respond to emerging threats. Segmenting of vulnerable networks and remote connectivity should be a priority. Security by design can also identify system and operational dependencies up front of the process to remove risk.
• Layered vigilance: Vulnerability Assessments need to be instilled up front in the process. This should include mapping of the control systems, communication flows, and all connected devices in the network should be prioritized. Encryption of data flowing from sensors and segmentation of OT and IT should be included in a layer. The vigilance should incorporate best practices for industry cybersecurity standards and processes, including NIST, IEC 62443,ISO 2700, and the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Controls Systems (ICS) framework, .and others according to verticals. Also, identity access management and control tools are vital considerations.
• Situational Awareness: there is a need to continually surveil, analyze and game the critical infrastructure cyberthreat landscape. There is no substitute for good intelligence.
• Information sharing: The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency. Cooperation within industries and with government (Public/Private /Partnerships) are a proven model to follow. Preparation and commitment from both government and industry leadership is critical to help thwart threats.
• Readiness and incident response: There is a high chance of being breached and if so operational capabilities need to be maintained for CI. What works in Cybersecurity IT may pose risk to OT cybersecurity where patching may not be an option. There are many available CI readiness monitoring tools to test and validate in a SOC visual command center.
• Incident response. Protecting industrial control systems used by utilities from both physical and cybersecurity threats is a component of the dynamic threat environment and response matrix that constitutes their security environments. Real-time on-the-scene intelligence and operational alarms to relay critical information to the appropriate response personnel are an essential part of that response matrix. The ability to disconnect CI from the internet and continue to operate should be a part of any incident response. Assigned roles and training on how to respond to a breach need to be incorporated into incident response planning.
• Resilience: This also requires strategy, training (table top exercises) for a coordinated response in the event of a breach, and a plan for communicating and enabling recovery. Management, legal, and public affairs need to be prepared.

For a more in depth look at protecting OT systems from cyber-attacks see:

NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems

Protecting critical infrastructure will have enormous security challenges as we adapt to the technological and cultural changes taking place in 2021. Every country, governmental jurisdiction, industry, company and individual has their own unique CI threat landscape to address. A security strategy based on the pillars of vigilance, readiness and resilience needs to be actualized against those threats. This is not only critical for risk management and incident response, but it is an imperative for mitigating harm in an increasingly connected and precarious world.

About the author: Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and evangelist for Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech Experts to Follow on LinkedIn.” Chuck was named as a 2020 top leader and influencer in “Who’s Who in Cybersecurity” by Onalytica. He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was named by The Potomac Officers Club and Executive Mosaic and GovCon as at “One of The Top Five Executives to Watch in GovCon Cybersecurity. Chuck is a two-time Presidential appointee who was an original member of the Department of Homeland Security. Chuck has been a featured speaker at numerous conferences and events including presenting before the G20 country meeting on energy cybersecurity.