Critical infrastructure security: Condition critical
Cyberattacks against critical infrastructure (CI) — energy, water, transportation, food, healthcare, financial services, and more — are not a new thing.
But there are increasing signs that they are becoming a more common and aggressive thing — perhaps even on the level of a “cyber Pearl Harbor” attack by a hostile nation state. Senior government officials have warned of that for decades.
Among the more recent indications are:
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued multiple security advisories June 22, warning organizations to check for vulnerabilities recently disclosed by researchers at Forescout. The vulnerabilities affect operational technology (OT) systems that should be — but aren’t always — isolated from the internet.
- CNBC reported last week that hackers are increasingly targeting container ships and freight planes. “The reality is that an airplane or vessel, like any digital system, can be hacked,” David Emm, a principal security researcher at cybersecurity firm Kaspersky, told CNBC.
- ZDNet reported last week that among predictions from analyst firm Gartner for the rest of 2022 is that hackers will “weaponize” OT environments to cause human casualties. Gartner noted that attacks on what is “often the brains behind industrial systems in factories or power grids,” have already become more common and more disruptive.
- A recent report from the Norwegian firm DNV titled “The Cyber Priority,” based on a survey of 940 professionals working in the power, renewables, and oil and gas sectors, found that 85% believe a cyberattack on the industry is likely to cause operational shutdowns and damage to energy assets and critical infrastructure in the next two years. Nearly three quarters of respondents — 74% — said they expect an attack to harm the environment while 57% anticipate it will cause loss of life.
Some experts say the U.S. is not ready for attacks like these.
Donald Davidson, director of cyber supply chain risk management programs at Synopsys, said CI risks continue to grow because “we’re slow to adopt a cybersecurity mindset for OT/cyber physical systems. We find more vulnerabilities all the time and we’re slow to correct or mitigate them.”
“It’s not as simple as software, which you can patch,” he added, noting that addressing OT security means updating hardware. “We all keep legacy hardware too long,” he said.
Which means that a lack of readiness isn’t a new thing either. The 2021 ransomware attacks on Colonial Pipeline, the main fuel supply line to the U.S. East Coast, and JBS Foods, which disrupted the meat supply and sent prices soaring, made that painfully clear.
Jonathan Knudsen, head of global research within the Synopsys Cybersecurity Research Center, said the overall state of security in critical infrastructure is “probably the same as the overall state of security in every other sector and industry — not great, sometimes shockingly poor, improving slowly.”
Indeed, there is obvious room for improvement. According to the DNV report, less than a third (31%) of respondents said they know exactly what to do if confronted with a potential cyber risk or threat, and “despite the emerging threats, less than half (44%) of the industry’s C-suite sees the need for urgent improvements to prevent a serious attack on their business.”
Perhaps that’s in part because executives have been hearing warnings about potentially catastrophic attacks on CI systems for so long that they’ve tuned them out. It was 2012, after all, when then-defense secretary Leon Panetta warned of an impending cyber Pearl Harbor attack, and nothing at that scale has happened in the decade since.
But that doesn’t mean it won’t, of course, especially given the instability in a world with a major war going on.
Karim Hijazi, chief executive officer of cyberintelligence firm Prevailion, told TheStreet after the Russian attack on Ukraine that “we’re on the threshold of a really dangerous situation, where a dramatic escalation in cyberwarfare by Russia could occur at any time.”
Energy professionals have apparently taken note; 67% of the respondents to DNV said recent cyberattacks on the industry have driven their organizations to make major changes to their security strategies and systems.
But they may not be covering all the bases — specifically the OT base. Brian Contos, CSO of Phosphorus Cybersecurity, wrote recently in Dark Reading that OT devices aren’t monitored as closely as information technology (IT) devices.
“More than 80% of organizations can’t identify the majority of IoT and OT devices in their networks,” he wrote. “There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?”
Davidson agrees. “Most think of cybersecurity in ICT [information and communications technology] as IT only,” he said. “But OT is the backbone of industrial control systems [ICS] and critical infrastructure SCADA [supervisory control and data acquisition] systems.”
“Most OT owners have long tried to exclude OT from all cybersecurity innovations for IT,” he added. “We have to put IT/OT in the same requirements box when it comes to cybersecurity.”
Joe Weiss, managing partner at Applied Control Solutions and a control systems expert, has been warning about the lack of OT security for decades.
Weiss wrote last year on his Unfettered blog that he had documented almost 100 control system water/wastewater cyber incidents throughout the U.S. and internationally, although “not all cases could be identified as cyber-related.”
A much more recent event was the June 8 explosion at Freeport LNG’s liquefaction plant and export terminal on Quintana Island, Texas. The damage was serious enough that the facility is not expected to resume major operations until late this year.
Motive, means, opportunity
The Washington Examiner reported that the explosion was followed by a spike in already high European gas prices “and has reinforced Russia’s ability to hold gas supplies to Europe at risk in retaliation for the European Union sanctions imposed on Russia over the war in Ukraine.”
Freeport LNG told the Examiner in a statement that the cause of the explosion was too much pressure in a transfer pipeline and that “a cyberattack was ruled out as the cause within days of the incident.” But the paper also reported that the FBI is investigating and that two liquefied natural gas (LNG) pipeline experts who asked for anonymity to avoid business retaliation said “piping from a storage tank to a terminal, as in this explosion, should have extensive safeguards to prevent overpressure events.”
Knudsen said it’s premature to attribute the explosion to a cyberattack. But he also said “it’s not a far-fetched theory. Nation states with cyber skills are no doubt prowling around and inside the critical infrastructure networks of their adversaries, building capabilities that might be used depending on geopolitical circumstances.”
Davidson also said he has no information that Russia attacked Freeport, but that “both China and Russia have penetrated lots of networks and critical infrastructure in the U.S. — hardware and software, IT and OT.”
And Weiss, in a more recent post, said although the company ruled out a cyberattack as the cause, there was “motive, means, and opportunity for this to have been done maliciously.”
Weiss noted that in mid-February, right before the Russian invasion of Ukraine, “hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters […]”
“The attacks targeted companies involved with the production of LNG and were the first stage of an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity Inc., which discovered the operation,” Weiss wrote.
Whatever the cause, the damage is significant, as is its effect on the European economy.
Get organized, do the basics
So the obvious question is: What should CI industry sectors be doing to mitigate the risks of cyberattacks that can have devastating physical and economic consequences?
One way to start would be for those overseeing CI to get better organized. Glenn Gerstell, senior adviser at the Center for Strategic and International Studies and former general counsel of the National Security Agency and Central Security Service, wrote in the New York Times in March that the U.S. government’s oversight of cybersecurity is too fragmented and not coordinated.
In an op-ed partially titled “America isn’t ready for what’s coming,” Gerstell wrote that “government agencies handle cyber regulation and threats in the sectors they oversee — an inefficient and ineffective way to address an issue that cuts across our entire economy.”
In recent months, he noted, multiple federal agencies have issued their own, separate security requirements for the specific sectors they oversee.
“And on Capitol Hill, there are approximately 80 committees and subcommittees that claim jurisdiction over various aspects of cyber regulation. These scattered efforts are unlikely to reduce, let alone stop, cybercrime,” he wrote.
Knudsen said improving the security of the nation’s critical infrastructure won’t take anything unusual; it requires doing well-established fundamentals like building security into software and then keeping it secure.
“Software is software, regardless of where it is deployed and what it does,” he said. “It’s easy to place undue emphasis on getting it to work, but the real goal should be getting it to work safely and securely.”
“Imagine if airplane manufacturers focused solely on making something that flies. Safety is baked into every phase of how airplanes are made. Similarly, security must be baked into every part of how software is made.”
“Another impediment to security is the maxim ‘if it ain’t broke, don’t fix it.’ With software, if it ain’t broke, it will be very soon,” he said. “Updating and patching are important, especially in a demanding, real-time, safety-critical environment such as critical infrastructure.”
“Software is the critical infrastructure for our critical infrastructure. It must be secured and protected accordingly.”
Davidson said the security effort needs to cover both software and hardware, and that the effort needs to be global. “The U.S. can’t do it all — we have to work with allies to build more security into our hardware and software process and products. We need to develop standards to measure assurance and adopt assurance levels for infrastructure sectors,” he said.
Because in the case of critical infrastructure, software and hardware risks are not simply business risks — they create economic and physical risks to the nation.