Security Matrix — Critical Infrastructure
Information Technology (IT) Sector
The Information Technology (IT) Sector produces and provides “high-assurance IT products and services for governments, critical infrastructure sectors, commercial businesses, and private citizens around the globe” (CISA). Presidential Policy Directive 21 (PPD-21) declares the IT Sector to be critical infrastructure of the United States. By nature, the IT Sector is interconnected with the Communications Sector, which allows government and private companies to stay connected. Consequently, this creates a large attack surface and makes the sector vulnerable to cyberattacks. The IT Sector is dynamic and complex because of the sizable number of information systems and devices connected around the globe. The Department of Homeland Security (DHS) maintains an ongoing collaboration between government and the private sector. Their goal is “To achieve a sustained reduction in the impact of incidents on the Sector’s critical functions” (CISA). To achieve this goal, three strategies have been implemented: the IT Sector Products and Services Risk Management Strategy, the IT Sector Incident Management Strategy, and the IT Sector Internet Routing Risk Management Strategy. (DHS) The sector is made up not only of physical assets but also of virtual networks, including networks that provide critical services to both the private and government sectors. The IT Sector provides six critical functions (CISA):
1. IT products and services
2. Incident management capabilities
3. Domain name resolution services (DNS)
4. Identity management and associated trust support services
5. Internet-based content, information, and communication services
6. Internet routing, access, and connection services
There must be a joint effort and open communication among government and private entities to minimize threats, gather intelligence, increase awareness, ensure effective incident response, and mitigate damages. Ultimately, we must all work together to ensure the safety of our IT infrastructure.
Organizations
The National Infrastructure Protection Plan (NIPP) is a sector partnership model that encourages the public and private sectors to collaborate on their respective infrastructure protection activities. The partnerships comprise Federal, State, local, tribal, and territorial government entities. The Department of Homeland Security (DHS) is specifically assigned to oversee the IT Sector. (CISA)
Department of Homeland Security (DHS)
The DHS employs a risk-informed, all-hazards approach to safeguarding critical infrastructure in cyberspace. It works through domestic and international partnerships to collectively protect against cyber threats. The collective approach is to prevent, protect against, mitigate, respond to, investigate, and recover from cyber incidents. (DHS)
Cybersecurity & Infrastructure Security Agency (CISA)
CISA’s mission is to reduce the risk of cybersecurity and communication challenges as the Nation’s flagship cyber defense, incident response, and operational integration center. (CISA) CISA serves as a national center for cyber and communications technical knowledge and operational integration. The organization operates 24/7 to raise awareness, perform analysis, and provide incident response. It helps ensure information is shared among both private and government sectors by sharing information on vulnerabilities, intrusions, incidents, mitigations, and recovery actions. (CISA)
Assets
The IT Sector is made up of physical assets, including hardware such as servers, desktops, and laptops; supervisory control and data acquisition (SCADA) systems; software; and information technology systems and services. The assets are dynamic, and their number is increasing as data and services are shifted to cloud-based environments. Two assets are listed below, each rated on a criticality scale of High, Medium, or Low and on the likelihood of an incident occurring.
SCADA
Criticality: HIGH — Likelihood: MEDIUM
Supervisory control and data acquisition (SCADA) systems are crucial for industrial organizations to help maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime. (Inductive Automation) SCADA systems have several components, such as programmable logic controllers (PLCs), that communicate with sensors, machines, and other devices. Critical infrastructure depends heavily on SCADA systems to function. Examples include transportation, traffic lights, water distribution, and power plants. (Inductive Automation) These systems are constantly under attack by advanced persistent threats (APTs) and other threat actors. The protection of these assets is a crucial part of the mission to secure the IT Sector.
DNS
Criticality: HIGH — Likelihood: LOW
The Domain Name System (DNS), also known as the phonebook of the internet, is responsible for mapping domain names to their IP addresses. Translating domain names into IP addresses allows web browsers to load internet resources. (Taylor) DNS is a major component of the backbone of the internet. DNS is a critical asset, and its protection is crucial to the security mission of ensuring the integrity, availability, and accessibility of the internet and its resources, and therefore to the mission of securing the IT Sector.
Security Regulations
The cybersecurity landscape is growing and becoming increasingly hard to regulate, understand, and control. It is crucial to ensure individuals are protected and safe. The topic of privacy among individuals, governments, and business entities is complex and requires government policy to be implemented for people, businesses, and nations.
Electronic Communications Privacy Act of 1986 (ECPA)
The original privacy act has been amended to cover information gathering through current technologies. With a subpoena, the U.S. government can gather information such as GPS tracking via cellphones, emails, social media messages, and more. (Norton) The ECPA is a means to prosecute and convict individuals and entities guilty of intellectual property theft, fraud, and espionage.
General Data Protection Regulation (GDPR)
GDPR is a privacy law currently in force in the European Union. The United States is affected by this law through international business relations and government involvement. The law is put in place to protect users’ data from being collected without their knowledge. GDPR provides the protocols for how businesses and other organizations handle information related to the individuals who interact with them. (GDPR) GDPR defines personal data, accountability standards, types of consent, and how the data may be interpreted and processed. (GDPR)
Intelligence Sources
There are numerous intelligence-gathering entities that collaborate with both the government and the private sector. Their purpose is to collect, process, and analyze data to understand a threat actor’s motives, targets, and attack behavior. (FireEye) This is to create a better security posture to prevent, detect, and deter threats from criminal groups, hackers, and nation-states.
Mandiant offers a software-as-a-service (SaaS) platform. Its tools track known threats and give security practitioners the visibility and information needed to prevent, detect, and deter threats. The company focuses on investigations, threat hunting, incident response, and adversary research. (FireEye) FireEye was responsible for detecting the SolarWinds attack in March 2019 and provided its expertise to find the problem and help mitigate the damages.
Department of Homeland Security (DHS)
The Office of Intelligence and Analysis (I&A) is a component of the DHS. It manages department-wide processes for coordinating and executing the intelligence cycle at both the federal and local levels. (DHS) Its focus is threat identification, mitigation, and response. The office provides threat intelligence to other agencies in federal and local governments.
Frameworks
National Institute of Standards and Technology (NIST)
The Cybersecurity Enhancement Act of 2014 updated the role of NIST to include identifying and developing cybersecurity risk frameworks. Its responsibility is to identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks” (NIST).
IT Sector Risk Assessment Approach
The IT Sector methodology applies a top-down, function-based approach that considers the sector’s ability to support the economy and national security as part of the risk assessment’s national-level scope. The steps are listed below (NIST):
Step 1: Scope Assessment
Step 2: Assess Threats
Step 3: Assess Vulnerabilities
Step 4: Assess Consequences
Step 5: Create Risk Profile
Vulnerabilities
The IT infrastructure is interconnected with government and private entities. The attack surface is large and allows for a wide number of vulnerabilities. (Constantin)
Preventative & Detective Controls
Intrusion Prevention System (IPS)
The IPS is a preventative control that provides another layer of protection by analyzing network traffic. An IPS is placed inline (in the direct communication path between source and destination) and actively analyzes and takes automated action on all traffic flows that enter the network. (Palo) The device or software alerts administrators to threats, drops malicious packets, and blocks traffic by criteria such as IP address, MAC address, and domain name.
Antivirus Protection
Antivirus software has several features to help detect malicious software on IT systems, such as signature-based detection of currently known threats. (Norton) These tools are used for endpoint security down to the individual user level on desktops, laptops, and cell phones.
Incident Response
National Cyber Incident Response Plan (NCIRP)
The NCIRP is a national approach to cyber incidents, highlighting the important role that the private sector, state and local governments, and federal agencies play in responding to incidents and how those activities all fit together. (CISA) This plan works in unison with the NIST framework to provide best security practices and incident response. Examples include secure design, secure architecture, and secure coding techniques. (NIST)
Security Operations Center (SOC) Audit Checklist
The audit checklist evaluates an organization’s current security posture and assesses its SOC’s processes and technology against the requirements of a specific industry. Examples include handling healthcare data in compliance with HIPAA, PII, and PCI laws, and proper storage of data. (CISA) US-CERT and the DHS are two agencies responsible for incident response for the IT Sector.
Recent Incidents
SolarWinds Supply Chain Attack: March 2019
SolarWinds provides software as a service (SaaS) and generated gross revenue of roughly $938 million as of 2019. (Wikipedia) One of SolarWinds’ products, the Orion suite, was compromised as early as March 2019, and the compromise was not detected until December 2020. (Baker) Updates were pushed out to 18,000 customers, and those who installed them were compromised by malware that allowed access to the system through a remote access trojan (RAT). (Alderson) The SolarWinds supply-chain attack was extremely sophisticated and complex. The estimated recovery cost of the breach is $100B because it compromised both federal agencies and private companies. (Ratnam)
Colonial Pipeline: May 6, 2021
The Colonial Pipeline provides roughly 45% of the East Coast’s petroleum products. The company transfers over 100 million gallons of fuel each day. (Osborne) On May 6, 2021, the DarkSide group attacked and gained access to the company’s IT systems. The following day, they launched a ransomware attack and encrypted over 100GB of data, shutting down the pipeline. The group demanded roughly $5 million in ransom. The pipeline was reopened on May 12, 2021. This attack is the most successful cyberattack on a critical component of a country’s infrastructure to date. (Osborne)
Florida Water System: February 5, 2021
The water treatment plant in Oldsmar, Florida was compromised, and the intruder boosted the level of sodium hydroxide, or lye, in the water supply to 100 times higher than normal. (Bergal) When the attacker exited the system, the engineers lowered the sodium hydroxide level back to normal. Safeguards were in place that would have prevented the treated water from being released. (Bergal) The attack alerted state and federal governments to how vulnerable these systems are to attack and how wide the current security gaps in IT systems are.
Works Cited
Inductive Automation. “What Is SCADA?” Inductive Automation, 12 Sept. 2018, inductiveautomation.com/resources/article/what-is-scada.
Baker, Pam. “Breaking Stories & Updates.” CSO. IDG Communications, 4 June 2021. Web. 11 Sept. 2021.
Bergal, Jenni. “Florida Hack Exposes Danger to Water Systems.” The Pew Charitable Trusts, 21 Mar. 2021, www.pewtrusts.org/research-and-analysis/blogs/stateline/2021/03/10/florida-hack-exposes-danger-to-water-systems.
Brandom, Russell. “SolarWinds Hides List of High-profile Customers after Devastating Hack.” The Verge. The Verge, 15 Dec. 2020. Web. 11 Sept. 2021.
CISA. “Cyber Security & Infrastructure Security Agency.” Cybersecurity and Infrastructure Security Agency CISA, www.cisa.gov/.
Constantin, Lucian. “33 Hardware and Firmware Vulnerabilities: A Guide to the Threats.” CSO Online, CSO, 7 Jan. 2021, www.csoonline.com/article/3410046/hardware-and-firmware-vulnerabilities-a-guide-to-the-threats.html?page=2.
DHS. “Protecting Critical Infrastructure by Securing Information Technology.” Department of Homeland Security, 21 Sept. 2018, www.dhs.gov/blog/2011/07/22/protecting-critical-infrastructure-securing-information-technology.
FireEye. “Mandiant Intel Grid.” FireEye, FireEye, 2021, www.fireeye.com/mandiant/intel-grid.html.
GDPR. “GDPR — User-Friendly Guide to General Data Protection Regulation.” GDPR EU, GDPR, 21 Dec. 2020, www.gdpreu.org/.
NASA. “NASA.gov.” NASA, NASA, 2016, www.hq.nasa.gov/security/it_threats_vulnerabilities.htm.
NIST. “Framework for Improving Critical Infrastructure Cybersecurity.” NIST.gov, NIST.gov, 6 Apr. 2018, nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
Norton. “What Are Some of the Laws Regarding Internet and Data Security?” What Are Some of the Laws Regarding Internet and Data Security?, Norton, 2021, us.norton.com/internetsecurity-privacy-laws-regarding-internet-data-security.html.
Osborne, Charlie. “Colonial Pipeline Attack: Everything You Need to Know.” ZDNet, ZDNet, 13 May 2021, www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/.
Palo Alto Networks. “What Is an Intrusion Prevention System?” Palo Alto Networks, Palo Alto Networks, 2021, www.paloaltonetworks.com/cyberpedia/what-is-an-intrusion-prevention-system-ips.
Ratnam, Gopal. “SolarWinds Hack Recovery May Cost Upward of $100B.” GovTech. GovTech, 21 Apr. 2021. Web. 12 Sept. 2021.
Taylor, Rebekah. “Four Major DNS Attack Types and How to Mitigate Them.” BlueCat Networks, 13 Aug. 2021, bluecatnetworks.com/blog/four-major-dns-attack-types-and-how-to-mitigate-them.
Wikipedia. “SolarWinds.” Wikipedia, Wikimedia Foundation, 04 Sept. 2021. Web. 11 Sept. 2021.