A wrench and a screwdriver: Critical infrastructure’s last, best lines of defense?
For decades, security experts have warned that America’s critical infrastructure is at risk for cyberattacks. Yet, despite seemingly endless conversations, ongoing debate, and escalating concerns, modernization is slow and protections continue to lag.
When the Colonial Pipeline breach took place, it was as predictable as it was frightening. The ransomware attack shut down the pipeline for six days starting on May 7, and it led to a spike in oil prices along with shortages in some areas. But the next attack could be even more devastating: Large swaths of the nation could be left without electricity or Internet access, water filtration systems could go offline, or natural gas deliveries could be disrupted during winter. Any of these could put lives at risk.
At the heart of the problem is aging operational infrastructure and industrial controls that lack the security required for the digital age. As organizations have overlaid connected IT systems and Internet of Things (IoT) devices, the situation has become nothing short of a nightmare. In many cases, these pipelines and facilities have hundreds or even thousands of potential entry points for attackers.
Heaping on additional pain: approximately 85% of US infrastructure is operated by private companies, with virtually no cybersecurity regulations in place.
“Many of the systems in use weren’t designed for an era where operational and IT technology would be linked,” states Joe Nocera, Leader of PwC’s Cyber and Privacy Innovation Institute.
Risks Get Real
The threat to critical infrastructure is substantial — and the problem is growing worse. According to IBM Security X-Force, attacks on the energy sector have doubled over the last year. Part of the problem is that many operational systems and industrial controls are more than a quarter century old. Ironically, they’re actually quite secure — as long as they aren’t connected to IT systems.
These systems were designed to deliver ultra-high availability, and they are extremely expensive and complicated to update or swap out.
“It can cost a company billions of dollars to completely replace aging operational infrastructure with modern equipment,” says Mark Carrigan, chief operating officer at the PPM Division of Hexagon, a firm that specializes in building out industrial projects and embedding security controls.
Taking these industrial and operational controls offline — even for a short while — can create enormous headaches. As a result, many infrastructure-based companies aren’t in any hurry to move forward with more modern systems.
To read the complete article, visit Dark Reading.