What will it take to secure critical infrastructure?
Securing critical infrastructure is complicated by the sheer number of facilities and of the management systems that run them. Attacks on this sector can have dire consequences, and when they happen they are usually accompanied by a media storm. Public concern follows, which prompts politicians to act, and action means ensuring that the necessary cyber protections are put in place to reassure the concerned citizens, who are also the electorate.
The May 2021 ransomware attack on Colonial Pipeline, which caused long lines at gas stations across the southeastern US, followed exactly this timeline and served as a much-needed wake-up call to protect critical infrastructure services against cyberattacks. It prompted action at the highest levels of the US government: the president expedited an executive order (EO 14028, "Improving the Nation's Cybersecurity") aimed at strengthening US cyber defenses. In brief, the order requires federal IT service providers to disclose incidents, creates a standard federal playbook for incident response, mandates security upgrades such as multifactor authentication and encryption for federal systems, establishes the Cyber Safety Review Board and, importantly, encourages an ethos of threat-intelligence sharing between government agencies and the private sector.
Wake-Up Call
The current emphasis on cybersecurity, driven by increased threats to critical infrastructure from financially motivated cybercriminals, terrorism, and the war in Ukraine, is unprecedented. In the current budget proposal, the Cybersecurity and Infrastructure Security Agency (CISA) will receive $2.93 billion, $417.1 million more than it requested. Numerous grants are available to help critical infrastructure organizations fund the much-needed improvements; in 2022, CISA and FEMA began rolling out the State and Local Cybersecurity Grant Program, $1 billion from the Infrastructure Investment and Jobs Act, to help state and local entities improve their cybersecurity. Testifying before the House Homeland Security Subcommittee, CISA director Jen Easterly cited the cyberattack on the Oldsmar, Fla., water utility as an example of an attack on critical infrastructure to justify the original request.
Calling the task of upgrading the cybersecurity of US water supply and wastewater systems enormous would be an understatement. According to American Water, there are 53,000 water supply and sanitation providers in the US; the Environmental Protection Agency (EPA) counts differently and lists roughly 148,000 public water systems (systems, not companies).
If, like me, you live in a rural community, the company supplying your water is likely a small local business providing a critical infrastructure service. On Feb. 5, 2021, the water treatment plant serving the city of Oldsmar suffered a cyber incident: a perpetrator gained access through a poorly secured remote-access setup based on TeamViewer and raised the sodium hydroxide (lye) dosing setpoint from 100 parts per million to 11,100 parts per million. Fortunately, a plant operator noticed the change on his screen and reversed it, stopping the attack and the potential poisoning of thousands of people. It was later disclosed that the remote-access system was not protected by two-factor authentication and that the plant's computers shared a single weak password. There really is no excuse.
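The Oldsmar incident shows two controls that should sit between a remote session and a chemical dosing setpoint: an engineering limit on the setpoint that is enforced independently of whoever is driving the operator console, and an alert whenever a setpoint write arrives over a remote-access session. The monitor below is an added example written for this page, not code from the article, from the Oldsmar plant, or from any HMI or remote-access vendor. The audit-log line format, the tag name NAOH_DOSE_PPM, the safety envelope of 50 to 200 ppm, the step-change ratio, and the sample log lines are all constructed for illustration; a real plant would take the limits from its process engineer's dosing specification and feed the monitor from the HMI's real audit trail.

```python
"""
Setpoint-write monitor for a water-treatment HMI audit log (added example).

Two independent checks, mirroring what was missing at Oldsmar:
  1. A hard engineering limit and a maximum step change per tag, enforced
     regardless of which user or console issued the write.
  2. An alert on any setpoint write that originated from a remote session.
All tag names, limits and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed safety envelope per tag, in ppm (lo, hi). In practice this
# comes from the dosing specification, never from the HMI the attacker controls.
SAFETY_LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 200.0),
}

# Largest single-step increase allowed relative to the previous value.
MAX_STEP_RATIO = 2.0

# Constructed audit-log format:
#   <iso-time> user=<name> origin=<console:ID | remote:TOOL> tag=<TAG> old=<v> new=<v>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+origin=(?P<origin>\S+)\s+"
    r"tag=(?P<tag>\S+)\s+old=(?P<old>[\d.]+)\s+new=(?P<new>[\d.]+)$"
)

# Constructed sample log: one normal trim, a session-start line the regex
# ignores, the hostile write, and the operator's manual reversal.
SAMPLE_LOG = [
    "2024-03-01T08:02:11Z user=operator1 origin=console:HMI-01 tag=NAOH_DOSE_PPM old=98.0 new=100.0",
    "2024-03-01T13:30:05Z user=operator1 origin=remote:teamviewer event=session_start",
    "2024-03-01T13:31:47Z user=operator1 origin=remote:teamviewer tag=NAOH_DOSE_PPM old=100.0 new=11100.0",
    "2024-03-01T13:36:02Z user=operator1 origin=console:HMI-01 tag=NAOH_DOSE_PPM old=11100.0 new=100.0",
]


@dataclass
class Finding:
    ts: str
    tag: str
    user: str
    origin: str
    old: float
    new: float
    reasons: list


def limit_violations(tag, old, new):
    """Engineering-limit check. Unknown tags are reported, not silently allowed."""
    reasons = []
    limits = SAFETY_LIMITS.get(tag)
    if limits is None:
        reasons.append("no safety limit configured for tag")
    else:
        lo, hi = limits
        if not lo <= new <= hi:
            reasons.append(f"new value {new} outside safety limits [{lo}, {hi}]")
    if old > 0 and new / old > MAX_STEP_RATIO:
        reasons.append(f"step change x{new / old:.0f} exceeds x{MAX_STEP_RATIO:.0f}")
    return reasons


def should_block(tag, old, new):
    """True when the write must be rejected no matter who sent it."""
    return bool(limit_violations(tag, old, new))


def evaluate_write(tag, old, new, origin):
    """Limit violations plus an alert-only reason for remote-originated writes.
    Remote origin alone does not block (legitimate maintenance exists), but it
    is always surfaced so an operator can confirm the session was expected."""
    reasons = limit_violations(tag, old, new)
    if origin.startswith("remote:"):
        reasons.append(f"write originated from remote-access session ({origin})")
    return reasons


def scan_log(lines):
    """Return a Finding for every setpoint write that raises at least one reason."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a setpoint write (e.g. session events); ignore here
        old, new = float(m["old"]), float(m["new"])
        reasons = evaluate_write(m["tag"], old, new, m["origin"])
        if reasons:
            findings.append(Finding(m["ts"], m["tag"], m["user"], m["origin"], old, new, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.tag} {f.old} -> {f.new} by {f.user} via {f.origin}")
        for r in f.reasons:
            print("   -", r)
```

Run as a script, the monitor flags only the 100 to 11100 ppm write, with three reasons: it is outside the safety envelope, it is a 111x step, and it came over a remote session. The same `should_block` check is what a PLC-side or gateway-side guard would apply before the write ever reaches the dosing pump, so that a stolen TeamViewer password buys an attacker an alert rather than a poisoned supply.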
To read the complete article, visit Dark Reading.
The thing most entities won't do to secure their systems is to require that there be no connection of any type between the Internet and the critical network. Firewall makers want you to think that they can prevent attackers from getting from the Internet to the critical networks, and make billions selling that idea, but an unplugged path from the Internet to the regular network is the best defense!!