Is now finally the time to secure critical infrastructure?
October 13, 202112:11 pm
4 min read
This content is provided by LookingGlass.
Securing critical infrastructure has been talked about for years, but major attacks against SolarWinds and Colonial Pipeline have increased greatly the focus on how to do so. If it’s been a known concern, why are we still grappling with it?
Partly because it’s such a complex issue. Critical infrastructure encompasses many sectors and systems. And very little of it is owned by the government, meaning private sector companies are largely left to figure out how to implement cybersecurity best practices or standards and recommendations like the National Institute of Standards and Technology’s cybersecurity framework.
Another part of the challenge in securing critical infrastructure is that malicious actors have not only improved their methods with technology innovations but have seized upon digital transformation initiatives—including the increasingly connected nature of business and operations—and the COVID-19 pandemic to, in many ways, hide among the bits and bytes.
And finally, there is the issue of funding and resources. When you speak to subject matter experts, cybersecurity is both notoriously underfunded and under-resourced, at least across most of critical infrastructure and local, state, and federal government.
That’s what makes the recent White House Executive Order on Improving the Nation’s Cybersecurity, the follow-on National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, and the Infrastructure Investment and Jobs Act (still to be passed by the House of Representatives) so important.
“All of this has been helpful. The EO and memorandum provide direction to both public sector agencies and key critical infrastructure sectors, while the infrastructure bill provides funding specifically to improve the cybersecurity posture across both the public and private sectors,” said Mary Yang, chief marketing officer at LookingGlass. “Though the cyberattacks earlier this year have been bad, they have led to a focus on critical infrastructure, and that spotlight has highlighted the need for additional funding and resourcing. With the infrastructure bill, there’s a billion dollars for state and local governments to improve their cybersecurity and that could include the critical infrastructure within their purview. When you look at cybersecurity for critical infrastructure like waste and water treatment, so much of that happens at the local level.”
The idea is to give more of these smaller organizations that fall beneath the critical infrastructure umbrella the ability to improve their cybersecurity, in order to avoid things like the recent Oldsmar water treatment plant hack in Florida. The plant didn’t have its own internet domain, but it did have remote access and monitoring services implemented.
“I would not want to say that every critical infrastructure sector should close down the ability to remotely access a facility’s systems. Across the utilities space, there’s a reason for that access,” Yang said. “Cybersecurity needs to be flexible enough to support operations, so if you’re a critical infrastructure organization that needs to be able to remotely access a system or network, then you should understand the risks associated with that. Though the water treatment plant in Oldsmar didn’t have its own internet domain, which may have given them some assurance that they couldn’t be “seen” by an adversary on the internet, they opened up remote access and enabled online payments. That all contributes to a growing attack surface. So your organization should implement stronger compensating security controls to reduce the risk.”
And with the pandemic, these kinds of setups and services are becoming more common. As more employees work from home, the attack surface for these organizations is expanding. Coupled with a strong focus on IT modernization, many smaller organizations simply may not realize the risk they’re accepting.
Multifactor authentication is one of the security controls that critical infrastructure organizations can implement to improve their cybersecurity posture. Another would be continuously monitoring the attack surface for vulnerabilities. Tools exist to do this non-invasively to help proactively identify vulnerabilities an attacker could potentially exploit.
“An adversary’s view of your organization’s digital footprint is important but gaining insight into the attack surface of your supply chain and the collective cyber risk from the critical infrastructure sector you belong to can give you greater situational awareness,” Yang said. “It can also provide context for boards or federal agencies in terms of presenting your organization’s cyber risk posture as compared with the sector’s overall cyber risk – think of it as a kind of benchmarking. President Biden’s critical infrastructure memo specifically calls out the need to have baseline cybersecurity goals, and though this is important, we think driving towards what a baseline looks like in comparison with a set of peers is going to provide greater insight and context, which will be helpful as we work to improve cybersecurity for critical infrastructure sectors.”