Critical infrastructure cyber risk is extremely high.
Why is critical infrastructure the least understood yet biggest problem facing cybersecurity and national defense officials? Critical infrastructure is the backbone of our modern society. It provides electricity, water, transportation, and communication to people all over the world. But what is critical infrastructure? Critical infrastructure is a subset of national infrastructure which is essential for life, health and economic prosperity. For example, a power substation may be considered critical infrastructure because it converts power from one source to another.
Critical infrastructure can be broadly classified into three categories:
- A. Critical Infrastructures (cities, utilities, water)
- B. Cyber critical infrastructures (digital networks, communications systems)
- C. Physical Critical Infrastructure (water supply and sanitation facilities)
These are generally owned and managed by the public sector through public private partnerships where a company might manage or even own an asset, while the government will regulate it and control it.
The U.S. Department of Homeland Security has identified these sectors that make up the critical infrastructure set:
- Dams and Waterways
- Emergency Services
- Food and Agriculture
- Government Facilities and Services
- Information Technology (IT) Systems and Services
- Critical manufacturing industries
- Government facilities
- Healthcare facilities (including hospitals)
- Homeland security
The term was first used in a report by the President’s Commission on Critical Infrastructure Protection in 1997. The commission defined critical infrastructure as “those assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.” In the executive order, the president directs all federal departments and agencies to identify critical infrastructure.
Critical infrastructure is the backbone of our society. Without it, we would not have electricity, water, transportation, or communication. It is also a major target for cyberattacks and threats to national security. So, who should be responsible for protecting this vital infrastructure? The United States Department of Homeland Security is in charge at the federal level. In addition, state and local governments have their own cybersecurity efforts.
Many people don’t know that critical infrastructure includes almost every aspect of life in modern society. This includes power plants, banks, air traffic control systems, hospitals and emergency response centers. You can find it everywhere – from your local library to your home or office. computer to the grocery store. It’s also worth noting that critical infrastructure includes a wide range of “public” as well as “private” systems, so it is important not just to identify vulnerabilities in computer systems, but also in our buildings and transportation infrastructure.
Cyberattacks on critical infrastructure are becoming more common and more sophisticated every day. Some of these attacks include gaining access to the system by infecting computers with malware and using phishing emails that look like they are coming from someone in the company.
In the United States as well as other countries, some of these attacks have included shutting down parts of the power grid and oil-refining plants. Hospitals, airports, schools, and water utilities have all been hit in recent months. Part of that may be attributed to the ongoing war by Russia against Ukraine. But a lot of it is an ongoing 24 hour attack cycle. This ongoing 24 hour attack cycle is quite familiar cyber and intelligence operators, and seen in SOCs around the world. But most people who are not cybersecurity experts do not realize how prevalent this state of cyberwar/informationwar is.
There is a move towards forcing notification requirements for critical infrastructure organizations so that they can protect their networks from cyberattacks. Some are already fully compliant, while others may take months or years to be able to accurately report. In the future, there are likely to be more cyberattacks that shut down parts of critical infrastructure and cause physical damage.
Cyberattacks on Critical Infrastructure organizations are becoming more common. There is a always group of people who are interested in hacking and breaking into systems. More and more often it is a hostile foreign nation state or a private company acting on their behalf. If there is a way to make hacking harder, this will decrease the chance of them getting what they want.
While there is no simple, foolproof way to tell if an attack on the infrastructure has been detected, the FBI said it is planning to release public guidelines that will help companies determine whether they should notify the FBI. The FBI also said that it would be willing to share information with other law enforcement agencies, so they can share the information with their partners and informants. The FBI noted that there may not always be a threat to life, citing past examples when attacks on infrastructure have led to no injury or death. Sometimes signal of trouble it is actually the up arrow pointing down or vice versa.
There are many definitions of critical infrastructure, but the U.S. Department of Homeland Security defines it as “systems and assets so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”
Critical infrastructure is not just limited to physical structures like power plants and water treatment facilities. It also includes digital systems that are operated by companies or governments. These systems can be anything from an airport’s flight control system to a city’s electrical grid. .The importance of a digital infrastructure on society cannot be underestimated.
Even if an infrastructure is not classified as “critical”, cyberattacks on these systems can cause disruptions for millions of people. In recent years, security has become a top priority for governments and private businesses. There are many threats to critical infrastructures, such as hacking into a national power grid or stealing confidential information from an airport’s control systems. Governments and private companies have taken steps to mitigate these risks, but still have a long way to go.
For example, many governments now require companies to report any breaches within 60 days, in addition to taking other measures such as encryption. and scanning for malware.What are the risks of not reporting an external breach? By not reporting, organizations risk massive financial and reputational risk losses. For example, if an organization knows that it is likely to be breached in the next year and does nothing about it, that organization could lose tremendous amounts of money and reputation loss risk. Same goes for the organization that *knows* it was breached but does not report the breach to authorities or the public.
The previous lack of public investment in cybersecurity has led to an increase in cyberattacks on critical infrastructure systems. and the consequences of such attacks have severe economic, social and political effects. The Federal Government has taken recent steps in 2022 to change the landscape and increase the funding for programs. To this end, there are now grant programs for State and Local Governments for obtain funding to harden cyber resources.
One of the more common forms of attack on critical infrastructure is called a SCADA attack, which stands for Supervisory Control and Data Acquisition. SCADA and ICS, which stands for Industrial Control System, account for a large majority of cyber intrusions and breaches into critical infrastructure assets such as power plants and water treatment facilities. Cyber security specialists know that the vast majority of targeted SCADA attacks come from China and North Korea, with a large percent coming from China alone. Since industrial control system devices are often analog or outdated, they’re easier to infiltrate than systems used by large tech companies like Microsoft or Amazon.
That’s because these older systems don’t use strong authentication protocols such as two-factor authentication, or use strong encryption, making them easier to break into. Manufacturers are starting to take note of the potential security risks and are beginning to use encryption and authentication protocols, like two-factor authentication, or multi-factor authentication to keep control systems secure when in use, but it’s important that these newer systems are also secure during production and through the supply chain delivery.
Companies should also be sure their vendors have taken similar precautions with both the software and hardware running their networks. Remember the huge Target hack from a few years ago? That was due to a 3rd party vendor not having the same level of security as Target did, but still had access to the network. It’s also important to remember that any time your company moves a control system from one location to another, they should be securely wiping the old login information, as well as anything else that might contain sensitive information. Make sure your employees are trained up on network security. It’s not enough for companies to just have the proper security measures in place if the people who use them aren’t educated about how to make sure they’re being used securely.