After cybercriminals hacked the U.S.’s largest gas pipeline, shutting it down for days and putting energy markets and consumers on edge, one thing was certain: The nation’s critical infrastructure—and the technologies that secure it and make it run—is dangerously broken.
The ransomware attack on Colonial Pipeline, which forced the company to shut down its 5,500 miles of pipeline for several days, triggered a spike in gas prices, led 17 states to declare a state of emergency, and prompted panic-buying of gas across the Southeast.
President Biden recently issued a much-anticipated executive order to strengthen the federal government’s cybersecurity defenses. It included new security standards for federal software vendors and the creation of a federal cyber-incident review board.
The Colonial Pipeline attack is just the latest to target U.S. utilities, hospitals, and local and federal government. The problem, says Matthew Masterson, a policy fellow with the Stanford Internet Observatory and former senior adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), is that these entities are easy targets.
“The systems and software that support our nation’s critical infrastructure need an upgrade in many places,” says Masterson. His advice: “Whether it’s business systems at the state and federal level, servers at small businesses that support law enforcement, or software supporting hospitals, now is the time to invest.”
IT security experts see these gaps in digital infrastructure as widening. That leaves more room for cybercriminals to enter these critical systems, exfiltrate or change information, and hijack or lock down operations. More than a disruption of daily life, these breaches can have serious and even life-and-death consequences.
Consider these recent attacks. In April, hackers hit the Washington, D.C., Police Department with a ransomware attack, threatening to release the identities of undercover informants. In February, hackers struck a Florida water-treatment plant and tried to poison the water supply. Over the past two years, hackers have hit at least eight cities, including Atlanta, Baltimore, and New Orleans, locking down services and facilities and costing millions of dollars to fix.
“The broad and destructive deployment of ransomware across state, county, and city has served as a wake-up call to invest in cybersecurity infrastructure,” Masterson says, noting that many communities lack the resources for digital upgrades or have kicked the ball down the road in favor of other spending projects.
Cybercriminals, on the other hand, are following the ball and moving downstream to hit infrastructure in small towns. And they know an easy victim when they find one. Hackers will hit these places “multiple times, knowing they will likely get paid over and over again,” says Masterson. Fortunately, there are steps CIOs can take today to prevent or lessen tomorrow’s attacks.
Fix the skills gap
Digital technologies have bestowed many benefits on the nation’s infrastructure. Software has increased the reliability of energy delivery through automated load balancing. Artificial intelligence has enhanced the performance of hydroelectric dams. Automation has increased productivity and let critical workers, from healthcare to manufacturing, focus on higher-level tasks that increase employee job satisfaction and boost business outcomes.
But digitization comes with a price. Jim McKenney, technical director at IT security advisory firm NCC Group, says that as automation increases, the workers needed to manage large, complex, and mission-critical systems get left behind. “The knowledge and skills needed to perform basic tasks, such as troubleshooting or maintaining infrastructure regardless of technology, are being eliminated by the promise of digital transformation,” says McKenney.
It’s no secret the U.S. is hobbled by a cybersecurity skills gap that will see 500,000 tech jobs go unfilled this year, says the Aspen Institute. While recruiting for these jobs is robust at four-year colleges, more mature security-first organizations are looking beyond and tapping “new collar” workers who possess foundational skills and training them as future cybertalent.
Many are also looking to diversify their ranks, turning to groups like Black Girls Code, The Diana Initiative, and the Executive Women’s Forum to identify and nurture a diverse group of skilled workers. Some are looking at the other end of the corporate ladder and hiring older workers who have cycled out of their professions and can be reskilled. Investing in apprenticeships and mentoring programs can bring those less typical workers quickly up to speed.
Whenever bad stuff happens, there’s a saying: Follow the money. With cyberattacks, it should be: Follow the lack of money. Too often, IT and security projects take a back seat to other initiatives that everyone can see and agree on. “Funding is always an issue,” says attorney Michael Bahar, former deputy legal adviser to the National Security Council at the White House and co-leader of the global cybersecurity and data privacy practice for Eversheds Sutherland.
Many CIOs and CISOs are coming off a year of unprecedented wins in providing for and securing remote workforces. But many also face reduced budgets, especially in government and infrastructure agencies. To pull ahead of bad actors, organizations must find ways to invest in the initiatives and technologies that will safeguard their digital infrastructure. Chief among those projects: sinking dollars into managing assets across hybrid public-and-private cloud platforms.
Infrastructure on the whole suffers from a lack of visibility, and navigating multiple cloud platforms complicates an already hazy picture: Organizations can’t protect what they can’t see. They can gain clarity with endpoint detection and response platforms as well as monitoring capabilities.
However, says Bahar, cybersecurity need not always be expensive or require a new line item. Enterprises that manage critical infrastructure—whether energy, healthcare, banking, or water—must spend time conducting their own risk and vulnerability assessments. That includes assessing the vendors they use as well as engaging in meaningful cyberthreat information sharing.
“Oftentimes,” he adds, “the solution to high-tech problems is very low-tech.” As an example, Bahar notes how hackers have been known to target the lights in energy control rooms to disrupt operations. The inexpensive solution: battery-operated flashlights so control room workers are not (literally and figuratively) in the dark.
Practice good IT hygiene
Research shows that a lack of cyberhygiene leaves 90% of businesses vulnerable to hacks. By establishing digital hygiene practices, like moving off outdated systems and regularly patching software, infrastructure operators can lower their risk of breach.
Other essentials include creating strong user passwords, using multifactor authentication, and adopting a zero-trust model, where every device must verify its authenticity each time it tries to connect to your network.
It’s also crucial to gain visibility and control over your network, which includes the thousands of devices and endpoints—from PCs to virtual machines in the cloud—that connect to your system. Masterson recommends accurate performance monitoring and configuration management of all endpoints. He also suggests “ensuring network segmentation and investing in response capability.” He’s seen the failure to do these things up close. When his CISA teams provided penetration testing to state and local entities, he says, “these were the types of challenges we were seeing exploited.”
Invest in relationships, not just technology
The U.S. digital infrastructure consists of some of the most cutting-edge technologies in the world. Unfortunately, says cyber attorney Bahar, they are “vulnerable and the implications monumental.”
For that reason, he and others believe CIOs in the public and private sectors must work together, something President Biden’s executive order on cybersecurity aims to achieve, to help identify software vulnerabilities early and as quickly as possible. Only in that way can they help ward off the kind of disruption to vital systems like the Colonial Pipeline.
“Joint efforts between civilian organizations, government agencies, and the cybersecurity industry are needed,” says Om Moolchandani, CISO and head of research at cloud-security company Accurics. Only by achieving that, he says, can we avoid breaches to energy grids, schools, water-treatment facilities, and other critical infrastructure.