Lessons from Critical Infrastructure Attack Vectors: The Need for Cyber Resilient Infrastructure

Antiquated infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our cell towers, pipelines, water treatment facilities and power grids remain continually exposed and vulnerable to exploitation.

It has been confirmed that the Colonial Pipeline breach was a result of poor password security, and we now know the company was taken offline as a result of early attempts to contain the ransomware impacting their corporate networks.

Colonial Pipeline paid approximately 75 bitcoin to Darkside (nearly $5 million), of which the U.S. Justice Department recovered roughly 64 bitcoin (nearly $2.3M) from a virtual wallet. Based on Darkside’s own statements and analyses of its past behavior, experts believe the purpose of the attack was to obtain money and that it wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. As the trend continues upward of organizations continuing to pay, ransomware will continue to grow, further fueling the ransomware pandemic.

This cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center, which is responsible for supplying several sites in the Western U.S., was considered a near miss. Fortunately, the risk was minimized.

Earlier this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.

Industrial IoT and the control systems embedded within are becoming more advanced, yet purpose-built security architecture still lags, exposing risks in automation and mean time to resolve for SecOps. Without a pervasive security architecture, there is extensive guesswork. For example, Colonial Pipeline has claimed a platform gap may have existed between a control system and the corporate network responsible for simplifying the billing process, causing concern the attack would spread to operational systems.

What can we do to bring about a hardening of U.S. infrastructure cybersecurity? Four immediate methods come to mind:

Incentivize cybersecurity investment. Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies that happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.

Actively promote that investment. Policy analysts who have studied this issue urge government, at whatever level, to ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, which were previously under less pressure than a public utility to account for compromises, should be invited in.

Make smarter ICSs more secure. IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. Unfortunately, they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery, and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.

Don’t forget to secure corporate networks, too. Just because the computer in the lobby of corporate HQ can’t crank up the sodium-hydroxide level in the drinking water doesn’t mean it’s not worthy of antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. With phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.

For the time being, major damages and fears of prolonged fuel shortages may be unfounded with the Colonial Pipeline attack, but we need to act deliberately now in order to avoid relying on the same luck in the future.