For decades, security experts have been warning that critical infrastructure in the United States is at risk of cyber attacks. Yet despite the seemingly endless conversations, constant debates, and escalating concerns, modernization is slow and protection work still lags.
So when the Colonial Pipeline breach occurred, it was both predictable and frightening. Beginning on May 7, the ransomware attack shut down the pipeline for six days, which led to soaring oil prices and shortages in certain areas. But the next attack may be more destructive: the entire country could lose electricity or the Internet, water filtration systems could go offline, or natural gas deliveries could be interrupted in winter. Any of these could be life-threatening.
At the core of the problem is aging operational infrastructure and industrial control systems that were never built with the security demands of the digital age in mind. As organizations layer connected IT systems and Internet of Things (IoT) devices on top of them, the situation has become a nightmare. In many cases, these pipelines and facilities present hundreds or even thousands of potential entry points for attackers.
Compounding the pain: approximately 85% of the infrastructure in the United States is operated by private companies, and there are virtually no cyber security regulations governing it.
Joe Nocera, head of the PwC Cyber & Privacy Innovation Institute, said: “Many of the systems used are not designed for an era that links operations and IT technology.”
Risks come true
The threat to critical infrastructure is huge, and the problem is getting worse. According to data from IBM Security X-Force, attacks on the energy industry have doubled in the past year. Part of the problem is that many operating systems and industrial controls are more than 25 years old. The irony is that as long as they are not connected to IT systems, they are actually very secure.
These systems are designed for ultra-high availability, and they are extremely expensive and complex to update or swap out.
Mark Carrigan, chief operating officer of the Hexagon PPM division, said: “It may cost billions of dollars to completely replace the obsolete operating infrastructure with modern equipment.”
Taking these industrial and operational controls offline, even for a short period of time, can cause huge problems. As a result, many infrastructure companies are in no hurry to adopt more modern systems.
“You cannot easily transfer from one system to another. You must carefully check the configuration of the control system and completely redesign the equipment,” Carrigan added.
This equipment spans everything from valves and flow control to sensors and connected business systems. In the Colonial Pipeline breach, for example, the attacker reportedly entered the company through the billing system, and the company shut down operations because it was unable to bill customers.
Indeed, “business and operational connections are now highly interconnected,” said Tim Erlin, vice president of products at Tripwire, a company that provides threat detection and asset visibility systems.
As a result, he said, there may be many vulnerabilities and weaknesses, even if many of these components are not directly connected to the Internet. For example, hundreds of devices and sensors may be installed per mile of pipeline, and an attacker only needs to find one device that is easy to worm into in order to enter the network. Alternatively, they may find an entry point through phishing or by using compromised employee credentials.
Erlin said: “This is more complicated than the old industrial system. The real problem is that these mixed environments of old and new systems increase risk.”
Although these environments are very complex, the notion that critical infrastructure cannot be protected is somewhere between misleading and false. Nocera pointed out that other industries, such as banking, have found ways to connect old operating technologies (such as ATMs) to IT equipment while maintaining a high degree of flexibility.
He said: “In terms of integration and protection technology, banks are usually 15 years ahead of these infrastructure companies.”
The starting point for improving security within critical infrastructure is to recognize that building a stronger fortress does not necessarily keep cyber attackers out, Carrigan said. Threat intelligence, next-generation firewalls, and more advanced asset discovery, configuration and management tools are all useful, but they cannot stop people from clicking bad links or prevent IoT manufacturers from introducing new entry points.
Similarly, malware detection software can block known ransomware families, but it cannot guarantee that a new, previously unseen ransomware implant will not succeed in encrypting files. Even an air-gapped system is no guarantee, because data sometimes has to be moved from one system to another, and malware can sneak in along with it.
A strong zero-trust, multi-layered defense, including ubiquitous multi-factor authentication (MFA), is essential. However, it is also necessary to assume that an attacker will get into the system, Carrigan said.
Therefore, companies must also do a better job of network segmentation and set configuration restore points, especially on operational systems. In addition, it is crucial to have reliable backups residing on multiple interconnected systems, along with contingency plans for how to respond to an attack.
Help from legislators
Security experts say that action is also needed on the political front. Congress could play a role in establishing basic cybersecurity regulations and could provide tax incentives for critical infrastructure companies to upgrade their systems and meet a desired level of security. They said that the executive order issued by President Biden on May 12, which requires government agencies to use multi-factor authentication and adopt a zero-trust model, is a beginning.
It could set the tone for the private sector. However, neither Biden’s $2 trillion infrastructure proposal nor the Republican counterproposal contains language specifically targeting cyber attacks.
In the end, there are no simple answers or easy solutions. Even the most advanced industrial controls, which push operational reliability and efficiency close to 100%, still carry potential security risks. Ironically, Carrigan said, the systems may ultimately need to be reconsidered, with the most critical ones relying on electrical and pneumatic controls.
Carrigan said: “We have seen some companies use non-connected electrical systems as the last line of defense. If something goes wrong, it can be controlled with a wrench and screwdriver.”
Samuel Greengard writes about business, technology and cybersecurity for numerous magazines and websites. He is the author of the books “The Internet of Things” and “Virtual Reality” (MIT Press).