Critical infrastructure protection more vital than ever, though organizations still lack an understanding of its importance


Interconnected critical infrastructure networks crisscross national borders and global supply chains, growing ever more complex as they turn into distributed, large-scale cyber-physical systems. Cyber-physical attacks are increasing in number, scope, and sophistication, which makes their total impact hard to predict and critical infrastructure protection more vital than ever. The evolving threat landscape, geopolitical implications, and recent cyber attacks remind stakeholders that critical infrastructure protection is more imperative than ever, yet many organizations still do not realize its significance and thus remain unprepared to tackle cyber risks.

Securing the nation’s most essential services is a challenge that demands ongoing collaboration and coordination across relevant government departments and the public and private sectors, relevant training, and shared knowledge, in addition to the adoption of advanced critical infrastructure protection technologies and procedures.

Critical infrastructure protection works towards protecting the infrastructure of organizations in critical industries and safeguarding these critical environments from cyber threats, natural disasters, and terrorist threats. These installations must use a robust framework that can anticipate and mitigate disaster across their entire critical infrastructure environment. Critical infrastructure protection also strives to help organizations prepare for and respond to serious incidents involving critical infrastructure environments while securing their environments from growing threats and attacks.

While it has been largely accepted that incidents in critical infrastructure environments are inevitable, the potential damage and fallout can be lessened through rapid detection, while also building appropriate response and recovery capabilities. Additionally, regulatory measures continue to evolve in response to the heightened threats posed to critical infrastructure companies. 

Industrial Cyber reached out to industry experts across the critical infrastructure sectors to throw light on the typical elements that contribute to critical infrastructure protection to deliver a multi-faceted approach that secures both the physical and virtual infrastructure systems in the prevailing threat landscape. They also provide detail on how organizations have adjusted their critical infrastructure protection plan when dealing with rising threats and attacks.

“Let me begin by saying that I think a commitment to security should come from the top of the organization – directly from the Board and C-Suite – and distilled throughout. Security teams should have support from the organization’s leadership,” Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center (Health-ISAC), told Industrial Cyber. 

Denise Anderson, president and CEO of the Health-ISAC

Anderson pointed to basic elements such as knowing the organization, understanding the threats and their impacts, staying very aware of the threats, implementing basic cyber and physical hygiene, developing plans for every potential hazard, and then communicating the plans and exercising them regularly. In addition, building relationships and sharing information are also valuable in protecting critical infrastructure.

“Knowing the organization includes knowing and documenting all assets, both cyber and physical, within the enterprise and tracking and protecting against vulnerabilities,” Anderson said. “This is not easy to do when there are tens of thousands of devices being used, some of which can be ‘Shadow IT.’ Teams should also know what ‘normal’ looks like. For example, teams need to understand what the normal website traffic patterns are so that anomalies can be quickly detected and addressed.”

She also pointed out that understanding threats and their impacts will help companies with their security posture once they understand what threat actors are targeting, their tactics, techniques, and procedures (TTPs), and how operations can be affected. Also key is being aware of what the threat actors are doing and their motivations.

“Implementing basic cyber and physical hygiene should be the foundation of any security program. When it comes to cyber, implementing practices, policies, and tools around multi-factor authentication; identity and access management; least privilege; DMARC; data loss, endpoint, and application protection; patching; firewalls; segmentation; and data back-up can go a long way in protecting an organization,” according to Anderson. “Developing incident response plans for every hazard is so important. Plans should involve all stakeholders for input and should look at basic things like who makes key decisions, who should be on the incident response team, and external and internal communications. The plans should be communicated, tested, and exercised regularly.”

Anderson also highlighted that building relationships should not be done as an incident unfolds. Security leaders should take the time to develop connections with law enforcement, applicable government agencies, suppliers, customers, and peers through organizations like Information Sharing and Analysis Centers (ISACs). “They should make sure to build vital internal relationships as well. I would be remiss to not mention information sharing. Incidents have proven time and time again that information sharing and collaboration work,” she added.

“In an ideal world critical infrastructure firms would be able to do all of these things, but in reality, not all companies do whether it’s due to lack of leadership awareness and/or support, resources and/or finances,” Anderson added. “Unfortunately, many organizations don’t do these things until an incident happens and millions of dollars, reputation, and other things are lost. When lives are affected, the stakes are even higher.”

Jennifer Lyn Walker, director of infrastructure cyber defense for WaterISAC

Jennifer Lyn Walker, director of infrastructure cyber defense for WaterISAC, told Industrial Cyber that if we had to break this down into some basic elements, they would include – knowing ‘your’ assets and which ones are most critical; knowing ‘your’ risks – particularly the ones that impact your most critical assets; performing a consequence/impact analysis; and prioritizing threat protection for the most high-impact consequences – which could/should involve Idaho National Lab’s (INL) consequence-driven, cyber-informed engineering (CCE) to engineer out as much of the risk as possible.

Walker added that it truly depends on the size of the organization, which is usually directly proportional to the availability of resources, and on whether the organization is currently, or will soon be, mandated to adjust or enhance its protections.

Addressing the energy sector, a U.S. Department of Energy (DOE) spokesperson told Industrial Cyber that standards for the bulk electric system developed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) focus on maintaining the reliability of the system from both natural and man-made hazards, which result in an operational contingency for system operators to address. 

“The suite of NERC standards, while segmented into different operational areas (Critical Infrastructure Protection, Transmission Planning, etc.), are designed to provide overlapping consideration of how hazards can impact system performance in the near-real time horizon and longer-term planning horizon,” the spokesperson added. “We also suggest engaging an electric utility subject to the NERC standards, which can provide ‘on the ground’ experience on implementation.”

Ayman Al Issa, senior expert at McKinsey & Co

“Organizations should establish both strategic and tactical plans to be agile in dealing with critical infrastructure protection,” Ayman Al Issa, senior expert at McKinsey & Company, told Industrial Cyber. “The OT/IoT/IIoT environments are complex in nature, but not so complex to protect. Prioritization is a keyword here. Start with what should be done first and then continue the protection nitty gritty journey.”

Al Issa suggests starting with the architecture and segmentation, and with protecting the industrial control system entry points from all types of networks and systems. This can be achieved by deploying security zones and controls such as firewalls that are well-configured, well-hardened, and securely managed and administered.

He also urges increased cyber visibility within the OT networks by deploying solutions that work on network traffic capturing and analysis. These two controls are quick wins and relatively feasible to be implemented around industrial control systems in different critical infrastructures. “Then start the long-term nitty gritty journey of protecting the internal control systems (e.g., network segmentations within the OT environment, secure access, secure remote access services, malware protection, etc.),” he added. 

Al Issa identified mistakes that organizations could fall into: trying to fix everything at once without a realistic prioritization plan, and underestimating the importance of configuring systems well and continuously reviewing those configurations. “If a firewall is not configured well, it will turn into a firepass and ruin the security efforts. Industry continues to see vulnerabilities in firewalls separating OT from IT, including design, configuration, operating system version or rules,” he added.

Al Issa therefore proposes that organizations start by implementing the controls that reduce the highest risks and can be implemented in a short time with low effort, and then move on to those that require long-term effort and carry dependencies.

Jeffrey Macre, industrial security solutions architect at Darktrace

“Because critical infrastructure systems are often located in remote areas (electrical substations, water lift/pumping stations, etc.), protecting both cyber and physical access is critical. I believe, if you can touch a device, you can hack it,” Jeffrey Macre, industrial security solutions architect at cybersecurity AI firm Darktrace, told Industrial Cyber. “Hackers can take various actions to manipulate a device or its cyber security simply by opening it up. Essentially, if you can touch the device, you can disrupt it with even the most unsophisticated approach. For example, merely disconnecting the device or even hitting it with a hammer can render it non-functional,” he added.

Macre pointed out that recent physical attacks on electrical substations in North Carolina and Washington state have shown the drastic impact these attacks can have. “In cases like these, thousands of people lose power for days as equipment replacement may be held up, and backups are not always available – resulting in more complicated and delayed restoration efforts. When we think of critical infrastructure protection, we must factor both physical and cyber into our overall approach to ensure the continued operation of these vital systems,” he added.

Rising geopolitical tensions, deployment of ‘reusable cross-industry capability’ in ICS environments, and a spike in state-sponsored cyber-attacks have led to increased vulnerability across critical infrastructure environments. The experts analyze these factors’ effects on existing critical infrastructure protection plans across the various sectors. They also address how organizations can deliver critical infrastructure protection while enhancing the security and resilience of these environments.

“I think there are four main reasons we have seen an increase in attacks – both nation-state and criminal – in the ICS environment,” Anderson said. “First, manufacturing systems are run on hardware and software that are not easily replaced and therefore may no longer be supported, and hence, are vulnerable. If patches do exist, it is hard to take manufacturing processes, which often run 24/7, down. Fixes may also ‘break’ the systems when they start back up. Threat actors know and take advantage of this and search for and exploit known vulnerabilities.”

Anderson added that manufacturing and business systems are often run by separate teams who may or may not collaborate. Often the business systems are connected to the internet, and they can be the gateway to get to the ICS systems.

“Third, criminals have recognized that because manufacturing processes cannot be stopped, exploiting them for a ransom is extremely lucrative,” according to Anderson. “Fourth, nation-state actors, who are often in bed with the criminals, have keyed into political rhetoric around how vital critical infrastructure is and therefore, threaten to disrupt critical infrastructure organizations to gain leverage.”

Anderson added that in order to protect critical infrastructure from these threat actors, owners and operators need to reduce the threat surface – patch vulnerabilities, instill basic hygiene practices, etc. “However, they also need to be very mindful of what is going on in the geopolitical space. They should always be looking at what is going on and how it could impact them.”

Detailing a recent example of this in the healthcare sector, Anderson said that on Jan. 25 this year, “when the United States and Germany and other countries announced they were going to send tanks to Ukraine, I guarantee you that no hospital ever thought that announcement would have an impact on their organization. But, on January 28th, when a Russian hacktivist group threatened to ‘demolish the networks of medical institutions in the US and Europe’ in retaliation, we saw Distributed Denial of Service (DDoS) attacks on hospital websites in several countries. I know of one organization that wasn’t aware of the DDoS threat and thought it had an issue with its firewall,” she added.

The hospital’s team spent days trying to troubleshoot the ‘problem,’ Anderson said. “When Health-ISAC provided them with information (they were not a member), the hospital was able to immediately address the situation. Our members, of course, were aware of what was going on and were sharing mitigation strategies as well as TTPs and other information. Health-ISAC also shared information with other critical infrastructure sector ISACs. This is the true value of belonging to a community like an ISAC, having situational awareness, ground truth, and learning from others,” she added.

Walker believes there are asset owners that have been securing their systems all along and are already in a defensible position against the changing landscape. “They likely don’t have much more to do beyond a sanity check/penetration test to verify/validate that they satisfy the recommended protections and observed adversary behaviors. Don’t get me wrong, there is always work to do – like thinking like the adversary and thinking of worst-case scenarios.” 

“But I don’t think any immediate overhauls or additional major investments are needed in those instances – they may already have all the shiny things they need and just need to tweak/tune them,” she added. 

Walker highlighted that asset owners who may not have been following along and keeping their protections current, still may not have to buy the next shiny thing and may find that addressing the basics/fundamentals will go a long way toward bolstering their defenses. 

“That said, with the exception of the ‘reusable cross-industry capability’ weaponizing existing functionality in ICS environments, most of the threat actors/groups are using the same tactics and techniques because the same tactics keep working (think social engineering and technical vulnerability exploitation),” Walker pointed out. “So, if asset owners focus on protecting their critical assets (and people) against those common behaviors, they should be in a good defensible position. But it is still vital to pay attention to the reports for those actors/groups that may truly demonstrate new and/or sophisticated tradecraft.”

The DOE spokesperson said that the agency’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) works closely with electric industry owners and operators to provide the latest threat insights and mitigation approaches from across the inter-agency and U.S. intelligence community to best inform changes in operational procedures to mitigate and/or remediate potential impacts to assets, systems, and networks. 

Macre said that seeing these advancements in malware development targeted at ICS environments is concerning and is a primary reason the OT community needs to leverage more emerging technology to help defend against the constant evolution of the threat landscape. “New technologies like artificial intelligence and anomaly detection are far more beneficial for cybersecurity teams than older behavioral or heuristic-based detection. Leveraging new anomaly-based detection technologies can drastically improve the ability to detect and respond to evolving threats that we are facing in ICS environments,” he added.

Al Issa said that Dragos’ recent ICS/OT cybersecurity report (2022 Review) has shown an 87 percent increase in ransomware incidents, with 72 percent of the incidents in Europe and North America (40 percent in North America (NA), 32 percent in Europe, and 28 percent in the other continents). “The sectors affected included manufacturing, food & beverage, energy, oil & gas, etc. The percentages of affected sectors vary, which could be due to the different cyber maturities across the sectors,” he added.

He also called upon organizations to focus on protecting the main gates first and then proceed with protecting the OT networks/systems from within. “However, there is no bulletproof cybersecurity and organizations should be prepared to respond to attacks with a well-orchestrated cyber resilience and incident response plan that is built from the eyes of the ‘continuity of operations’ in industrial plants. This should include developing specific cybersecurity IR playbooks for each plant, complemented with test scenarios, wargaming, plant staff training on cybersecurity, IR communication plan, etc.,” Al Issa added.

Last December, GAO identified the actions needed to better secure Internet-connected devices across the three sectors of energy, healthcare and public health, and transportation systems. The experts evaluated the capability of asset owners and operators to bring about critical infrastructure protection across their environments while fending off adversarial threats and attacks.

Anderson outlined that in healthcare, while there is manufacturing, one unique feature concerns medical devices, which are classified as IoT. “This is a very complex space that is not easily secured for a variety of reasons. Healthcare Delivery Organizations (HDOs) can have tens of thousands – if not hundreds of thousands – of medical devices in their environment interfacing with myriad Medical Device Manufacturers (MDMs) with different levels of security. Often these devices are secured or overseen by disparate teams with separate reporting structures,” she added.

“I’m proud to say that Health-ISAC and our sister organization the Cyber Security Working Group of the Health Sector Coordinating Council (SCC), have made great strides in collaboration with the FDA, which regulates the MDMs,” according to Anderson. 

She underlines that like with ICS, “medical devices are expensive to replace – think an MRI machine – and are difficult to patch for several reasons including being in operation 24/7. There are many legacy devices in use that are no longer supported. There has also been contentious finger-pointing around whether HDOs or MDMs are responsible for keeping the devices safe. FDA has published several guidances, as well as Health-ISAC and the Health SCC. In fact, the SCC just published a guide on legacy device management.”

Anderson pointed to another area that “we have worked hard on is in the realm of coordinated disclosure around vulnerabilities as they arise. The Health-ISAC has been involved with many coordinated disclosures as well as pre-public disclosures of vulnerabilities. We have acted as a one-stop-shop where HDOs can go to find out information when a vulnerability like Log4j becomes public. Owners and operators should also be cognizant of what roles other ICS – like HVAC or camera systems – play in making a company vulnerable to attack,” she added.

Walker assesses that capability and defensibility typically depend on the size of the organization, which is usually directly proportional to the availability of resources, and on whether the organization is currently mandated to secure its systems.

The DOE spokesperson said that the department is working aggressively to implement the Bipartisan Infrastructure Law (BIL) statutory provisions, “which are intended to support and enhance existing cybersecurity protections across the energy sector. Examples of provisions in the BIL that will contribute to greater capabilities of owners and operators to protect their systems are those that emphasize enhancing the cybersecurity maturity of small Rural and Municipal Cooperatives, as well as provisions focused on developing a pipeline of students and staff from which utilities can recruit to achieve tomorrow’s energy security objectives.”

“While owners and operators of critical infrastructures could be mindful to protect their internet-connected devices by protecting the surroundings of the control system and increasing visibility, they usually are tied up with support contracts by automation vendors that will prevent them from proceeding with their plans without the approval and certification of security solutions by the automation vendors,” Al Issa said. “However, the good part of the story is that the majority of automation vendors started to provide certified security solutions and even monitoring capabilities that make the journey of protection easier.”

Al Issa added that the complications happen when there is a variety of industrial systems from different automation vendors in the same plant with each offering different solutions to the owners and operators. “This situation emphasizes the importance of automation vendors coordinating and collaborating on providing common multiple cybersecurity solutions that make it easier for the owners and operators to implement and manage.”

Macre said that in some cases, capabilities can be limited as the demand for skilled cybersecurity workers increases amid a shortage of those professionals. “However, the good news is that we have never had so much access to and availability of resources for education, guidance, and training from great organizations like CISA, NIST, etc,” he highlighted.

The experts also looked into the role played by risk assessment and risk management in delivering critical infrastructure protection across these sectors. They further examined the capability of these organizations to deliver visibility and threat detection across their environments.

“I would argue that Enterprise Risk Management (ERM) is the most important thing an organization can do to protect itself,” Anderson said. “It should look across the enterprise to determine what the ‘crown jewels’ are. What is it that the company does? Then it should determine what is absolutely essential to produce those crown jewels and for what period of time. It should build its security plan out from there. It also includes determining a certain level of acceptable risk. It is important to note that cyber is just one component of enterprise risk.”

Anderson said that, unfortunately, she does not think many organizations employ ERM. “It takes a very mature organization with very mature leadership to develop and support an ERM program.”

“Risk assessment and risk management play a vital role in critical infrastructure protection. If organizations don’t assess and manage risk, they have no idea how to prioritize defense and resources,” Walker said. 

When it comes to less capable organizations, Walker wishes to encourage/challenge the cyber mature organizations to reach out and take them under their wings. “In my presentations, I typically borrow the State Farm Insurance tagline, ‘be a good neighbor.’ Essentially, be a mentor and help them increase their cyber defenses. This isn’t corporate America, this is THE critical infrastructure of the United States. We aren’t competitors, we are compatriots, and (pardon the cliché) we are stronger together,” she added.

The DOE spokesperson said that risk assessment and management of identified risks are critical components of a rigorous and comprehensive risk analysis program effort, both within the sector and across the critical infrastructure community.

“Within the electric power sector, a comprehensive program of effort will often assess not only the threats and hazards of the company or facility under examination but also assess how performance issues with vendors or key input providers can affect operational performance of the asset or facility through a thorough examination of dependencies and interdependencies,” the spokesperson added. “A comprehensive program of effort does not end with assessment, but instead is a continuous cycle of management of prioritized risks to limit or mitigate their potential impact to the company or facility.”

Furthermore, the DOE spokesperson said that “the Department supports the industry by developing tools, methods, and technologies to assist and improve risk assessment activities by owners and operators, with an example program being the Cybersecurity Capability Maturity Model (C2M2). C2M2 is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on information technology (IT) and operations technology (OT) assets and environments.”

“Risk management and risk assessments are important to understand how well the plants are secured, what are the gaps and what should be done. However, risk assessments should cover the organization’s OT cybersecurity strategy maturity and each plant’s cybersecurity maturity,” Al Issa pointed out. “The difference between the two is that the former focuses on the organization’s cyber security capabilities maturity while the latter focuses on the plant’s control system’s cybersecurity maturity. Conducting risk assessments in the plants should not stop at reviewing the documentation and architecture, but should include site visits and a full review of the security controls and configurations of systems in the industrial plants.”

It is important to engage assessment experts who understand which security controls fit OT/IoT/IIoT environments and which fit IT environments, according to Al Issa. “Here it is important to mention that the term ‘convergence between IT and OT networks’ is misunderstood as connecting the two environments as one. The two environments have different characteristics that prevent them from being fully integrated without security controls/conduits in between that take care of protecting the industrial critical infrastructure even from the IT networks and systems.”

“The realistic answer is that the deployment of threat detection capabilities within OT environments is one of the most feasible tasks. Network traffic capture and analysis solutions are very common in the market and also mature. The way they work is simply by configuring the plant switches’ port mirroring features. What if I have an old switch? Simply ask the automation vendor to replace it,” Al Issa said. “This task is much easier than installing an antivirus version in an engineering workstation that is not certified by the automation vendor,” he added.

“Understanding your risks is critical, but knowing how much risk your organization can accept is the real goal. There is no way to eliminate risk completely, so risk assessments remain vital to this process. However, I believe we have a problem in the industry because we focus too much on assessments,” Macre said. “Not all organizations have extensive cybersecurity budgets, and dollars spent on assessments means fewer resources to implement necessary solutions to mitigate these risks.”

He added that in many cases, organizations would benefit more by deploying tools that can help identify assets, detect anomalous activity within their network, and ultimately assist with responding and stopping these anomalous network actions. “A tool like this can provide visibility into their environment that can have a much greater value than a high-level assessment,” Macre concluded.
