US critical infrastructure sector faces cyber threats surge in 2023, calls for urgent action, enhanced measures

Cybersecurity threats and attacks against the critical infrastructure sector increased in 2023, particularly in the healthcare and water sectors. Defenders have integrated artificial intelligence and machine learning technologies to improve threat detection and strengthen the resilience of these sectors. Technologies such as advanced encryption, machine learning algorithms for anomaly detection, and multi-factor authentication have hardened defenses against these evolving cyber threats.

The healthcare sector, in particular, has become a prime target for malicious actors seeking to exploit vulnerabilities in digital systems. Increasing reliance on interconnected technologies within the healthcare industry makes it susceptible to ransomware attacks, data breaches, and disruptions to medical services. Likewise, the water sector faces a rising tide of cyber threats, jeopardizing the integrity of water supply systems. These attacks can compromise the safety of drinking water and disrupt essential services. Hackers recently exploited a Unitronics programmable logic controller (PLC) used in the water and wastewater systems (WWS) sector.

The interconnected nature of these sectors underscores the need for robust cybersecurity measures. Governments and organizations must prioritize investment in advanced threat detection, incident response capabilities, and employee training to mitigate these evolving risks. As reliance on digital infrastructure deepens, safeguarding critical sectors becomes paramount to ensuring public health, safety, and the overall resilience of essential services.

The U.S. administration has been responsive to the escalating threat landscape and is working to improve cybersecurity posture and foster a more secure cyberspace. In March, the National Cybersecurity Strategy was published; it is structured around five pillars: defending critical infrastructure; disrupting and dismantling threat actors; shaping market forces to drive security and resilience; investing in a resilient future; and forging international partnerships to pursue shared goals.

In July, this was followed by a roadmap, the National Cybersecurity Strategy Implementation Plan (NCSIP), intended to ensure transparency and continued coordination in realizing the administration’s March National Cybersecurity Strategy. The plan details over 65 high-impact federal initiatives, from protecting American jobs by combating cybercrime to building a skilled cyber workforce equipped to excel in an increasingly digital economy.

The Biden-Harris administration unveiled in August the National Cyber Workforce and Education Strategy (NCWES) designed to tackle both immediate and long-term cyber workforce needs. The strategy’s primary goal is to address the hundreds of thousands of cyber job vacancies, ensuring that the nation is well-prepared for the digital economy and empowering Americans to actively participate in the digital ecosystem. The Office of the National Cyber Director (ONCD) is spearheading the coordination and implementation of this strategy, which is already in progress.

In November, the International Counter Ransomware Initiative (CRI) brought together 50 member countries for their third meeting in Washington. The main objective of this year’s gathering was to strengthen capabilities in disrupting attackers and their infrastructure, promote enhanced cybersecurity through information sharing, and take decisive action against ransomware actors.

In January 2023, six dedicated work streams were launched, including information-sharing, situational awareness, and cyber-crisis response; cybersecurity of critical infrastructure and incident reporting requirements; and cybersecurity of hardware and software. Feeding into the EU-US cyber dialogue is the EU-US cooperation on quantum computing under the EU-US Trade and Technology Council (TTC), which also enables cooperation in the area of digital identity.

The government is also focusing on strengthening its cybersecurity posture and building resilience. Last month, the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Emergency Management Agency (FEMA) announced a ‘Shields Ready’ campaign to encourage the critical infrastructure community to focus on strengthening resilience. The campaign complements CISA’s Shields Up campaign, launched last February, which encourages critical infrastructure stakeholders to take specific, time-sensitive actions that reduce risk in response to specific threat intelligence about cyberattacks, physical security threats, or natural disasters.

Industrial Cyber reached out to experts in the healthcare and water sectors to tackle the cybersecurity challenges specific to their industries. 

Cybersecurity Incidents in Healthcare Sector Surge in 2023, Prompting Action

Denise Anderson, president and CEO of the H-ISAC

Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center (Health-ISAC), analyzes the significant lessons learned from cybersecurity incidents in the healthcare and public health (HPH) sector in 2023, and their impact on discussions regarding regulatory frameworks. She also explores the response of asset owners and operators in this field to emerging technologies.

“2023 has been a record year for ransomware attacks with over 1,800 reported in the first six months of the year alone. That’s not even counting the aftermath of the CL0P ransomware gang and the MOVEit attack, which as of November 20th, claimed 650+ organizations as victims, most of which occurred after June,” Anderson told Industrial Cyber. 

According to the Health and Human Services (HHS) Office for Civil Rights (OCR), over four years from 2018 to 2022 there has been a 93 percent increase in large breaches with a 278 percent increase in large breaches as a result of ransomware. That’s just what is reported to them.

Anderson added that with these attacks, vulnerabilities and third-party connections led to most of the compromises. “Key takeaways are that organizations must be ever vigilant about their attack surface, stay on top of patching, and segment their networks. Monitoring third parties and connections to them is also a must.”

Another key takeaway Anderson highlighted was from the Killnet distributed denial of service (DDoS) attacks in January and February of this year to always be mindful of the geopolitical landscape. “Who would have thought an announcement that the US and EU were sending tanks to Ukraine would have resulted in attacks on hospitals in the EU and US? We’re seeing some similar activity with the situation in Israel. Cyber knows no borders and critical infrastructure is increasingly becoming the victim,” she added.

She also noted that a “good enterprise risk management program with a focus on resilience – know your assets, your risk appetite, protect assets based on risk and resilience, have situational awareness of threat actors, actor motivations and actor campaigns and then deploying a solid incident response plan – will help. Of course, information sharing plays a big role.”

Anderson evaluated the impact of current regulations on cybersecurity practices within the HPH sector, as well as their evolution in response to emerging threats. Additionally, she examined the measures taken by asset owners and operators in the HPH sector to enhance compliance.

“Regulation is always behind reality and in the case of cyber, where threats evolve quickly, regulation has been way behind. I’ve been saying ransomware and operational threats are a major concern in healthcare before the first public attack on a hospital in 2016,” Anderson said. 

Only within the last few years, after ransomware became rampant, has regulation come into play. In the case of ransomware and mandatory reporting, with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requirements from the Securities and Exchange Commission (SEC), and the Network and Information Security Directive (NIS2) in Europe, to name a few, it is becoming a burden rather than a help to many of the organizations that are victims.

“I personally think some of the proposed legislation and efforts will actually hinder cybersecurity. If you hire five people, four will be for compliance and one will be for security,” according to Anderson. “Time spent on reporting an incident will result in time taken away from responding to it. Not to mention the trend to come after Chief Information Security Officers (CISOs) personally. This will make CISOs think twice about taking a job where they are sorely needed. There is still a lot of work to be done and some of the regulation still needs to be worked out such as what defines an ‘incident’.”

Anderson added that certainly there has been a lot of work done by both the public and private sectors to provide tools, guidance, and frameworks to implement or enhance cybersecurity programs. 

“The Health Industry Cybersecurity Practices (HICP) published by our sister organization the Health Sector Coordinating Council Cyber Working Group (HSCC CWG) in conjunction with HHS, is a valuable guidance document for practitioners and this week HHS announced several initiatives they are taking to enhance cybersecurity for healthcare including publishing voluntary cybersecurity performance goals to help institutions plan and prioritize implementation of high impact cybersecurity practices,” according to Anderson. “They are going to seek incentives to encourage adoption and will explore ways to enforce action. This will have an impact on the sector and driving organizations to comply.”

The reality is, however, the world of healthcare is extremely complex and with the advent of artificial intelligence, it will become even more so, Anderson evaluated. “I think it’s safe to say that those of us in cybersecurity do not need to worry about job security.”

Looking ahead, Anderson analyzed the gaps or vulnerabilities that still exist in the cybersecurity landscape of the HPH sector, and strategies that are being considered to address them. She also addressed whether there are global collaborations or initiatives in place to address cybersecurity challenges collectively across this domain.

“As we’ve seen with the MOVEit attack, vulnerabilities are being exploited and are not going to go away,” Anderson said. “In the medical device arena, Health-ISAC just announced last month we are partnering with Cybeats to create the Health-ISAC Software Bill of Materials (SBOM) Studio, which will allow medical device manufacturers to upload and share SBOMs and will create a free central repository for healthcare delivery organizations to receive information.” 

She also added that the health sector has “led the charge in Responsible Disclosure and now SBOMs and the unique environment in Health-ISAC, where we bring manufacturers and delivery organizations together to collaborate and coordinate has contributed significantly to these efforts. Initially, the initiative will focus on medical devices, but it can and will be expanded to general Information Technology in the future.”

Anderson also pointed out that the HSCC CWG, along with the FDA and Health-ISAC, is working on creating guidance for delivery organizations on what to do when they learn of vulnerabilities in their environments. “These are just some of the efforts we are doing in this space,” she added.

As we approach 2024, Anderson explores the anticipated cybersecurity priorities and challenges for the HPH sector, and how asset owners and operators are preparing for them. 

“I think 2024 is going to bring more of the same as far as attacks, vulnerabilities, and third-party/supply chains are concerned. It is going to be compounded by new regulations coming into play and emerging technology such as artificial intelligence,” Anderson evaluated. “Putting into place an enterprise risk management program and basic cybersecurity practices will at a minimum, build a ‘moat’ around most organizations.” 

That said, she thinks “what’s needed most is the education of Boards and C-Suites around the need to adopt a mindset where the focus is on resilience and on investing in what is needed to be resilient. Too many times, CEOs wait until an organization is impacted to act and that is too late.”

Insights into Water Sector – Key Takeaways 

Jennifer Lyn Walker, director of infrastructure cyber defense for WaterISAC

Jennifer Lyn Walker, director of infrastructure cyber defense for WaterISAC, threw light on the key takeaways from the cybersecurity incidents in 2023 within the water sector, and how they have influenced discussions around regulatory frameworks. She also looks into the response to emerging technologies by asset owners and operators across the domain. 

“Key takeaways regarding cybersecurity incidents within the water and wastewater systems sector in 2023 indicate the continuous need for addressing the basics/fundamentals,” Walker told Industrial Cyber. “Whether it’s commodity threats such as business email compromise and ransomware, or incidents impacting OT, such as remotely exploiting a default password on a PLC – these incidents are a reminder that WWS utilities (regardless of size) are just as at risk from cyber threats as everyone.”

Addressing the recent cyberattack on the Municipal Water Authority of Aliquippa carried out by the Iranian-backed hacker group CyberAv3ngers, Walker said that it “reminds us that we aren’t necessarily targets for who/where we are, but for what we have (data and devices) and how accessible (insecure) it is.”

In her analysis of the impact of existing regulations on cybersecurity practices in the water sector, Walker explores how these practices have evolved in response to emerging threats. Additionally, she examines the measures that asset owners and operators in the water sector are adopting to ensure greater compliance.

“I think the initial EPA memo helped elevate the conversation and importance of cybersecurity for the WWS sector,” Walker said. “However, despite the withdrawal of the memo, some states are forging ahead with their own cybersecurity requirements.”

Looking ahead, Walker looks into the gaps or vulnerabilities that still exist in the cybersecurity landscape of the water sector, and the strategies being considered to address them. She also throws light on the global collaborations or initiatives in place to address cybersecurity challenges collectively across this domain.

Walker said that several new initiatives are being undertaken and piloted to help with cybersecurity and resilience in the WWS sector – including (but not limited to) CSC 2.0, Dragos OT-CERT, Cyber Readiness Institute, and MITRE.
