America’s critical infrastructure includes 16 diverse though often interconnected sectors: energy, water and wastewater, transportation, dams, communications, chemical, commercial facilities, critical manufacturing, the defense industrial base, emergency services, food and agriculture, government facilities, healthcare and public health, information technology, financial services, and nuclear reactors, utilities, and waste.
The Department of Homeland Security, which is responsible for coordinating critical infrastructure security, defines these sectors as “the essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health.”
In today’s complex digital landscape, critical infrastructure, particularly the sectors that directly impact Americans’ daily lives (like power, water, transportation, communications, healthcare, and the defense industry that safeguards national security), is more vulnerable than ever to cyber exploitation and attack.
Adding to that vulnerability is the reality that many of the organizations under the critical infrastructure sector umbrella lack the right cyber tools and know-how to protect their systems and data from increasingly sophisticated attack vectors.
While critical infrastructure faces vulnerabilities that extend far beyond the cyber sphere, including technical failure and natural disaster, in recent years cyber threats have grown from “potential” and “future” problems to imminent concerns. In 2018, for example, one security firm detected malicious objects on more than a fifth of the American industrial automation systems it observed. Worldwide, the same firm found that 43% of industrial control system computers were targeted by malware, phishing, or other cyber threats.
The recent uptick in cyberattacks on industrial control assets, which include supervisory control and data acquisition (SCADA) systems, comes as little surprise when we consider the wide net of actors harboring deep-seated motivations for hitting America where it hurts – and where the impact can be felt far beyond a few downed machines.
This whitepaper explores the reasons why America’s critical infrastructure sectors pose such an attractive target for cyberattack, which actors have clear motivations to carry out such attacks (and what vectors they are most likely to use), the growing government awareness and response to this issue, and some practical steps organizations (both public and private) can take today to keep critical systems and data safe.
From the power grid that keeps your electricity and heat on to the water treatment plant that keeps your faucet flowing, critical infrastructure plays a vital role in the daily lives of every American.
As such, a successful cyberattack on US critical infrastructure could have alarming, far-reaching, and long-lasting consequences. The Department of Homeland Security makes that point clear, stating that these sixteen sectors are “so vital” to our nation “that their incapacity or destruction would have a debilitating impact on [America’s] physical or economic security or public health or safety.”
The growing threats to supervisory control and data acquisition (SCADA) and industrial control systems – the machines designed to gather, monitor, and process real-time data to keep key utilities running smoothly – are cause for particular concern. Think about it. If the SCADA systems running an American city’s power grid or managing its water treatment go down as the result of a cyberattack, even for just a few hours, what then?
That city’s residents are inevitably affected – some lives might even be in danger, especially among vulnerable populations like the sick and elderly. But the attack would likely also have ripple effects far beyond that city’s geographic limits, particularly as critical infrastructure networks become increasingly integrated. And though many SCADA and industrial control systems are air gapped (meaning they have no network connection to the internet or to the organization’s corporate IT network), that does not mean they are immune to cyberattack: removable media, vendor laptops, and maintenance connections still cross the gap. This is especially true when systems rely on ill-fitted software tools designed with constant connectivity in mind (for updates, licensing, or telemetry), rather than the security requirements of an air gapped network.
Simply put, any downtime or interference with these systems could be devastating. Compounding the potential for such an attack is the fact that assets tasked with keeping critical services running often rely on older, outdated, and unpatched software and hardware, leaving them unnecessarily exposed to infiltration and exploitation.
As high impact targets remain vulnerable to attack (and public awareness of such vulnerabilities continues to mount), malign actors are taking note.
Nation state actors and their proxies, global terrorist organizations, cyber criminals, and rogue hackers alike all stand to gain something from successfully attacking or infiltrating critical infrastructure sectors and the vital services they provide.
Motivating factors for these actors run the gamut. Nation states and their proxies, for example, may seek to inflict lasting economic damage, sow discord within American democracy, or affect our military’s ability to ensure our national defense. In the past, nation states have proven hesitant to physically target America’s critical infrastructure due to fears of large-scale retaliation. That is likely to change in the coming years as the cyber domain provides an increasingly contested environment for conducting attacks without clear-cut attribution.
A global terrorist group’s motivation for such a cyberattack, on the other hand, would no doubt revolve around spreading panic, death, and destruction. The interconnectedness of America’s critical infrastructure sectors makes this an even more tantalizing prospect for such groups. And in contrast to those seeking political ends, cyber criminals may simply want to make money from a ransomware payment or gain bragging rights within the hacker community.
The Threat Vectors
With such diverse actors eyeing critical infrastructure vulnerabilities, it is no surprise the list of cyberattack vectors runs equally long. In the past, cyber infiltrations have seemed the result of random, opportunity-based attacks (i.e., hackers hunting for any opening across many networks) – like one reported against a US power grid operator in 2019. In 2020 and beyond, though, we should expect targeted attacks to become more and more frequent, whether they make the headlines or not. These are most likely to come in the form of malware, ransomware, and distributed denial of service (DDoS) attacks.
As effective as the right cyberattack may be on its own, there is even greater risk of devastating downtime from an attack that combines both cyber and physical elements. What if, for example, a nation state gained physical access to a power plant or water treatment center via an insider threat or espionage activities? With broader access to internal networks, critical assets (like SCADA or industrial control systems), and sabotage opportunities, the impact of any planted malware or bug could be exponentially more destructive than that of a purely remote cyberattack.
With these threats in mind, the US government’s efforts to shore up critical infrastructure are expanding. Beyond the Department of Homeland Security’s initiatives to broaden public and private sector partnership on this front, other federal entities, like the Department of Defense, are also paying close attention.
In October 2019, for example, the Defense Department’s Under Secretary for Research and Engineering laid out the terms of reference for a task force aimed at better understanding how cyberattacks on critical infrastructure might affect America’s “ability to project force, to ensure the capability to deploy, distribute, and sustain forces and logistics, and to have confidence in critical command and control elements.” The Department’s supply chain-focused Cybersecurity Maturity Model Certification (CMMC) – slated to go into effect in 2020 – is another step in the right direction.
The Department is also looking beyond its industrial base to spearhead collaboration amongst disparate critical infrastructure stakeholders – both public and private. The Army Cyber Institute’s Jack Voltaic exercises, for example, bring together key players across multiple critical infrastructure sectors in a bottom-up approach to cyber resiliency.
The Defense Department’s focus on securing its vast supply chain and building productive relationships with non-defense organizations is just as critical as the infrastructure itself – but the challenge extends far beyond the efforts of any one or two agencies alone. In recognition of that reality, the President’s National Infrastructure Advisory Council developed a draft report in 2019 highlighting the necessity of better cybersecurity across governmental supply chains, not just the defense industrial base. Alongside several concrete recommendations, including one aimed at securing the supply chain of critical cyber components specifically, the draft report vocalizes a dire warning: “escalating cyber risks to America’s critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security.”
In short, this is not a threat the US government can or is taking lightly.
TOP 5 TIPS FOR BETTER SAFEGUARDING CRITICAL ASSETS & DATA
Now that you have some insight into the threat landscape – and what is being done at the federal level to avoid a crisis – it is time to take action and implement change within your own critical infrastructure organization. These tips provide proactive steps you can take now to mitigate the impact of a cyberattack on your mission critical systems and data, or even prevent an attack from occurring at all.
1. Adopt reliable backup and disaster recovery tools and procedures.
First and foremost, set up a regular backup schedule for your critical assets, like SCADA and industrial control systems, and their data. This may sound obvious but, shockingly enough, many organizations responsible for keeping America’s critical infrastructure running skimp on this easy and affordable step. The tool you choose should have bare metal restore and bootable media capabilities so that if (more like when) a critical system goes down, whether from attack or hardware failure, you can easily get back up-and-running without suffering devastating downtime or lapses in critical constituent services.
Once you have a reliable backup tool in place, implement clear disaster recovery policies for your organization and practice the corresponding procedures. That way, once disaster strikes, your IT team will know exactly how to handle the situation without confusion – or losing precious time.
2. Regularly patch and test your critical systems.
Regularly patching and testing critical infrastructure’s SCADA and industrial control systems is key for keeping them safe with the latest bug and vulnerability fixes. Performing these necessary tasks, however, can be daunting. What if the patch goes sideways and knocks a mission critical system offline?
Having a reliable backup and disaster recovery tool, as described in tip one, will help lend peace of mind to this necessary process. Take a fresh backup immediately before the patch window, and confirm that backup actually restores (a backup you have never restored is an assumption, not a recovery plan). Where possible, apply the patch first to a representative non-production system. Should a patch or update unexpectedly leave your system down for the count, you will be able to quickly and easily restore the latest backup of your operating system.
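As an added example (not code from the whitepaper or from Acronis SCS), the following script shows the pre-patch backup and verified-restore routine described in tips one and two: it records a SHA-256 manifest at backup time, refuses to restore an archive whose digest no longer matches, and checks every restored file against the manifest. The configuration tree, file names, and contents are constructed inline for illustration, so it runs offline.

```python
"""Added example: pre-patch backup with an integrity manifest, plus a restore
that rejects a corrupted or tampered archive before touching the live system.
The SCADA config tree below is a constructed, hypothetical sample."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path, label: str) -> tuple:
    """Archive every file under src and write a manifest holding the digest of
    each file and of the archive itself. Returns (archive_path, manifest_path)."""
    archive = dest_dir / f"{label}.tar"
    files = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                tar.add(p, arcname=rel)
                files[rel] = sha256_file(p)
    manifest = dest_dir / f"{label}.manifest.json"
    manifest.write_text(json.dumps(
        {"label": label, "archive_sha256": sha256_file(archive), "files": files},
        indent=2, sort_keys=True))
    return archive, manifest


def verify_archive(archive: Path, manifest: Path) -> bool:
    """Compare the archive's current digest with the one recorded at backup time."""
    expected = json.loads(manifest.read_text())["archive_sha256"]
    return sha256_file(archive) == expected


def _safe_extract(tar: tarfile.TarFile, target: Path) -> None:
    # Refuse absolute paths, traversal, and non-regular members (symlinks, devices).
    for member in tar.getmembers():
        if member.name.startswith("/") or ".." in Path(member.name).parts or not member.isfile():
            raise ValueError(f"refusing unsafe archive member {member.name!r}")
        tar.extract(member, target)


def restore(archive: Path, manifest: Path, target: Path) -> bool:
    """Restore only a verified archive; return False without changing target if
    the archive fails verification, or if any restored file mismatches the manifest."""
    if not verify_archive(archive, manifest):
        return False
    if target.exists():
        shutil.rmtree(target)
    target.mkdir(parents=True)
    with tarfile.open(archive, "r") as tar:
        _safe_extract(tar, target)
    files = json.loads(manifest.read_text())["files"]
    return all(sha256_file(target / rel) == digest for rel, digest in files.items())


def demo() -> dict:
    """Pre-patch backup, a patch that clobbers a config, rollback, then a tampered archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "scada_cfg"                       # hypothetical config tree (constructed)
        (cfg / "hmi").mkdir(parents=True)
        (cfg / "hmi" / "tags.csv").write_text("pump01,running\nvalve07,closed\n")
        (cfg / "plc.ini").write_text("[plc]\nip=10.10.1.5\nwatchdog=on\n")
        backups = root / "backups"
        backups.mkdir()

        archive, manifest = make_backup(cfg, backups, "pre-patch")
        # A patch "goes sideways" and overwrites the PLC config with bad values.
        (cfg / "plc.ini").write_text("[plc]\nip=0.0.0.0\nwatchdog=off\n")
        restore_ok = restore(archive, manifest, cfg)
        content_restored = "watchdog=on" in (cfg / "plc.ini").read_text()

        # Simulate bit rot or tampering: flip one byte in the archive's first data block.
        data = bytearray(archive.read_bytes())
        data[512] ^= 0xFF
        archive.write_bytes(bytes(data))
        tampered_rejected = (not verify_archive(archive, manifest)
                             and not restore(archive, manifest, cfg))
        return {"restore_ok": restore_ok, "content_restored": content_restored,
                "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The manifest should live somewhere the backed-up host cannot overwrite (offline media or a separate, write-once store); otherwise ransomware that encrypts the archive can rewrite the manifest to match.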
3. Implement a zero trust architecture.
As this whitepaper makes clear, the stakes are high for protecting America’s critical infrastructure. Part of that protection lies in adopting a network architecture that reflects the seriousness of the threat landscape. Network segmentation and least privilege access, both hallmarks of the zero trust approach, are key for any organization responsible for keeping critical services operational. Having such policies in place helps shrink your organization’s attack surface, as well as limit the impact should a breach or attack occur.
Zero trust architectures are not a one-size-fits-all approach; organizations must consider the structure and policies that best match their unique security needs. At our company, Acronis SCS, we have implemented a robust zero trust architecture and are more than willing to offer advice or guidance to others seeking to do the same. We encourage you to reach out to us if we can be a helpful resource (and you can read more about our approach here.)
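As an added example (not the whitepaper's or Acronis SCS's own architecture), the script below models the segmentation and least-privilege policy tip three calls for as a default-deny allow-list and evaluates sample connection requests against it. The zones, addresses, roles, and ports are assumptions for a hypothetical plant network; real enforcement lives in firewalls, switch ACLs, and the identity provider, but writing the policy down this way lets you test it before deploying it.

```python
"""Added example: default-deny zone policy with per-role, per-port allow rules.
Zones, addresses, roles and ports are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addressing: corporate IT, an OT DMZ (historian, jump host), and the control network.
ZONES = {
    "corp_it": ipaddress.ip_network("10.0.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.10.0.0/24"),
    "ot_control": ipaddress.ip_network("10.10.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    roles: frozenset          # identities allowed to initiate this flow
    require_mfa: bool = False


# The only flows permitted; everything else, including anything intra-zone, is denied.
POLICY = [
    Rule("ot_control", "ot_dmz", 5432, frozenset({"historian_collector"})),          # PLC data to historian
    Rule("corp_it", "ot_dmz", 443, frozenset({"analyst", "engineer"})),               # read-only dashboards
    Rule("ot_dmz", "ot_control", 502, frozenset({"engineer"}), require_mfa=True),     # Modbus via jump host
]


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    role: str
    mfa: bool = False


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Absence of a matching rule is a deny."""
    src, dst = zone_of(req.src_ip), zone_of(req.dst_ip)
    if src is None or dst is None:
        return False, "unknown zone"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src, dst, req.dst_port) \
                and req.role in rule.roles:
            flow = f"{src}->{dst}:{req.dst_port}"
            if rule.require_mfa and not req.mfa:
                return False, f"{flow} requires MFA"
            return True, f"allowed by {flow} for {req.role}"
    return False, "default deny"


def run_samples() -> dict:
    """Evaluate constructed requests; the dict maps a description to the decision."""
    samples = {
        # A phished corporate laptop cannot reach a PLC directly, even with a valid engineer identity.
        "laptop_to_plc_direct": Request("10.0.5.20", "10.10.1.5", 502, "engineer", mfa=True),
        "jump_host_to_plc_no_mfa": Request("10.10.0.10", "10.10.1.5", 502, "engineer"),
        "jump_host_to_plc_mfa": Request("10.10.0.10", "10.10.1.5", 502, "engineer", mfa=True),
        "plc_to_historian": Request("10.10.1.50", "10.10.0.20", 5432, "historian_collector"),
        "analyst_dashboard": Request("10.0.5.20", "10.10.0.20", 443, "analyst"),
        "analyst_ssh_to_dmz": Request("10.0.5.20", "10.10.0.20", 22, "analyst"),
        # Historian account reaching back into the control network: no rule, so denied.
        "historian_to_plc": Request("10.10.0.20", "10.10.1.5", 502, "historian_collector", mfa=True),
    }
    return {name: evaluate(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The useful property to check is the blast radius: a compromised identity or host in one zone can reach only the specific (zone, port) pairs its role is granted, and the rule into the control network requires both the jump-host position and a second factor.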
4. Enlist the help of your “human firewalls.”
If your organization implements a zero trust architecture, that will minimize the risk and consequences of any breach. That does not mean, however, the role humans play in keeping critical infrastructure networks, systems, and data safe can or should be pushed to the wayside. After all, human-based errors have a causal role in more than a fifth of all breaches.
Phishing is one of the most common points of entry for those seeking access to industrial control systems. Robust cyber awareness training will help keep your “human firewalls” vigilant against these threats. And as more and more organizations adopt bring-your-own-device (BYOD) policies or provide corporate-owned laptops and phones to their employees, any training material should include mobile-focused safety tips.
5. Last but not least, share information.
That might sound counterintuitive when we are talking about security, but sharing information about the different cyber threat vectors you encounter in your networks – or the tools you have found most effective for stopping such incursions – will undoubtedly help other organizations within critical infrastructure sectors better protect themselves.
It is time both private and public sector players throw any aversion to cooperation out the window. With stakes this high, there should be no embarrassment about acknowledging an attack has occurred, seeking help in its aftermath, or offering your insight to others.
CONCLUSION: NO ROOM FOR COMPLACENCY
With stakes so high, there is no time to waste when it comes to better protecting America’s critical infrastructure. As the public sector awakens to the vulnerabilities of such infrastructure and continues to implement change accordingly, the private sector must also do its part. After all, more than 80% of the nation’s critical infrastructure is owned by private companies.
Spurring real and lasting change will require a team effort – one that can and must start now.
CONSIDERING ACRONIS SCS FOR YOUR BACKUP NEEDS
Acronis SCS is an American cyber protection and edge data security company dedicated to delivering products that meet the unique requirements of the US public sector. That includes providing easy-to-use, affordable, secure, and resilient backup and disaster recovery software to organizations responsible for keeping America’s critical infrastructure up-and-running.
Our hardened solution, Acronis SCS Cyber Backup 12.5 Hardened Edition, is specifically tailored to meet the needs of our country’s most sensitive environments and vital services, like water and power plant SCADA systems, and is the only full disk image backup and disaster recovery point solution certified by the US Department of Defense Information Network Approved Products List. This game-changing software – designed for ‘no internet,’ air gapped networks – minimizes downtime for mission critical assets in the event of attack or hardware failure. With the Hardened Edition, users can immediately restore an image of a working version of a device and capture reliable backups prior to applying system security updates and patches. For non-hardened environments, users can enjoy the same operational assurance with Acronis SCS Cyber Backup 12.5. Both software solutions cover servers, virtual machines, applications, and edge devices, with the flexibility to recover to dissimilar environments, including physical to cloud, virtual to physical, and any combination thereof.
In addition to these features, both of our backup and disaster recovery software solutions employ Active Protection, an advanced AI-based technology designed to automatically detect and stop ransomware attacks and other malware incursions like cryptojackers in their tracks, while simultaneously and immediately restoring any encrypted files from your latest backup.
All Acronis SCS products are built and supported in the United States by US citizens to ensure the highest level of protection for our public sector customers.