Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.
As of now, we still don’t know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial’s network have yet to emerge. The FBI has confirmed that Darkside, a ransomware as a service (RaaS) group, was behind the attack but background on that group is about the only place where information is plentiful.
We still don’t know if a ransom has been paid. Or if Colonial was able to completely isolate its operational network from its corporate systems – the intended target of the attack according to the company – or if Darkside could have bridged that gap.
Based on the Darkside’s own statements and analyses of its past behavior, experts believe the attack wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. But that’s beside the point.
It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.
And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.
Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.
The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn’t limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they’ve ever been before, but cybersecurity is often an afterthought in their design if it’s one at all. One source claimed it was communication between an ICS and Colonial’s corporate networks, responsible for simplifying the billing process, that caused concern about the attack spreading to operational systems.
Making more cyber resilient infrastructure
After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2017 attacks against Ukraine’s power grid from happening here?
Here are a few suggestions:
- Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.
- Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.
- Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.
- Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.
For the time being, major damage and fears of prolonged fuel shortages may be unfounded with the Colonial Pipeline attack. But we need to act deliberately now in order to avoid relying on the same luck in the future.