The string of major supply chain and critical infrastructure attacks in the last couple of years has demonstrated not just the willingness of threat actors to target those systems, but also the importance of organizations planning for such attacks and being able to bounce back from them when they occur.
Incidents such as the software supply chain attacks against SolarWinds and Kaseya and the ransomware attack on Colonial Pipeline last year can cause long-term downstream effects for customers and other organizations for months or even years afterward. They can also make government agencies and defenders more aware of the specific vulnerabilities and weak spots that organizations have and help spur new thinking about how to address them. In the case of the DarkSide ransomware attack on the Colonial Pipeline, a major East Coast gas delivery conduit, the intrusion clearly demonstrated the ever-growing overlap between cybersecurity incidents and real-world consequences.
“There are very few pure cyber incidents left, and Colonial really highlighted that for us,” Jason Tama, senior director for resilience and response for the National Security Council, said during a forum on critical infrastructure resilience at Northeastern University Tuesday.
“Power and other vital services such as water and transportation are good examples of things that can be disrupted through cascading effects. We’re getting after this by baking in cybersecurity from the beginning so we don’t have to bolt it on later. That ensures resilience.”
Resilience is a key property for critical infrastructure networks as well as enterprise networks, but it’s not a simple one to develop. Being able to absorb, respond to, and come back from attacks is a vital capability for security teams, but it requires a keen understanding of an organization’s strengths and weaknesses, as well as comprehensive planning and the ability to redirect resources as needed. It also requires collaboration, both inside and outside of the organization.
“Resilience isn’t just about being able to bounce back. It’s about deterrence all the time because adversaries will see where you’re strongest and they won’t attack there,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA).
Critical infrastructure resilience has become a top priority for the Biden administration, particularly as it applies to cybersecurity. Last month, the White House issued a lengthy fact sheet on CI security, highlighting the need for increased collaboration with the private sector and a more attack-resistant approach. While utilities, transportation systems, and other critical infrastructure components have proven to be vulnerable to cyber attacks, the good news is that many of these systems were designed with resilience in mind from the beginning. Power companies, water companies, and rail operators have to deal with all manner of disruption on a regular basis and have plans for working around it.
“Critical infrastructure resilience is difficult enough when you’re just talking about the vicissitudes of the natural world, but when you add cyber threat actors, it ups the threat by several orders of magnitude,” said Dennis McDermitt, CISO of National Grid, a major electrical power provider.
“They’re committed for the long term and we need to do a lot of work to address that.”
One of the main challenges in defending critical infrastructure and ensuring its resilience is the fact that CI entities are high on the target list of many threat actors, including state-sponsored attackers and cybercrime groups. And plenty of those entities have already been compromised.
“Sophisticated nation-state actors are pre-positioning themselves inside our critical infrastructure to be able to leverage that access in the future,” Wales said.