The nation’s infrastructure is vulnerable to cyberattacks. We know this because a successful, prolonged (the attacks began as early as March 2016) cyberattack was discovered this year.
In March 2018, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) announced that Russian hackers had targeted and penetrated some of the country’s most sensitive infrastructure including power, nuclear, water, critical manufacturing and aviation networks. The report confirmed that America’s vital systems can be – and were – compromised.
Old Tactics Still Work in the New World
It was found that hackers gained access to these systems by exploiting vulnerabilities in their networks’ online operations. They attacked smaller, less secure organizations – vendors, subcontractors, etc. who interacted with the primary targets – then leveraged those connections to attack the intended victims.
One technique the hackers used was spear phishing – an attack vector that’s been utilized for quite some time. They sent targeted emails from compromised accounts that were familiar to the recipients, convincing them to disclose confidential information.
Once inside, the hackers planted malware that allowed them to observe and record information from energy generation systems. These attacks were all about reconnaissance and they let Russian hackers collect data on how our infrastructure systems operate.
A Digital Warzone
Now more than ever, our critical infrastructure needs to be prepared for an electronic battleground. It’s cyber warfare.
Critical Infrastructure Sectors encompass a broad collection. Infrastructure facilities include:
• Pipeline Transport
• Hazardous Waste
• Mass Transit
• State Schools
• Public Spaces
• Solid Waste
• Water Supply
Critical National Infrastructure (CNI) is what governments define as assets that are essential for the functioning of a society and economy. These include:
• Shelter and things needed for heating including natural gas, fuel oil, and district heating
• Food production and distribution
• Drinking water, wastewater and sewage
• Transportation systems including rail, airports, harbors, and inland shipping
• Security services including police and military
• Electricity generation, transmission and distribution
• The economic sector including goods and services and financial institutions
What’s Being Done to Protect Critical Infrastructure?
In May 1998, President Bill Clinton initiated a critical infrastructure protection plan under Presidential Decision Directive 63. The directive defined elements of the national infrastructure as critical to the national and economic security of the United States, and developed steps to protect it.
In December 2003, President George Bush updated the plan through Homeland Security Presidential Directive 7: Critical Infrastructure, Identification, Prioritization and Protection.
Organizations like the Institute for Critical Infrastructure Technology, the nation’s leading cybersecurity think tank, are also working to protect our critical infrastructures. They facilitate cutting-edge research, knowledge sharing platforms and more to help educate and empower cybersecurity leaders to engage in protecting our most vital national systems.
Of course, there are other common-sense cybersecurity precautions critical infrastructures should employ. Set privileged access, require complex passwords that must be changed on a timeline, utilize multifactor authentication and limit user functionality. All of these things help protect against compromise.
The Modern Cyberwar Rages On
Our connected world continues to expand the avenues for possible cyberattacks. Foreign governments are creating cyber weapons and targeting our nation’s critical infrastructure, public and private sectors. Cyber agents are breaching firewalls, committing espionage with an increasing ability to avoid detection.
Additionally, protecting infrastructure from a cyberattack is difficult in the US because elements of it are federally, state, or privately owned. One challenge is how to assign responsibilities between the shareholders and still adequately protect the infrastructure. Unfortunately, these issues are being worked out as we are under attack.
What’s more, a state-sponsored attack on our critical infrastructure doesn’t necessarily constitute an act of war. Because the digital battlespace is new, it does not have fully-defined laws or standards like the rules of conventional warfare, which can make it difficult to respond to in a meaningful way.
But through all of this, one thing is certain – all organizations (and especially our nation’s most critical systems) must remain diligent in combatting cyberattacks.
Protecting the internet is our shared responsibility. Keeping our critical infrastructure secure requires a national public effort. For guidance, tips and resources, please review the US Department of Homeland Security’s strategies on critical infrastructure security and cybersecurity.