Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

From Warnings to Action: Preparing America’s Infrastructure for Imminent Cyber Threats

As cyber threats grow more sophisticated, America cannot afford complacency. The time for decisive action and enhanced cyber resilience is now.

When FBI Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party in January, he painted a chilling picture of foreign adversarial cyber-agents pre-positioned in the networks of U.S. critical infrastructure operators ready to strike at a moment of Beijing’s choosing. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” he told members of Congress.

Wray’s warning has a ring of truth. We’ve already seen what can happen when smaller cyberattacks are carried out by far less capable threat actors. When Colonial Pipeline was taken offline for a week by a ransomware gang in 2021 people on the East Coast panicked, rushing to gas stations to top-off their vehicles and fill whatever containers they had available.

A Threat of Infrastructure Havoc

Then, government officials tried to reassure the public that there was no reason to fear the worst. Today they’re telling us that America’s power grid, water treatment facilities, hospitals, pipelines, transportation and logistics operations, telecommunications networks, and other critical infrastructure are under imminent risk and that a cyberattack will “wreak havoc and cause real-world harm to American citizens and communities.”

The urgency in Wray’s message was meant as a wake-up call to lawmakers and to snap those responsible for managing U.S. economic and critical infrastructure out of their complacency. For too long, Wray said, cybersecurity has not gotten the attention and resources befitting the threat. Organizations tasked with managing–and protecting–America’s critical infrastructure “cannot afford to sleep on this danger,” he warned.

Not the First Warning for Critical Infrastructure

It’s not the first time Washington, D.C., has tried to get critical infrastructure operators to step up their efforts to protect their systems. In early 2020 the U.S. Cyberspace Solarium Commission offered “A Warning from Tomorrow” describing a worst-case scenario in which the nation’s capital is crippled by a cyberattack that takes out water treatment systems, the electrical grid, and dams. In their scenario, fires and floods leave the region in ruins. Unfortunately that fictional account was released just as the country was falling in the grips of the very real Covid 19 crisis. The Commission rightly said we weren’t ready for cyberwar, but no one was listening; they had other things on their mind..

Secretary Wray’s warning, bolstered by additional chilling accounts from CISA Director Jen Easterly and Commander, U.S. Cyber Command, Gen. Paul Nakasone, got plenty of media and industry attention. The specificity of their combined testimony, along with the announced takedown earlier in the day of a botnet used by Chinese threat group Volt Typhoon to help “burrow deep” into thousands of critical infrastructure operations, was just the latest in a mountain of evidence that the threat is anything but hypothetical. Maybe now America’s critical infrastructure operators are finally listening and taking steps to evaluate and update their cybersecurity strategies.

Taking Steps to Root Out and Prevent Threats

Among the improvements that should be made is ensuring those responsible for network management and security have complete visibility across their enterprises. CISA has made it clear that this is a foundational element to protecting today’s complex and heterogeneous networks. When the agency issued Binding Operational Directive 23-01 in October of 2022 it emphasized that “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.” And while the Directive only applies to executive branch agencies, it underscores the security maxim that you can’t protect what you can’t see.

Critical infrastructure is a category that goes far beyond the list of usual suspects like dams, pipelines, and the power grid. It includes organizations like hospitals, air and sea port facilities, transportation and logistics operations, telecommunications, large industrial concerns, major financial services networks, and any other organization that, if taken offline, would risk physical harm or disruption of economic activity.

Advertisement. Scroll to continue reading.

Unfortunately many of the organizations that would be targeted in any cyberattack against critical infrastructure have systems that rely on older IT and operational technologies (OT) that are difficult to secure. This includes industrial controls, Supervisory Control and Data Acquisition (SCADA) systems, and obsolete software and operating systems (the kinds of vulnerabilities targeted by Volt Typhoon). Often these technologies were developed and deployed before digital supply chains became essential and so were never meant to be exposed to the public internet. That puts the security teams in a bind, but they are not without hope.

The Time to Act is Now

With the right tools, critical infrastructure operators can gain the ability to discover and identify all the assets connected to their networks, including IT, OT, Internet of Things (IoT), mobile devices, and more. Once visibility is achieved, available asset and threat intelligence can be used to quantify and assess risk, prioritize patching or mitigating actions, and apply policies that ensure critical assets can be segmented and protected, and that vital operations can continue even if a cyberattack is successful. That is the essence of cyber-resiliency – the ability to take a punch and still deliver vital services.

There can be no excuse for further delay in taking the steps Director Wray, Director Easterly, and General Nakasone recommended. The time to take action is now. From reinvigorating an emphasis on cyber hygiene to implementing new tools to enable a Zero Trust posture, the means are available to vastly improve cyber readiness, security, and resiliency.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bring new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep-learning to detect malware, and CMO at SafeBreach where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights