Attacks on Critical Infrastructures and Protecting Them
by Dr. Greg White, Executive Director, CIAS-ISAO
Attacks on the Infrastructures
Over roughly the last year and a half there have been a number of very public attacks on various critical infrastructures. These included:
- February 2020: A spear-phishing attack against a natural gas compression facility delivered ransomware that spread from the IT network into the OT network. The operator deliberately shut the facility down for approximately two days (CISA Alert AA20-049A).
- February 2021: A cyber intruder attempted to raise the level of sodium hydroxide in the water system in Oldsmar, Florida. An operator noticed the change on screen and quickly returned the setting to its normal level.
- April 2021: A hacking group with possible links to the Chinese Government penetrated the Metropolitan Transportation Authority’s (MTA) computer systems. However, they did not gain access to operational systems.
- May 2021: A ransomware attack hit Colonial Pipeline, which carries gasoline and jet fuel to much of the East Coast. The malware landed on the company's IT systems; the company halted all pipeline operations as a precaution to contain the attack and paid the ransom ($4.4 million).
- June 2021: It was announced that a ferry operator in Cape Cod and Nantucket was hit by a ransomware attack. Operations were disrupted causing service delays.
In January of this year, in response to the well-publicized SolarWinds intrusion, the New York Times reported the concerns of public officials:
They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout.
The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent.
[“As Understanding of Russian Hacking Grows, So Does Alarm”, NY Times, Jan 2, 2021]
This points out another aspect of attacks on critical infrastructures: nation-states are also involved, but for very different reasons than criminals. They are after intelligence and pre-positioned access that can be used for disruption later, not a ransom payment. The capability and patience of nation-states also make these attacks a much larger challenge when attempting to prevent, detect and respond to them.
We should learn several lessons from these attacks, including:
- The difference between OT and IT networks and the importance of keeping the two separate as much as possible. Attacks on critical infrastructures generally target operations, not data, so a compromise of the business (IT) network must not be able to reach the control (OT) network.
- The need for contingency/continuity of operations planning.
- Ransomware is the common attack, but nation-state intrusions also occur and may go unnoticed for much longer.
- Critical infrastructures, because of their importance, will continue to be targets of attacks, especially if that importance leads companies to pay the requested ransom in order to restore full operation.
A related issue that was brought home to communities was seen during the winter storms experienced earlier this year. The storms impacted so much of the state of Texas that individual communities were left largely on their own in terms of attempting to restore and maintain infrastructure services. We can expect the same need for individual communities to be able to respond to a loss of their critical infrastructures should a large-scale cyber attack be launched on the state’s, or the nation’s, infrastructures.
Protecting the Infrastructures
We know our infrastructures are targets for cyberattacks, both for cyber criminals as well as nation-states. The nation and most states have developed programs aimed at protecting our critical infrastructures. Much of this is directed at preparation and protection efforts. Communities should take advantage of these resources as much as possible such as the DHS Cyber Resource Hub, which lists a number of different services that DHS offers to communities.
There is one caveat to the help DHS offers to communities: DHS does not have the resources to provide all of its offerings to every community in the nation. There is a waiting list for some of these services, and smaller communities may not have the same chance of receiving them as larger communities or those considered to be more likely targets. This brings us back to a statement that has been made in this forum before: communities need to be prepared to "do it on their own," especially when it comes to response and mitigation.
So, what steps can communities take to prepare for an attack on one or more of their critical infrastructures? Consider the following items:
- Participate in training, often available for free from entities such as the DHS National Training and Education Division (NTED). The Texas Department of Information Resources (DIR) has also published a list of certified cybersecurity training programs for use by state and local government personnel.
- Conduct a periodic Critical Infrastructure Exercise including both cyberattacks and natural disasters.
- Participate in community, state and sector ISAOs. These should be able to provide additional guidance and sector-based best practices that can provide more specific guidance for the various infrastructures.
- Ensure all critical infrastructure organizations and those needed by them have contingency/continuity plans in place and that they are examined/exercised on at least an annual basis.
- Conduct annual security assessments and penetration testing. If possible, every other year have a 3rd party conduct these activities.
- Conduct annual security training for all employees and more extensive training for security personnel to ensure they are knowledgeable about the most current threats and vulnerabilities.
- Ensure separation between IT and OT networks for those infrastructures that require a sensor/control network for operations.
- Know what resources you have as part of your network. You cannot patch or defend a device you do not know about, and an accurate inventory (including the vendor and software version of each OT device) is what lets you determine which published vulnerabilities actually apply to you.
- BACKUP, BACKUP, BACKUP. Make sure all organizations involved with the critical infrastructures have a backup plan that is followed and that is tested by actually restoring from the backups. At least one copy should be kept offline or otherwise unreachable from the production network, since ransomware operators routinely seek out and encrypt or delete any backups they can reach.
- Know what 3rd party organizations (vendors, integrators, managed service providers) also have access to your network, and through which accounts and connections. Ensure that they are adequately protecting themselves with activities similar to the ones described here.
- If any of the above services are outsourced, ensure that the service provider(s) are adequately protected themselves and are conducting similar activities on their own operations.
As a final comment, a related topic that has many of the same characteristics as the critical infrastructures (and that in fact may include them) is the topic of High Value Assets (HVA) within a community. A future article will address how a community can identify its High Value Assets.