For decades, security experts have warned that America's critical infrastructure is at risk for cyberattacks. Yet, despite seemingly endless conversations, ongoing debate, and escalating concerns, modernization is slow and protections continue to lag.
When the Colonial Pipeline breach took place, it was as predictable as it was frightening. The ransomware attack shut down the pipeline for six days starting on May 7, and it led to a spike in oil prices along with shortages in some areas. But the next attack could be even more devastating: Large swaths of the nation could be left without electricity or Internet access, water filtration systems could go offline, or natural gas deliveries could be disrupted during winter. Any of these could put lives at risk.
At the heart of the problem is aging operational infrastructure and industrial controls that lack security required for the digital age. As organizations have overlaid connected IT systems and Internet of Things (IoT) devices, the situation has become nothing short of a nightmare. In many cases, these pipelines and facilities have hundreds or even thousands of potential entry points for attackers.
Heaping on additional pain: approximately 85% of US infrastructure is operated by private companies, with virtually no cybersecurity regulations in place.
"Many of the systems in use weren't designed for an era where operational and IT technology would be linked," states Joe Nocera, Leader of PwC's Cyber and Privacy Innovation Institute.
Risks Get Real
The threat to critical infrastructure is substantial — and the problem is growing worse. According to IBM Security X-Force, attacks on the energy sector have doubled over the last year. Part of the problem is that many operational systems and industrial controls are more than a quarter century old. Ironically, they're actually quite secure— as long as they aren't connected to IT systems.
These systems were designed to deliver ultra-high availability, and they are extremely expensive and complicated to update or swap out.
"It can cost a company billions of dollars to completely replace aging operational infrastructure with modern equipment," says Mark Carrigan, chief operating officer at the PPM Division of Hexagon, a firm that specializes in building out industrial projects and embedding security controls.
Taking these industrial and operational controls offline — even for a short while — can create enormous headaches. As a result, many infrastructure-based companies aren't in any hurry to move forward with more modern systems.
"You can't easily move from one system to another. You have to carefully examine the configuration of the control system and reengineer the device completely," Carrigan adds.
This includes everything from valves and flow controls to sensors and connected business systems. In the case of the Colonial Pipeline breach, for example, the attackers reportedly entered the company through a billing system. The company shut down operations because it had no way to bill customers.
Indeed, "Business and operational connections are now heavily interconnected," says Tim Erlin, vice president of product at Tripwire, a firm that offers threat detection and asset visibility systems.
As a result, he says, numerous gaps and vulnerabilities may exist — even of many of the components aren't directly connected to the Internet. A pipeline, for example, may have several hundred devices and sensors installed along every mile. Cyberattackers only need to find a single device that is vulnerable to worm their way into the network. At the same time, they may find an entry point through phishing or using compromised employee credentials.
"It's more complicated than industrial systems are simply old," Erlin says. "The real problem is that these blended environments of new and old systems increase the risks."
The Fix Is In
Despite the complexity of these environments, the idea that critical infrastructure cannot be protected lands somewhere between misguided and disingenuous. Nocera points out that other industries, such as banking, have figured out ways to connect legacy operational technology, such as ATMs, so that they work with IT devices and remain highly resilient.
"In general, banks are about 15 years ahead of these infrastructure companies in terms of integrating and securing technology," he argues.
A starting point for improving security within critical infrastructure is to recognize that building a stronger fortress won't necessarily keep cyberattackers out, Carrigan says. Threat intelligence, next generation firewalls and more advanced asset discovery, configuration and management tools are all useful, but they can't stop a person from clicking a bad link or an IoT manufacturer from introducing an entry point.
Likewise, some malware detection software can stop ransomware gangs from encrypting known types of malware, but they can't guarantee that a new and previously undetected ransomware dropper won't succeed in encrypting files. Even air gapped systems are no guarantee, since it's occasionally necessary to move data from one system to another — and malware could sneak through.
A strong zero-trust, multilayered defense, including multifactor authentication (MFA) everywhere, is critical. Yet it's also necessary to expect that attackers will get into a system, Carrigan says.
As a result, firms must also do a better job of segmenting networks and setting configuration restore points — particularly on operational systems. In addition, it's essential to have reliable backups residing on multiple and disconnected systems, along with a contingency plan for how to deal with an attack.
Help from Legislators
Security experts say there's also a need for action on the political front. Congress has a role to play in establishing basic cybersecurity regulations and possibly offering tax incentives for critical infrastructure firms to upgrade their systems and adhere to a desirable level of security. President Biden's May 12 executive order to require government agencies to use multifactor authentication and adopt a zero trust model is a start, they say.
It will likely set a tone for the private sector. However, Biden's $2 trillion infrastructure proposal and counter plans from Republicans have no language focused specifically on cyberattacks.
In the end, there are no simple answers or easy fixes. The most modern industrial controls, which push operational reliability and efficiency to near 100 percent levels, still present security risks. The irony, Carrigan says, is that there ultimately may be a need to rethink systems and, in the most critical systems, use electric and pneumatic controls.
"We've seen a few companies implement non-connected electrical systems as the very last line of defense," Carrigan says. "If something goes wrong, it can be controlled by a wrench and a screwdriver."