In the TV series Mr. Robot, Elliot Alderson, a gifted cybersecurity engineer by day, moonlights as a vigilante hacktivist for the "fsociety" group, which conspires to topple corporate America by canceling the debt records of every citizen.
In this doomsday scenario, cyber anarchists aim to disrupt the financial infrastructure that supports the global economy as a means to bring about their ideological political goals. Beyond this dramatic metaphor lies a sobering truth: Our world is interconnected to such a degree that the notion of critical infrastructure has evolved beyond what we have traditionally classified as such.
While power plants, chemical factories, and government agencies rightfully deserve the "critical" designation, there are scores of other industries upon which these critical infrastructure organizations would cease to properly function if they were knocked out of commission by a well-orchestrated targeted attack.
To reduce risk and thrive in this age of unpredictable and targeted attacks, critical infrastructure organizations must take a more expansive view of the critical infrastructure ecosystem, commit to making cybersecurity training a priority for employees at every level of the organization, and embrace a holistic zero-trust approach that prioritizes prevention strategies over reactive detection methods.
Mitigating Cyber-Risk with Training and Awareness
In February 2019, employees of the Fort Collins Loveland Water District and South Fort Collins Sanitation District in Colorado were hit by a ransomware attack that locked them out of their computers — for the second time in two years. In September 2019, Kudankulam Nuclear Power Plant, the largest nuclear plant in India, was breached in a malware attack, and in November 2019, criminals shut down computers at Mexican oil giant Pemex in exchange for a $5 million ransom. The US experienced the first attack on a power grid in March 2019 when North American Electric Reliability Corp. (NERC) was disrupted in a "cyber event" that lasted nearly 12 hours.
As public and private enterprises look to new cybersecurity solutions to mitigate the risks, global cybersecurity spending is expected to grow to $133.8 billion by 2022, according to International Data Corporation. The White House's 2020 budget alone includes more than $17.4 billion for cybersecurity-related activities, a 5% increase over 2019. However, we'll need to do more than throw money at the issue.
The problem lies in the fact that critical infrastructure sectors have become increasingly attractive targets — both for nation-states engaged in geopolitical campaigns as well as profit-motivated criminal syndicates. That's largely due to the fact that much of our nation's critical infrastructure is built upon a tangle of legacy industrial control systems that were intentionally designed as closed, air-gapped systems.
But perhaps the greatest vulnerability is the human element. While many of these companies address supply chain risks by certifying the cybersecurity practices of their partners, basic security awareness and training often lags behind other industries. Threat actors, regardless of their motivation, are like water flowing in a riverbed: They will always choose the path of least resistance.
A Shift in Mindset: From Detection to Prevention
As we enter the next decade, executive leadership for critical infrastructure organizations must take a hard look at their existing IT systems, their security practices, and, most importantly, their attitudes toward how they approach cybersecurity.
And because threats can now come from anywhere, any piece of connected technology must be treated as potentially malicious. This is the essence of a zero-trust, prevention-first mentality, one in which trust is never implied and the legitimacy of every file, every device, and every network connection is always questioned.
All employees — whether executives, engineers, or accountants — must develop a deeper appreciation that any interaction with technology can open a door to a potential cyberattack. It's imperative that critical infrastructure organizations prioritize cybersecurity training for all employees, emphasizing that every person who interacts with technology also plays an important role in protecting mission critical infrastructure.
To prepare for the increasing sophistication and frequency of cyberattacks on critical infrastructure sectors, the burden will rest on the shoulders of executive leadership, who must take the lead in showing that all employees, regardless of their role or responsibility, are aware that any interaction with technology has the potential to unleash the next Stuxnet, or worse.
As we move into this new decade, there are more unknowns than knowns. While critical infrastructure security leaders can't predict and prepare for every attack scenario, they must at least acknowledge that the threat landscape has shifted and that a prevention-first, zero-trust approach is necessary to keep us all safe, this year and beyond.