As cyberattacks become more sophisticated and dangerous, the threat to U.S. critical infrastructure increases by the day and puts national security, businesses and the public at risk.
In a recent speech, Secretary of Homeland Security Alejandro Mayorkas echoed that point. In a blunt warning for policymakers and the public, he said that a hacker’s ability to carry out attacks “with a keystroke” from anywhere in the world means that national security is essentially synonymous with homeland security. “Ubiquitous cutting-edge technologies, economic and political instability, and our globalized economy have erased borders and increasingly bring threats and challenges directly into our communities — to our schools, hospitals, small businesses, local governments, and critical infrastructure.”
For critical infrastructure organizations such as electric utilities, water treatment plants, chemical manufacturers or hospitals, the stakes are incredibly high and potentially catastrophic. For instance, when hackers attacked the Ukraine power grid, hundreds of thousands were left without power for days. When ransomware gangs commenced an attack on a hospital, it was forced to take its appointment system offline, leaving patients without care. And hitting closer to home was when Colonial Pipeline Company proactively shut down its pipeline system in response to a ransomware attack — leaving many Americans unsure about the access to fuel for transportation.
As a result of this growing threat, it’s time for sector leaders to rethink cybersecurity strategies. And the Cybersecurity Performance Goals recently released by the Cybersecurity and Infrastructure Security Agency provide a good framework to do so. Beyond that, critical infrastructure operators need to adopt a more proactive cybersecurity plan. We simply can’t wait for the next attack.
A consolidated and comprehensive list of best practices and recommendations for organizations on everything from the concepts of zero trust, defense in depth, segmentation, and asset management, the CISA goals are an excellent starting point for organizations looking to work through the cybersecurity maturation process for their information technology and operational technology networks and proactively bolster their cyber defense posture.
The attack surface across critical infrastructure sectors is uniquely complex. Take health care, as an example. The pandemic forced new ways of providing patient care and sparked a massive proliferation in connected devices, giving rise to an ecosystem that is more connected than ever. While this has created benefits for patients and providers alike, it has exposed health care organizations to significant new risks at a rapid pace and enlarged the attack surface they must protect. And doing so is not easy. OT systems are no longer “air-gapped” away from IT environments, and traditional cyber tools offer little help, as they are not interconnected.
Rapid adoption of cloud technology and services has complications, as well. While cloud-driven delivery models create efficiencies, they also open the door to risk, as they are managed by third-party vendors, some of whom have little experience navigating security regulations, outsourcing across multiple jurisdictions and integrating across data sources and systems. And a supply chain is only as strong as its weakest link. A successful attack on an external vendor can expose several organizations and take them all down.
The first step critical infrastructure providers should take to address these challenges is engaging with their sector risk management agencies to develop a prioritized list of cybersecurity practices that can be adopted. By coming together to develop baseline procedures and ways to measure their implementation, leaders can significantly improve cyber hygiene and reduce the likelihood that a company will be successfully attacked. Such performance goals will also enable security leaders to prioritize their spending on high impact changes and optimize their investments and the returns they deliver.
The second step is to invest in experts in the field to implement these guidelines and drive their intended goals, including properly trained IT and cyber staff who can test, evaluate and implement security measures and/or configuration changes at an enterprise level.
Industry and government coordination is vital, too. All critical infrastructure organizations should have a relationship with CISA and integrate its products and outputs into their processes. They should also consider tapping Information Sharing and Analysis Centers for insights and best practices on cyberthreats and mitigations that can inform their strategies.
The cyberthreat landscape will continue to grow. And there is an urgent need for a more proactive approach to defending it. Cyberthreats can compromise critical information, disrupt operations, undermine national security, and even put lives in jeopardy. In planning in anticipation of — not in case of — them and preparing for the worst, critical infrastructure organizations can mitigate risks and keep their business and missions secure.
Kelly Rozumalski is a senior vice president leading Booz Allen’s National Cyber defense business.