Legacy vulnerabilities risk critical infrastructure security
GettyImages/ EThamPhoto
Connecting state and local government leaders
The convergence of IT and operational technology along with the layering of third-party digital products and services over legacy systems often compounds the limited visibility and control security teams have, experts say.
With Ukrainian officials warning that Russia plans a terrorist attack on the Chernobyl nuclear plant – already damaged shortly after the war between the two countries began – attention to critical infrastructure security is high.
“In any world conflict, one of the primary threats posed is cyber actors disabling or destroying core infrastructure of the adversary,” Michael Johnson, chief information security officer at Meta Financial Services and a member of Safe Security’s board of directors, wrote in an email to GCN. “Based on the global reaction to the current world conflict, countries fear reprisals. The worry is, will there be collateral damage to the critical infrastructure of other countries not directly involved in the current conflict – whether it be energy infrastructure, water supply, financial systems, etc.?”
That’s especially concerning given that in the United States, nuclear facilities, water systems, highways and other critical infrastructure elements “have not been maintained to the extent they should be, including the software and technology that support it,” Troy Saunders, CISO at CentralSquare Technologies, said in an email to GCN. Some run on legacy operating systems.
As a result, cyber concerns around critical infrastructure are realistic. “The convergence of [information technology] and [operational technology (OT)], along with the layering of third-party digital products and services over legacy systems in critical infrastructure often compounds the limited visibility and control security teams have,” Johnson said.
Before the European conflict began, state and local governments were seeing increased threats against critical infrastructure. CheckPoint Software found that such attacks increased 102% in the first half of 2021. On March 7, the FBI issued a flash warning about RagnarLocker ransomware, which had been identified as affecting at least 52 entities across 10 critical infrastructure sectors as of January. In February, it issued an advisory about BlackByte, ransomware that had compromised businesses in at least three U.S. critical infrastructure sectors.
Lack of basic protections is one reason for the increased vulnerability. Agencies should “start with the basic security controls within your organization, such as knowing where your assets are, implementing access management controls with zero trust, ensuring your system has the latest updates and patches, and enabling security from the outside in with firewall protection,” Saunders said. “Next, and most importantly, agencies need to train their people.”
But resource constraints such as budgets and staffing are also issues. For example, some smaller agencies and townships don’t have an IT department, forcing them to outsource cybersecurity or rely on unskilled employees. Congress’s recent allocation of $2 billion to cybersecurity in the Bipartisan Infrastructure Law can help because the funds can be applied to critical infrastructure upgrades at all levels of government.
Two things that agencies must focus on are implementing information and technology management best practices, such as multifactor authentication, network segmentation and access control, and implementing quantitative risk management, Johnson recommended.
Modernization can also bolster security. “As agencies look to adopt cloud, they should choose a cloud vendor that can meet or exceed their defined data and security requirements,” Saunders said.
In the long term, however, agencies must adopt a security framework. He recommends the National Institute of Standards and Technology’s Cybersecurity Framework and participating in InfraGard, a partnership between the FBI and the private sector for the protection of U.S. critical infrastructure. “Agencies can gain access to guidance, conferences, webinars and alerts of the latest cyber threats,” Saunders said. “State and local entities can get involved in their localized section of InfraGard for their state or city.”
Despite the availability of tools to boost critical infrastructure security, those solutions often don’t give agencies real-time visibility into risks, forcing them to remain largely reactive to incidents, Johnson said. But there are ways to become more proactive.
For instance, the U.S. Computer Emergency Readiness Team collaborates with all levels of government, the private sector, the research community and international entities to monitor cyber trends. The Cybersecurity and Infrastructure Security Agency’s Cyber Security Evaluation Tool “provides a systematic and repeatable approach to assess the cybersecurity posture of [industrial control system] networks,” Johnson said, and this month CISA added 95 flaws to its known exploited vulnerabilities list.
Additionally, last July, the Biden administration issued the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” calling for cyber performance goals for critical infrastructure organizations.
All of these efforts are positive developments, but Johnson and Saunders are cautious in their optimism about future critical infrastructure security.
“The impact of today’s threats and the potential impact of a cyberwar is a major concern,” Saunders said. “We rely so much on [the internet of things] and other technology to control functionalities for water, nuclear plants, energy, etc., that just one event can knock out the power in an area for weeks or months.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.