Mitigating the Rise in Cyberattacks on Critical Infrastructure
Security experts are reporting an alarming rise in cyberattacks on U.S. critical infrastructure. In the past four years, for instance, healthcare institutions reported a 278 percent increase in ransomware attacks to the U.S. Department of Health and Human Services (HHS).
Whether instigated by domestic cyber criminals seeking financial gain or foreign adversaries motivated by geopolitical revenge, the impact of these exploits can be far reaching, propagating problems both down and upstream from the initial target. Why? Because nowadays there are many interdependencies among systems that are foundational to our country’s operations and security—everything from healthcare and basic social services to energy and agriculture.
What’s particularly notable is that some of the most frequent targets for cyberattacks have been hospitals and water treatment plants.
What Makes Hospitals a Tempting Target?
Hospital systems contain large repositories of patient personal data and medical research. Gaining access to patients’ Social Security numbers, bank account numbers, health insurance information, or the hospital’s intellectual property can be a highly profitable exploit.
Ransomware is often an effective means of exploitation because hospitals want to avoid disruption of services that could lead to dire consequences for their patients. Since hospitals maintain multiple systems and devices that are interconnected—from administrative operations and life sustaining medical equipment to third-party practitioner and insurance company systems—those connections present an extremely broad and tempting attack surface. Life support and other critical medical equipment tend to be most at risk for infiltration since hospitals could be compromising patient care if those devices’ operations were frequently interrupted for vulnerability scans and patches, as is regularly done with other IT equipment.
Because potable water is essential for life, any vulnerability in this pivotal component could be disastrous.
Given the importance of resiliency in this sector, the U.S. federal government has promoted initiatives to help hospitals harden their operations against cyberattacks. HHS published a Health Care Sector Cybersecurity Protection Program that includes best practices for fighting cybersecurity threats and a framework for validating the effectiveness of hospitals’ cybersecurity programs.
To further align efforts to improve cybersecurity, a recently created Healthcare and Public Health Sector Coordinating Council partnered with HHS and other U.S. federal agencies to coordinate approaches—strategic, policy, and operational—to prepare for, respond to, and recover from cyberthreats to the healthcare industry.
Why Are Water Treatment Plants So Vulnerable?
All water treatment facilities use programmable logic controllers (PLCs) within their operations networks to purify drinking water. The PLCs control the filtering and disinfection of water to ensure it’s free of contaminants before it flows into homes and businesses. Because potable water is essential for life, any vulnerability in this pivotal component could be disastrous.
Hackers recently developed an exploitation package allowing them to gain control of the PLC and manipulate the percentage of chemicals introduced into the disinfection process—raising or lowering them to unsafe levels.
Many of these PLCs have been around since the 1950s, so retrofitting their legacy code with new safeguards can be difficult—if not impossible. This has led some municipalities to install new security gateways ahead of the PLCs to mitigate their exposure. Introducing security gateways into the topology enables water treatment plant operators to monitor traffic attempting to communicate with the PLCs and block any traffic with harmful intent.
Why Do OT and IT Need to Join Forces?
Historically, anything to do with facility operations (Operation Technology or OT) functioned independently of IT. But as critical facilities began introducing more technology into their systems to increase operational efficiencies, they unintentionally expanded the potential attack surface into their IT network. Efforts to mitigate this problem have led to increased cooperation between the two spheres, and, in some cases, a fusion of IT/OT security and network operation centers.
During the past decade, this convergence has given managers of critical infrastructure a better, real-time understanding of their OT and IT technology ecosystem and the vulnerabilities of their devices and systems. It has helped them compile a collective intelligence about the interdependency among systems and how easily cyberattacks can cascade from one system to another. With closer collaboration between OT and IT, enterprises managing critical infrastructure can more effectively vet devices, systems, and software before they’re installed on the network.
Getting to know what’s under the hood. One of the biggest challenges to managing a critical infrastructure’s technology ecosystem is its sheer diversity of software and devices.
On the IT side there might be, at most, four or five standard operating systems. On the OT side, however, there might be thousands of different operating systems in play because each system and device was developed to perform a specific function. So, there’s no standardization. To further compound the problem, both IT and OT software generally include a quantity of third-party components or building blocks as part of their code, any of which could present a risk.
A large part of building system resilience starts with basic cybersecurity hygiene.
U.S. President Joe Biden addressed this issue on 12 May 2021 by issuing an Executive Order on Improving the Nation’s Cybersecurity, which highlighted the importance of having a Software Bill of Materials (SBOM) for all products to be installed on the network. The SBOM contains a comprehensive list of all the components and dependencies used to build a piece of software.
Access to this nested inventory of an application’s makeup can help critical infrastructure operators better understand, manage, and secure their software programs. Once aware of specific vulnerabilities, they can proactively patch or take other measures to reduce the risk of security breaches from those third-party software components. On the application development side, software engineers can use SBOMs to identify issues earlier in the development process so they can be resolved before incorporating them into the end product where they might cause damage.
Adapting to changing methods of attack. Artificial Intelligence (AI) in critical infrastructure is in its infancy and has many challenges. Despite this, AI continues to reshape the cyberthreat landscape, making it more difficult to detect and uproot insidious malware. Cybersecurity specialists are in a constant race to develop smarter, AI-driven analytics that can recognize the latest malware signatures, block process manipulations, and shut down efforts to redirect data.
To address these challenges, it’s important to understand the complexities of data involved and the vital need for clean data. AI, at its purest form, needs clean data for the creation of its analytics and learnings. To ensure data is clean, it must be secure throughout the whole supply chain. Sensors need to accurately acquire data, which needs to be secure from tampering or infiltration from cyber threats, then follow a line of progression to trigger accurate automation for AI to make accurate decisions. This accuracy is needed for the physical protection of a site and the protection of processes utilizing AI.
For example, physical applications could include alarming and pulling up video clips of a person in a specific area wearing a green shirt or driving a red truck. In process applications, an example would be the ability to detect the level of fluid in a vessel using thermal cameras, or using cameras to detect smoke in a process area, and trigger an alert alarm.
Another challenging aspect for AI in critical infrastructure is the fact that OT and IT systems are, due to criticality of systems, on separate networks. Although an IT system may want the metadata from sensors in the OT environment, connecting the two separate networks to allow this data through can present risks of cross breach in both networks.
But a large part of building system resilience starts with basic cybersecurity hygiene: knowing what devices and systems are on the network, their interdependencies, and each software component that went into building those products. Why is this important? Multiple vendors may use the same building blocks but may not issue security patches and updates in the same timely manner. If there’s a credible threat issued about a software component, the enterprise needs to know exactly where to find that component and that vulnerability across the network.
Instituting proactive policies and procedures—from encrypting all data, regularly changing passwords, updating user privileges, and installing firmware updates and cybersecurity patches in a timely manner—are other best practices for building resiliency. Because of system interdependencies, however, it’s best to test updates and patches in a sandbox or non-production system to ensure implementing these changes will not break crucial links between systems.
While many critical infrastructure operators struggle to justify the time and expense of implementing advanced cybersecurity measures, consider the ramifications to the country’s operations and security if they fail to do so.
Joe Morgan is the segments development manager for critical infrastructure for Axis Communications in the Americas and has more than 35 years working in the critical infrastructure space, focusing on physical security, operational efficiencies, and health safety.
Wayne Dorris, CISSP, is the program manager for cybersecurity for Axis Communications in the Americas. He has 33 years of experience with a blend of both physical and cybersecurity experience. His primary role is to drive cyber strategy and influence the development of cyber capabilities in products and solutions at Axis Communications.
