Blog / 11 min read
The world is rapidly evolving, and digital and physical systems are constantly converging. Standalone systems that once solely managed critical infrastructure operations are now connecting to the internet and sharing sensitive information. This newly converged extended internet of things (XIoT) has brought about myriad of benefits from protecting the nation to maintaining a strong economy and enhancing the quality of life for citizens. Although the functions of critical infrastructure are essential to national prosperity, the cybersecurity implications are slowly outpacing the benefits. Unlike any other time, public policymakers worldwide are recognizing these threats to critical infrastructure and how they impact our way of life. New mandates and recommendations from governments not only identify threats and potential consequences, but also urge action. Unprecedented directives have put owners and operators on notice that cybersecurity is a priority in critical industries. In this blog, we will discuss why critical infrastructure is so vital, the cybersecurity regulations and standards that have been developed to protect it, and the steps critical infrastructure organizations can take to achieve cyber and operational resilience.
According to the Cybersecurity & Infrastructure Security Agency (CISA) critical infrastructure are the assets, systems, and networks that provide functions necessary for our way of life. CISA has identified 16 critical infrastructure sectors that are considered so vital that their incapacitation or destruction would have debilitating consequences on security, the economy, and national public health or safety. Critical infrastructure is the backbone to modern society, not only underpinning the effective operation of businesses and services but also the long term confidence and planning in a region. Providing resilience and security is necessary for furthering economic growth and investment, and for protecting public safety.
Due to the interconnectivity of the cyber-physical systems (CPS) in critical environments that orchestrate sensing, computation, control, networking and analytics — and result in the reliable systems and operations we depend on — an attack on one system could have cascading effects throughout the entire environment. For example, a cyberattack on an electrical grid could potentially also disrupt transportation systems, cause communication failures, or lead to the compromise of medical facilities — all of which could result in the endangerment of public safety and, in the worst-case scenario, cost lives. The importance of critical infrastructure has also made it a major target for state-sponsored cyber warfare and espionage. By gaining unauthorized access to critical systems, nation-states can attempt to gather intelligence, disrupt operations, or disable infrastructure capabilities which would result in major threats to national security and public safety. These are just a few reasons why protecting critical infrastructure is so crucial.
Next, we will discuss real-world examples of cyberattacks on critical infrastructure, the disruption they caused, and will outline the robust cybersecurity measures these systems and devices require for protection.
As the cyber landscape continues to evolve and cybercriminals become increasingly sophisticated in their methodology, new and highly devastating attacks are emerging. In recent years, we have seen this through the following notable examples of attacks on critical infrastructure:
This devastating ransomware attack infected an estimated 230,000 computers in 150 countries in just a few hours by exploiting a dangerous vulnerability in unpatched versions of the then-widely used Windows 7 operating system. The attack began affecting dozens of National Health Services (NHS) facilities and eventually spread to over 60 NHS hospital trusts. During the attack, the affected hospital trusts were locked out of their digital systems and medical devices, resulting in significant disruption for patients and healthcare staff. The impacts of this disruption to many healthcare network’s critical infrastructure included staff reverting back to manual processes, a disturbance to radiology services, canceled outpatient appointments, elective admissions and day case procedures, and emergency ambulances having to be diverted to other hospitals.
Widely regarded as the most costly and destructive ransomware attack in history, NotPetya cyber attack paralyzed operations at multinational corporations across several critical infrastructure sectors including healthcare, energy, and transportation. The damage was an estimated $10 billion and had profound influence on the behavior of cybercriminals and cybersecurity practitioners alike. This cyber incident sparked the realization that OT networks are critical to operations, making them extremely valuable in ensuring the safety and security of industrial operations. This shift from opportunistic, spray-and-pray cyber attacks to more deliberate, targeted campaigns against critical infrastructure organizations with low tolerance for downtime has dramatically altered the threat landscape. This far-reaching attack brought widespread havoc to critical infrastructure organizations and served as a wake-up call when it comes to the security threats brought by IT and OT connectivity.
Critical infrastructure networks have also been in the bullseye of geopolitical conflict. In 2015 and 2016 Ukraine experienced two separate cyberattacks on its power grid. These carefully planned incidents, attributed to Russian hackers, resulted in widespread power outages for hundreds of thousands Ukrainian residents. Due to a lack of visibility throughout the network and without continuous network monitoring, the power distribution companies that were compromised were unable to detect anomalies in network activity and stop the attack from occurring. These incidents set precedent for the security of power grids around the world and highlighted the detriment attacks on critical infrastructure can have on public safety. As cyber threats are no longer just a concern of IT system administrators and network engineers, cybersecurity must become a company-wide initiative to combat these orchestrated efforts.
During the Colonial Pipeline attack, a ransomware-as-a-service group called DarkSide targeted pipelines’ IT systems, leading to a temporary shutdown. The disaster resulted in fuel shortages and higher gas prices for consumers as well as loss of consumer confidence in the protection of critical infrastructure. This attack arose as a result of a single compromised password and old VPN, an attack which typically requires minimal effort for cybercriminals to carry out. Luckily, this type of attack can be easily prevented with basic CPS security in place. As cyber criminals continue to increase in sophistication and understand that critical infrastructure organizations, like Colonial Pipeline, cannot afford downtime it has become increasingly important for them to adopt a strong critical infrastructure cyber security strategy. In response to this incident, the Department of Homeland Security’s Transportation Security Administration (TSA) announced much needed transportation cybersecurity requirements. Below, we will highlight the requirements set by the TSA to boost the cyber resilience of critical infrastructure.
As a result of the above attacks and the sensitive nature of industrial controls systems (ICS), governments and regulatory bodies around the world have recognized the need to establish cybersecurity standards and regulations to protect critical infrastructure. In this blog, we will focus on three relevant regulations and frameworks set forth by the United States government and regulatory bodies:
The TSA has issued cybersecurity directives for Rail, Air, and Pipeline Transportation. These directives are focused on performance-based measures to boost the cyber resilience of U.S. railroad operations, airport and aircraft operators, and critical pipelines. As a result of persistent transportation cyber threats against U.S. critical infrastructure, the TSA is taking emergency action by requiring the development of an implementation plan that describes the measures transportation providers are or will be taking to strengthen cybersecurity resilience and prevent operational disruption and infrastructure degradation.
CIP standards have been developed by the North American Electric Reliability Corporation (NERC) and apply to the electric utilities industry. These mandatory standards address physical security, personnel training, incident response, and system security. The standards apply to all entities involved in the generation, transmission, and distribution of electric power, including utilities, power plant operators, and grid operators. The framework was established to regulate, enforce, monitor, and manage the security of the Bulk Electric Systems (BES) in North America.
CISA has established an Information Sharing and Analysis Organization (ISAO) to gather, analyze, and disseminate cyber threat information. ISAO is a non-governmental organization established to “engage with existing information sharing organizations, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders to develop a set of voluntary standards and guidelines for the creation and functioning of ISAOs”. Through ISAO, critical infrastructure organizations can share threat intelligence information and best practices to raise awareness and collaborate on proactive cybersecurity measures to mitigate risk. Aside from ISAO, CISA also provides guidance for critical infrastructure organizations on establishing strategies for risk management, cyber hygiene, incident response, vulnerability management, continuous monitoring, and more.
Developed by the U.S. Department of Homeland Security (DHS), NIPP is intended to guide the protection and resilience of the nation’s critical infrastructure. The plan outlines how government and private sector participants in the critical infrastructure community can work together to manage risk and achieve security and resilience outcomes. NIPP provides a strategic framework for a collaborative approach to safeguarding critical infrastructure with key aspects including encouraging organizations to adopt risk management practices, providing guidance for incident response and recovery efforts, emphasizing the need for cross-sector coordination, and promoting continuous improvement by leveraging emerging technologies and best practices. This living document undergoes frequent updates to reflect changes in the threat landscape, technological advancements, and lessons learned from any incidents or new findings. Serving as a collective approach to safeguarding critical infrastructure, NIPP helps ensure the nation’s security and resilience.
Following the regulations and standards set for critical infrastructure can help organizations achieve cyber and operational resilience; however, many face difficulty in ensuring compliance as policies and standards can be complex. By leveraging a CPS security provider, like Claroty, organizations can address specific requirements outlined by industry regulations and frameworks. Claroty solutions are purpose-built to align with industry-specific regulatory frameworks and standards, and are specifically tailored to the needs of critical infrastructure organizations — helping them to reduce complexity. With Claroty, critical infrastructure organizations can ensure they are keeping up with the evolving threat landscape and protecting against attacks similar to the ones we’ve discussed by:
Claroty provides comprehensive visibility into an organization's entire XIoT, allowing them to identify and catalog their assets. This asset inventory is not only essential for detecting and mitigating risk, but also can be leveraged for compliance reporting purposes.
Claroty solutions for critical infrastructure organizations automate the process of identifying vulnerabilities, prioritize them based on risk, and then provide the best course of action for remediation. A clear vulnerability and risk management strategy helps organizations assess their risk posture while meeting the vulnerability management requirements of many cybersecurity regulations.
As we’ve noted in our examples of cyber attacks to critical infrastructure, remote access is an easily exploited attack vector in many environments. Claroty SRA was purpose-built to remove the complexity and administrative barriers to effective, efficient remote access for both internal and third-party users. With SRA, organizations can quickly and easily connect to, troubleshoot, and repair assets, while also meeting the requirements for secure network architecture outlined in several industry regulations.
With advanced analytics and anomaly detection, Claroty solutions identify potential cyber threats and provide real-time alerts. Multiple detection engines automatically profile all assets, communications, and processes in industrial networks, generating a behavioral baseline that characterizes legitimate traffic to weed out falses positives. These advanced features enable security practitioners to detect emerging threats and then respond to them promptly, which is key for compliance with regulations and standards.
As we know, critical infrastructure is essential to public safety, security, and the overall well-being of society. Increasingly, threat actors have targeted these critical systems due to an organization's willingness to pay ransom — a result of their inability to afford downtime. The only way for organizations to prevent these threats and achieve resilience is by establishing a robust critical infrastructure cybersecurity strategy. In order to do this, organizations can team up with a CPS security provider that addresses their unique challenges and assists them in demonstrating adherence to industry-specific regulations. The four capabilities listed above just scratch the surface of the ways in which Claroty can assist critical infrastructure organizations achieve operational resilience while streamlining their compliance efforts and reducing the complexity of meeting regulatory requirements. With an accurate asset inventory, strong vulnerability and risk management strategies, Secure Remote Access, and the right threat detection methods, critical infrastructure organizations can boost resilience by tackling their industry-specific challenges head-on.