Critical infrastructure still porous after many grand improvement plans
We call it critical infrastructure (CI), because it is. The systems that bring us our water, heat and light, that carry away our sewage and other waste, that connect us to the internet, that guide us through urban centers with coordinated traffic lights — all those and more would upend our lives, safety, health and economy if they failed or even malfunctioned significantly.
But we have grown so accustomed to them that we take them for granted, as if they were as automatic as the sun and the tides. We don’t wonder if the light will come on when we flip the switch. We don’t hold our breath and cross our fingers when we flush the toilet — we push the lever and walk away without a thought.
Perhaps not such a good idea. While there have been relatively few incidents that have taken down significant elements of critical infrastructure, some of them have illustrated the ominous possibilities, along with the reality that things connected to the internet cannot be taken for granted.
And even though U.S. presidents from Bill Clinton through Donald Trump have issued executive orders calling for strengthening U.S. cyber defense of CI, the reminders of vulnerabilities keep coming.
That could be in part because securing critical infrastructure is not glamorous. It doesn’t call to mind glorious exploration, like the title of one of President Trump’s earlier initiatives in December 2018 — a proposed, “Cybersecurity Moonshot.” It doesn’t involve jets, missiles, bombs and aircraft carrier battle groups.
It’s relative drudgery: finding vulnerabilities in millions of lines of computer code, patching vulnerabilities in water or electrical systems that were never designed to be connected to the internet.
Cyber is physical
But it really needs to get done. Because cyberattacks on critical infrastructure could cause just as much, or even more, damage than missiles or bombs.
The examples are not just the internationally famous events like the 2010 Stuxnet attack — attributed to but never officially acknowledged by Israel and the U.S. — that destroyed an estimated 984 uranium enrichment centrifuges in the Iranian nuclear program; and the 2015 Russian attack on Ukraine that brought down a portion of that country’s energy grid in the cold of December.
They are also regional and local. In September 2018, a series of seemingly random natural gas fires and explosionsupended the lives of thousands of residents in three communities in the Merrimack Valley of Massachusetts, destroying dozens of homes, leaving thousands without gas or heat for months and costing more than $1 billion to repair.
While an investigation concluded the cause was human error that led to catastrophic excess pressure in gas lines, numerous experts said a cyber attacker who was able to take control of the system and “fool” pressure sensors could do the same thing.
Others, from more recent headlines:
- The September 2019 report by Kaspersky ICS CERT on the “threat landscape for industrial automation systems”found that 41.6% of industrial control system (ICS) computers in the energy sector globally were targeted by cyberattacks in the first six months of the year.
- This past December, Siemens reported vulnerabilities in an application server and migration server that, if exploited, could let attackers disrupt power generation.
- A report issued in January by the industrial security firm Dragos declared that “the number of publicly known attacks impacting ICS environments around the world continues to increase, and correspondingly the potential risk due to a disruptive cyber event impacting the North American electric sector is currently assessed as high.”
- In January, the federal Department of Homeland Security (DHS) issued a warning about maintaining the security of software behind the nation’s critical infrastructure, due to threats from hostile nation-states, most specifically Iran.
- Joe Weiss, a control systems cybersecurity expert, in a blog post earlier this year, listed five malicious attacks in 2019, including one against a U.S. utility.
- Security Week reported earlier this month on an access vulnerability in traffic light controllers made by the Austrian firm SWARCO and deployed in more than 70 countries that could have allowed attackers to take control of the system. Among the possibilities: turn all the lights red, which would create immediate gridlock, or turn them all green, which could cause multiple accidents.
That is only a partial list, of course. And top officials are very much aware of the risk and have been addressing them, at least rhetorically, for some time. For decades we have been hearing dire predictions of a “cyber Pearl Harbor” due to industrial control system (ICS) vulnerabilities in U.S. critical infrastructure that include energy, transportation, water, sewer, food and agriculture, health care, communications — 16 in all, according to the Department of Homeland Security (DHS).
Many experts say those predictions are hyperbole — that U.S. infrastructure is diverse and resilient enough that there is no chance of the nation, or even a portion of it, going dark for weeks or months at a time.
But most experts also acknowledge that the existing weaknesses are significant. Joel Brenner, a former senior counsel and inspector general at the National Security Agency (NSA), in a March 2017 report titled “Keeping America Safe: Toward More Secure Networks for Critical Sectors” for the MIT Center for International Studies, wrote, “The digital systems that control critical infrastructure in the United States and most other countries are easily penetrated and architecturally weak, and we have known it for a long time.”
In an accompanying blog post, he declared, “The White House has been issuing ineffective directives addressing critical networks like clockwork since the ’90s.”
“Bottom line: Over a quarter-century this nation spent billions of dollars on cybersecurity for key infrastructure, yet we are less secure than we were 30 years ago. Good work on cybersecurity is being done, but most of it involves tactical fixes to immediate problems in a never-ending round of Whac-A-Mole. For a nation that is more dependent than any other on electronic connectivity, this is a losing game.”
Offense, defense or both?
So what would be a winning game? That doesn’t have an entirely clear answer.
There is increasing debate over whether most of the nation’s efforts would be best spent making CI security more resilient — as in better on defense — or focusing more on offense (or at least the threat of offense).
According to Jason Healey, recent rhetoric from the top has become more aggressive. In a post on Lawfare earlier this month, Healey declared that President Trump’s Cyberspace Solarium Commission is leaning more toward offense and steering the national effort to protect CI more toward the military than to civilian sectors.
Healey, founding director and now senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and senior research scholar in cyber conflict and risk at Columbia University’s School of International and Public Affairs, wrote that previous administrations have focused more on “cybersecurity and resilience, especially through partnerships between the public and private sectors with little to any direct military role.”
He acknowledged that President Obama did say in a 2015 speech that “we have to build stronger defenses and disrupt more attacks,” but noted that Obama mentioned the military only in passing.
By contrast, the Solarium Commission “uses hawkish national security language that the ‘federal government and the private sector must defend themselves and strike back with speed and agility’ and with ‘layered deterrence,’” he wrote.
But those on the commission itself say things like offense and retaliation are just one layer, and that defense is very much part of the strategy. Robert Morgus, director of one of the task forces of the commission, said “deterrence by denial” is one of three key elements of layered defense.
Quoting political scientist Joseph Nye, one of the “contributing experts” to the report, Morgus said deterrence by denial “must make the cost of aggression ‘unprofitable by rendering the target harder to take, harder to keep, or both.’”
Of course, one of the best ways to make a target harder to take is simply to “build security in” to the software that runs it. If an attacker can’t take a target, there is no need for the time, expense and risk of retaliating.
Indeed, the problem with going on offense in the world of cyber is that, as experts have said for many years, software can level the playing field between nation-state adversaries. Countries like Iran or North Korea, which could never challenge the U.S. militarily, could conceivably do catastrophic damage simply with computer keystrokes from thousands of miles away.
Prevention means doing the basics
So preventing events like that means better defense — focusing on the basics of software security.
Michael Fabian, principal consultant at Synopsys, previously remarked about the 2018 Moonshot report that “information security across the board needs to do fewer ‘transformational’ things and more ‘fundamental’ things.”
And while Rehan Bashir, managing consultant at Synopsys said the U.S. is “moving in the right direction” to improve the security of critical infrastructure, he added that “it is still not enough.”
He said a roadmap to better security exists, and rather than issue grandiose plans every couple of years, U.S. officials simply need to follow it.
“There is an immense need for organizations to adopt security frameworks such as the NIST [National Institute of Standards and Technology] ‘Framework for Improving Critical Infrastructure Cybersecurity,’” he said.
He cited a report from the U.S. Government Accountability Office (GAO) titled “Critical Infrastructure Protection — Additional Actions Needed to Identify Framework Adopting and Resulting Improvements,” which found that “sector-specific agencies (SSAs) have not developed methods to determine the level and type of adoption of NIST framework to establish processes to secure critical infrastructure.”
That could start the nation on the path to treating critical infrastructure with the attention it needs.