The cyber incident that forced the shutdown of the main gasoline pipeline to the US East Coast is another stark reminder that more needs to be done to protect fuel distribution systems, electric utilities, and other vital infrastructure from ransomware criminals like DarkSide, the Eastern European group the FBI has blamed for the attack.
The stakes are high. Our day-to-day lives rely on access to critical infrastructure. This makes those facilities particularly attractive targets to criminal groups and nation-state actors. Cyberattacks like the recent one threaten the well-being of citizens and the security of nations.
To counter the risk, private and public infrastructure operators need to think like hackers and identify the full range of severe but plausible threats that could cause damage. Leaders need to quickly produce and deploy defensive plans to combat potentially crippling threats. And, crucially, firms need to practice how they would respond to an actual attack to ensure their reflexes are ready.
In addition, organizations need to be prepared to share information about the latest threats more proactively with peers and relevant authorities, and alert others to vulnerabilities before malicious actors can exploit them and cause harm.
President Biden took a step in that direction on May 12 by signing an executive order removing contractual barriers to information-sharing and requiring information technology providers to share knowledge about any cyber breaches that could impact government networks.
Insufficient preparation is no longer acceptable for infrastructure operators. The risk of such hacks has been evident for years, and the recent compromise of network management software provider SolarWinds and an attack on a water treatment plant in Florida underscore how urgent the danger is and how serious the consequences could be. The number of security vulnerability advisories issued by the US Department of Homeland Security for control systems supporting the electricity grid rose more than tenfold in just eight years.
There are four steps operators should take to reduce the risk of cyberattacks.
Adopt the Mindset of a Hacker
If you want to guard your home against the threat of burglary, you start by addressing the ways that thieves would typically enter dwellings: insecure doors and windows or an aged alarm system, for example. Infrastructure is much more complex but operators need to take a similar approach and ask themselves, if I wanted to demand ransom, cause damage, or steal valuable information, what could I do and how would I do it?
Once firms have identified their vulnerabilities, they need to start plugging the gaps and developing the right set of playbooks and response protocols. Businesses should start by prioritizing their most critical systems or facilities, the ones that if compromised could cause the greatest monetary or physical damage. The US government will create its own cyber response playbook and provide a template for the private sector under Biden’s executive order.
One US-based corporation gathered a group of seasoned employees and asked them how they would carry out an attack, based on their knowledge of the firm’s systems. The responses were both alarming and insightful as the workers described a variety of ways to compromise data or cause damage. Management set up a task force to review those risks and mitigate the vulnerabilities the employees identified.
Talk to Each Other
Any defensive strategy or red-team, blue-team exercise is only as good as the information on which it’s based. Companies and regulators know this, but many factors impede effective information-sharing in practice. Firms may fear legal liabilities or reputational damage if they disclose a cyberattack.
To imagine a better world, consider the aviation industry’s experience. Over the last 50 years, airplane crashes have become rare. This is thanks in good part to industry collaboration and regulations requiring the disclosure of safety issues and thorough public investigations into accidents.
It may not be easy or practicable to establish similar rules for cyberattacks across all domains in the near term, but firms should be encouraged to share as much information as possible about incidents and vulnerabilities. Information-sharing also needs to extend to governmental authorities that may reap valuable threat intelligence through their law enforcement agencies or, in the case of nation-state actors, through foreign intelligence gathering.
Enlist Your Suppliers
Companies increasingly rely on third-party software and technology service providers to support their digital business models. That makes it essential to include such vendors in their cybersecurity defense strategies. Suppliers can be a point of vulnerability, as happened to some organizations using SolarWinds’ software, but importantly from their cross-customer vantage point, they often have better intelligence or a unique view regarding cyber-risks and the best approaches for mitigating them.
Vendors can work with hundreds if not thousands of companies, giving them insight into the wide range of vulnerabilities that exist and the best practices for addressing them. If a company is outsourcing some of its IT operations to a third party, for example, it could demand that the vendor share its latest cybersecurity insights at regular intervals as part of the contract.
Practice Like it’s for Real
Cybersecurity isn’t static. Companies need to test their defensive strategies with practical exercises that are as close to real-life situations as possible.
The Securities Industry and Financial Markets Association’s latest exercise, dubbed Quantum Dawn V in November 2019, had more than 150 financial firms and 50 regulatory bodies across 19 countries respond to a simulated ransomware attack on systemically important institutions and a financial markets utility. It recommended that the industry create a directory of key players and personnel, and improve cross-border sharing of information among firms, trade associations, and regulators.
One US financial firm conducted an exercise involving a simulated cyberattack coinciding with a social protest and a storm, only to have nature intervene by throwing two actual hurricanes, wildfires, and a pandemic into the mix. Such exercises concentrate minds and enable organizations to learn a great deal about their vulnerabilities, their communications abilities, and how to respond in a crisis. And companies that enroll key suppliers in such exercises will ultimately be better prepared. The last place you want to be shaking hands and making introductions is on the cyber battlefield.
There is no such thing as perfect security, but operators of essential infrastructure and their regulators can do much more together to protect facilities from potentially devastating attacks.