Imagine the U.S. losing all power; transportation systems have failed; businesses have been forced to shut down, and millions of people are in a state of panic. No one can deny the importance of critical infrastructure. Cyberattacks of late are allowing us to imagine, for better or for worse, that incidents like these, but typically at a smaller scale, are more possible than ever. The growing threat of advanced cyberattacks on critical infrastructure and industrial control systems indicates a serious challenge for organizations.
There are many critical infrastructure sectors in the U.S., from energy to transportation to health, and “their incapacitation or destruction would have a debilitating effect on national economic security, national public health and safety, etc. Cybersecurity threats impact companies, reputations, and the ability to innovate. Therefore, the protection of all sectors is critical, and now is the time to take action.
Many of the cyber defenses used by organizations and operators to avoid attacks are outdated and ineffective, however, as hackers always seem to be one step ahead. Also, visibility within cyber teams is limited, and human error is challenging to track, leaving vulnerable spots for hackers to exploit.
Cyber Risks for Critical Infrastructure: Energy
Energy and utility organizations worldwide are focusing on cybersecurity attacks, and because without a stable energy supply the economy cannot function, the sector is a priority target for cyber terrorists.
In 2012, Saudi Aramco, a Saudi Arabian oil company, was hacked, and hackers replaced data on hard drives with an image of a burning U.S. flag. It prompted the then Secretary of Defense Leon Panetta to label the incident as a significant escalation of the cyber threat.
Betwe,en 2010-2014 hackers had stolen source code and blueprints to the U.S. oil, water pipelines, and power grid, and had infiltrated the Energy Department's networks on 150 occasions. In 2015, a cyber attack on Ukraine’s power grid left 700,000 people without electricity for several hours just days before Christmas. Notably, the hackers behind this incident have attempted several cyberattacks against the U.S. energy sector.
Transportation & Logistics
The transportation industry is of utmost importance when it comes to prioritizing cyber program management. According to "Security Trends in the Transportation Industry" (published by IBM in 2016), cybercriminals are targeting all systems used in the industry, including navigation, tracking, positioning, and communication systems. Those who facilitate our daily use of trains, planes, ships, and automobiles are under constant attack.
In 2014, the Chinese national train reservation system was targeted by hackers who stole customers’ personal data. In 2015, the Polish national airline, LOT, had to cancel 10 flights due to a cyber attack against the airline’s computer system at a local airport.
Earlier this year, A.P. Moller-Maersk, a Danish business conglomerate with activities in transport and logistics, fell victim to a cyber attack. Hackers managed to compromise Maersk’s computer system, resulting in disruptions to global transportation, including delays at the Port of New York and the Port of Los Angeles.
These examples demonstrate that without a complete security system, cybercriminals can compromise the infrastructure that critical infrastructure industries have invested so much in building. Over the past few years, industries have begun the process of digitizing paper-based processes and utilizing advanced analytics to meet their needs. However, more technological evolution leads to more opportunities for cyber terrorists to enter.
As a Stakeholder in a Critical Infrastructure Organization, Where Do I Start for Cyber Risk Management?
It is important for industries to assess their cybersecurity risks and to protect themselves. A good starting point is to adopt a cybersecurity framework.
NIST developed the Cybersecurity Framework (CSF) to enhance the security and resilience of the nation’s critical infrastructure and is considered the most whole set of best practices for any business's cyber program. The voluntary risk-based framework compiles a set of controls to help organizations manage cybersecurity risks. In fact, all government agencies are required to use this framework for protection purposes. It creates a common language for all the stakeholders to address and manage risks.
As of 2015, 30% of U.S. organizations were using the NIST CSF, and use is predicted to rise to 50% by 2020. Only when more companies adopt this framework can we better prepare for cyberattacks. Don’t wait until the attack hits for your business's wake-up call. Realizing the significance of how a framework can exponentially increase your resilience can help you immensely as you work to make your cybersecurity program more robust.