Imagine the U.S. lost all power; transportation systems have failed; businesses have been forced to shut down, and millions of people are in a panic. No one would be able to deny the importance of critical infrastructure. Cyberattacks of late are allowing us to imagine, for better or for worse, that incidents like these, but typically at a smaller scale, are more possible than ever. The growing threat of advanced cyberattacks on critical infrastructure and industrial control systems indicates a serious challenge for organizations.
There are many critical infrastructure sectors in the U.S. from energy to transportation to health, and “their incapacitation or destruction would have a debilitating effect on national economic security, national public health and safety, etc. Cybersecurity threats impact companies, reputations as well as the ability to innovate. Therefore, the protection of all sectors is critical, and now is the time to take action.
Many of the cyber defenses used by organizations and operators to avoid attacks are outdated and ineffective, however, as hackers always seem to be one step ahead. Also, visibility within cyber teams is lacking and human error is difficult to keep track of, leaving vulnerable spots for hackers to enter.
Energy and utility organizations worldwide are focusing on cybersecurity attacks, and because without a stable energy supply the economy cannot function, the sector is a priority target for cyber terrorists.
In 2012, Saudi Aramco, a Saudi Arabian oil company, was hacked, and hackers replaced data on hard drives with an image of a burning U.S. flag. It prompted the then Secretary of Defense Leon Panetta to label the incident as a significant escalation of the cyber threat.
Between 2010-2014 hackers had stolen source code and blueprints to the U.S. oil, water pipelines, and power grid, and had infiltrated the Energy Department's networks on 150 occasions. In 2015, a cyber attack on Ukraine’s power grid left 700,000 people without electricity for several hours just days before Christmas. Strikingly, the hackers behind this incident have attempted few cyber attacks against the U.S. energy sector.
Transportation & Logistics
The transportation industry is of utmost importance when it comes to prioritizing cyber program management. According to Security Trends in the Transportation Industry (published by IBM in 2016), cybercriminals are targeting all the systems used in this industry, including navigation, tracking, positioning, and communication systems. Those who facilitate our daily use of trains, planes, ships, and automobiles are under constant attacks.
In 2014, the Chinese national train reservation system was targeted by hackers who stole customers’ personal data. In 2015, the Polish national airline, LOT, had to cancel 10 flights due to a cyber attack against the airline’s computer system at a local airport.
Earlier this year A.P. Moller-Maersk, a Danish business conglomerate with activities in transport and logistics, fell under a cyber attack. Hackers managed to damage Maersk’s computer system, and it led to disruption in transport across the globe, including delays at the Port of New York and the Port of Los Angeles.
These examples prove that without a complete security system, cybercriminals could destroy the infrastructure that critical infrastructure industries have worked so hard to build. Over the past few years, industries have begun the process of turning paper processes digital and using advanced analytics in order to meet needs, and more technology evolution leads to more doors for a cyber terrorist to enter.
As a stakeholder in a critical infrastructure organization, where do I start?
It is important for industries to assess their cybersecurity risks and to protect themselves. An optimal way to start is to adopt a cybersecurity framework.
NIST developed the Cybersecurity Framework (CSF) to enhance the security and resilience of the nation’s critical infrastructure and is considered the fullest set of best practices for any business's cyber program. The voluntary risk-based framework compiles a set of controls to help organizations manage cybersecurity risks. As a matter of fact, all government agencies are required to use this framework for protection purposes. It creates a common language for all the stakeholders to address and manage risks.
As of 2015, 30% of U.S. organizations were using the NIST CSF, and use is predicted to rise to 50% by 2020. Only when more and more companies get on board with this framework, we can better prepare for cyber attacks. Don’t wait until the attack hits for your business's wake up call. Realizing the significance of how a framework can exponentially increase your resilience can help you immensely as you work to make your cybersecurity program more robust.