Combating Cyber Threats in Critical Infrastructure Through Due Diligence
Originally published in CSO Magazine by CyberSaint co-founder Scott Schlimmer
Imagine a major city in the United States without power. Transportation systems would fail, and businesses would have to shut down. Large segments of the population would panic. Considering the important role these sectors have in our country’s economy and way of life, the stakes are high. No one can deny the importance of critical infrastructure cybersecurity. Even more due diligence is required when building a cybersecurity program in key, critical infrastructure sectors.
Many critical infrastructure companies are working hard to become resilient to cyberattacks, but unfortunately, they face an uphill battle. So how do security leaders in these sectors execute cyber due diligence? In this article, I’ll be diving into a few of these sectors – energy, transportation and logistics – and will give you recommendations based on my experience.
What is critical infrastructure?
The US Patriot Act defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.” There are many critical infrastructure sectors, ranging from energy to transportation to telecom, that need protection from cyberattacks because they are so important to our national security, economy and daily life.
Energy and utility organizations focus on preventing cybersecurity attacks, because without a stable energy supply, our economy cannot function. I have done a fair amount of work in this field, helping major companies in the energy sector protect their systems.
This sector is a priority target for cyberterrorists. Saudi Aramco, a Saudi Arabian oil company, was hacked in 2012. Hackers replaced data on hard drives with an image of a burning US flag. Then-Secretary of Defense Leon Panetta, my previous boss when he was Director of the Central Intelligence Agency, labeled the incident a significant escalation of cyber threats, according to the Washington Post.
Between 2010 and 2014, hackers infiltrated the US Energy Department's networks 150 times, according to USA Today. This statistic is terrifying and indicates the gravity of the situation when it comes to the vulnerabilities even in our government’s critical infrastructure departments.
Such vulnerabilities can manifest themselves with grave outcomes. In 2015 a cyberattack on Ukraine’s power grid left 700,000 people without electricity for several hours, just days before Christmas, according to The Telegraph.
These statistics are indicators of a much larger play for cyber attackers. Those in the energy sector should be well aware of any and all cyber best practices to implement, which I’ll go over momentarily.
Transportation and logistics
Our economy relies heavily on trains, planes, ships and automobiles, which are almost constantly under cyberattack. Cybercriminals are targeting all of the systems used in this industry, according to “Security Trends in the Transportation Industry,” an article published by IBM in 2016. The list of systems includes navigation, tracking, positioning and communication systems. If just one of these systems fell vulnerable, it would have a devastating effect on our ability to import and export the products and services that keep our economy alive and well.
In 2014 the Chinese national train reservation system was targeted by hackers who stole customers’ personal data. In 2015 the Polish national airline, LOT, had to cancel 10 flights due to a cyberattack against the airline’s computer system at a local airport. Not only is there fear that hackers will find a way to control our transportation, there’s also a fear our personal data will be stolen and exploited in the process.
Earlier this year, A.P. Moller-Maersk, a Danish business conglomerate with activities in transport and logistics, suffered a cyberattack. Hackers managed to damage Moller-Maersk’s computer system, reportedly costing the company up to $300 million. So, data breaches affect corporations, organizations and individuals.
The harsh reality for critical infrastructure stakeholders
Absent resilient cybersecurity programs, cybercriminals could completely destroy the ways in which our economies and nations operate, which the critical infrastructure sectors have worked so hard to build over many years.
Over the past few years in particular, industries have turned paper processes into digital ones, and have started using advanced analytics to streamline processes and provide solutions to business problems. Unfortunately, technology evolution and digitization lead to more doors for a cyber terrorist to enter.
As a security professional in critical infrastructure, where do I start?
The question that organizations and companies face is not necessarily which best practices to implement, but how to implement them. Finding a framework by which to reference your program can be difficult, especially because most frameworks or standards are regulatory and designed to be industry specific.
Aside from your existing frameworks – ISO, NERC, DFARS, COBIT – there is one framework that covers the depth and breadth necessary to organize and execute an effective and thorough cyber program. This framework, the NIST Cybersecurity Framework (CSF), is built upon NIST 800-53. According to a filing by the Telecommunications Industry Association, the telecommunications sector has identified the NIST CSF as “a great model for consideration of how to begin developing a flexible, voluntary, viable mechanism for cybersecurity readiness and resilience.”
From a risk-based perspective, companies protect their systems by assessing relevant threats and then developing and implementing appropriate risk management practices. A broad, one-size-fits-all security plan could produce vulnerabilities by forcing companies to spend time and resources protecting data or systems that don't pose much risk to them specifically. Meeting standards that don’t address a company’s individual security environment is a recipe for missed steps and can cause an organization to overlook its key needs when it should be spending resources efficiently and effectively.
The CSF was built as a flexible approach that evolves with and encourages tech innovation and individualized security practices. I tend to think this is a good solution and one I’d recommend for all critical infrastructure sectors. NIST developed the CSF specifically to enhance the security and resilience of the nation’s critical infrastructure. The CSF is considered the most robust set of cybersecurity best practices, and much broader and deeper than the less robust ISO controls, for example. The voluntary risk-based framework compiles a set of controls to help organizations manage cybersecurity risks. It creates a common language for all the stakeholders to address and manage risks.
Organizations can implement the NIST CSF using this framework document directly from NIST, or by employing third-party NIST CSF management software to make the process simpler and more manageable. There’s also a NIST CSF guide I wrote, and a previous article I wrote for CSO, “How to spend your cybersecurity budget increase.”
Regardless of the implementation method, it’s important for critical infrastructure industries to assess their cybersecurity risks and to protect themselves. An optimal way to start is to adopt the NIST CSF, which will bring depth and breadth to your due diligence for your organization.