September 27, 2021
The May 2021 Colonial Pipeline attack, which resulted in the prolonged closure of one of America’s largest pipelines due to ransomware, highlighted the real-world consequences of a successful cyberattack.
It shut down nearly half of the supply of jet fuel and gasoline for the east coast of the United States, sparking fears of shortages and hoarding, and then, resulting in actual shortages. The company paid a ransom said to be about US$4.4 million.
The vulnerability of critical infrastructure to cyberattacks has been a topic of research and discussion for decades, with references dating back to at least the 1990s in IEEE journals.
So why has this risk exploded into public attention now? And what makes critical infrastructure around the world so vulnerable to cyberattacks?
Critical infrastructure, most of which is operated by private industry, faces the same risk that other businesses face. It’s become far easier, and less risky, to exploit vulnerabilities for profit, which has provided an incentive for people to write ransomware.
“The monetization and weaponization of digital threats was comparably new when the critical infrastructure components that manage our modern world were being designed for reliability a decade or two ago,” said IEEE Senior Member Kayne McGladrey.
McGladrey says that it’s time consuming to patch security flaws in many of these older components, some of which were designed to run uninterrupted for decades.
“The room for innovation in this space is analogous to the magician’s trick with the fully set table and tablecloth,” he said. “The innovators in this space will be able to replace the table without touching the tablecloth. That could mean in-place upgrades of critical systems, or seamless transitions from a legacy technology to a modern and secure technology.”
Some critical infrastructure facilities had long depended on a kind of built-in level of protection due to the obscure nature of the components they use.
These components, referred to as operational technology, are designed to manipulate physical processes, like electrical flows and chemical reactions, as described in IEEE Security and Privacy Magazine. Often, these components are developed using uncommon programming languages, and exploiting these obscure devices would not normally be profitable for cybercriminals because there are millions of easier targets, like personal computers at large companies. Additionally, operational technology has traditionally been insulated from the internet through dedicated communication lines, making it even harder to reach.
Traditionally, cybersecurity efforts related to critical infrastructure have focused on preventing attacks by sophisticated threat actors targeting operational technology to damage the plant itself.
Increasingly, however, operational technology is in contact with internet-connected information technology systems. An electricity provider, for example, may use software to analyze operational data. That data might be useful for the purposes of increasing efficiency or even sending bills to customers. But a ransomware attack impacts the entire operation of that system by targeting the IT systems.
That’s what happened in the case of the Colonial Pipeline.
As hackers grow increasingly emboldened and sophisticated, what are the keys to securing the infrastructure that millions rely on for day-to-day life?
The answer to that question is the subject of intense focus from governments, researchers and critical infrastructure operators
“Newer cryptography technologies, best practices and protocols, and in the future, AI, will be keys to securing cyber-physical infrastructure,” said IEEE member Marcelo Zuffo.
One solution is to not repeat the mistakes of the past. Software developers and engineers need to consider security concerns at the very beginning of the process, and throughout development. It also means training personnel, using the right security tools and evaluating risks across the supply chain, including software and hardware.
“The challenges are probably interconnected, given the cyberattacks raging on worldwide,” says IEEE member Marcos Antonio Simplicio. “The opportunity here is strongly related to awareness: more and more people are paying attention to the topic of cybersecurity as a strong requirement (or paying the price for not taking the topic seriously enough).”
And significant attention is also focused on making sure operators can restore service quickly when they are attacked.
“Resiliency is more important than the unrealistic goal of denying all threat actors all the time,” said McGladrey. “Countermeasures and response tactics should be diverse and across people, processes and technology. For example, much has been made of a hypothetical example of a threat actor opening the floodgates on a dam and flooding a city, but that fails to consider the human countermeasures that are watching the floodgates and could take corrective actions in time to prevent a catastrophe. Defense in depth is necessary for critical infrastructure.”