SecurityWeek

ICS/OT

From Warnings to Action: Preparing America’s Infrastructure for Imminent Cyber Threats

As cyber threats grow more sophisticated, America cannot afford complacency. The time for decisive action and enhanced cyber resilience is now.

When FBI Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party in January, he painted a chilling picture of foreign adversarial cyber-agents pre-positioned in the networks of U.S. critical infrastructure operators, ready to strike at a moment of Beijing’s choosing. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” he told members of Congress.

Wray’s warning has a ring of truth. We’ve already seen what can happen when smaller cyberattacks are carried out by far less capable threat actors. When Colonial Pipeline was taken offline for a week by a ransomware gang in 2021, people on the East Coast panicked, rushing to gas stations to top off their vehicles and fill whatever containers they had available.

A Threat of Infrastructure Havoc

Then, government officials tried to reassure the public that there was no reason to fear the worst. Today they’re telling us that America’s power grid, water treatment facilities, hospitals, pipelines, transportation and logistics operations, telecommunications networks, and other critical infrastructure are under imminent risk and that a cyberattack will “wreak havoc and cause real-world harm to American citizens and communities.”

The urgency in Wray’s message was meant as a wake-up call to lawmakers and to snap those responsible for managing U.S. economic and critical infrastructure out of their complacency. For too long, Wray said, cybersecurity has not gotten the attention and resources befitting the threat. Organizations tasked with managing–and protecting–America’s critical infrastructure “cannot afford to sleep on this danger,” he warned.

Not the First Warning for Critical Infrastructure

It’s not the first time Washington, D.C., has tried to get critical infrastructure operators to step up their efforts to protect their systems. In early 2020 the U.S. Cyberspace Solarium Commission offered “A Warning from Tomorrow,” describing a worst-case scenario in which the nation’s capital is crippled by a cyberattack that takes out water treatment systems, the electrical grid, and dams. In their scenario, fires and floods leave the region in ruins. Unfortunately, that fictional account was released just as the country was falling into the grip of the very real COVID-19 crisis. The Commission rightly said we weren’t ready for cyberwar, but no one was listening; they had other things on their mind.

Director Wray’s warning, bolstered by additional chilling accounts from CISA Director Jen Easterly and U.S. Cyber Command Commander Gen. Paul Nakasone, got plenty of media and industry attention. The specificity of their combined testimony, along with the announced takedown earlier in the day of a botnet used by Chinese threat group Volt Typhoon to help “burrow deep” into thousands of critical infrastructure operations, was just the latest in a mountain of evidence that the threat is anything but hypothetical. Maybe now America’s critical infrastructure operators are finally listening and taking steps to evaluate and update their cybersecurity strategies.


Taking Steps to Root Out and Prevent Threats

Among the improvements that should be made is ensuring those responsible for network management and security have complete visibility across their enterprises. CISA has made it clear that this is a foundational element of protecting today’s complex and heterogeneous networks. When the agency issued Binding Operational Directive 23-01 in October 2022, it emphasized that “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.” And while the Directive only applies to executive branch agencies, it underscores the security maxim that you can’t protect what you can’t see.

Critical infrastructure is a category that goes far beyond the list of usual suspects like dams, pipelines, and the power grid. It includes organizations like hospitals, air and sea port facilities, transportation and logistics operations, telecommunications, large industrial concerns, major financial services networks, and any other organization that, if taken offline, would risk physical harm or disruption of economic activity.

Unfortunately, many of the organizations that would be targeted in any cyberattack against critical infrastructure have systems that rely on older IT and operational technologies (OT) that are difficult to secure. This includes industrial controls, Supervisory Control and Data Acquisition (SCADA) systems, and obsolete software and operating systems (the kinds of vulnerabilities targeted by Volt Typhoon). Often these technologies were developed and deployed before digital supply chains became essential, and so were never meant to be exposed to the public internet. That puts security teams in a bind, but they are not without hope.

The Time to Act is Now

With the right tools, critical infrastructure operators can gain the ability to discover and identify all the assets connected to their networks, including IT, OT, Internet of Things (IoT), mobile devices, and more. Once visibility is achieved, available asset and threat intelligence can be used to quantify and assess risk, prioritize patching or mitigating actions, and apply policies that ensure critical assets can be segmented and protected, and that vital operations can continue even if a cyberattack is successful. That is the essence of cyber-resiliency – the ability to take a punch and still deliver vital services.
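The visibility-then-prioritize workflow described above, reduced to working code as an added illustration (this is not code from the column, from CISA, or from any vendor named on the page). The inventory records, the end-of-life OS list, the scoring weights, and the "discovered" host list are all constructed for the example; a real deployment would take them from asset-discovery tooling, vendor lifecycle data, and the organization's own risk model.

```python
"""Added example: a minimal asset-inventory risk prioritizer.

It does three things the column argues for: compare what discovery sees
against what the inventory knows (visibility gap), score each known asset
on exposure / obsolescence / OT criticality / segmentation, and return a
patch-or-mitigate priority list. All data below is constructed.
"""

from dataclasses import dataclass

# Constructed: operating systems treated as end-of-life (unsupported).
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008", "CentOS 6"}

# Constructed scoring weights (assumption, not an industry standard).
WEIGHTS = {
    "internet_exposed": 40,  # reachable from the public internet
    "eol_os": 25,            # unsupported OS, no vendor patches
    "ot_or_safety": 20,      # OT device or safety-critical function
    "unsegmented": 15,       # sits on a flat network with everything else
}


@dataclass
class Asset:
    name: str
    kind: str               # "IT", "OT", "IoT", or "mobile"
    os: str
    internet_exposed: bool
    segment: str            # network zone name; "flat" means no segmentation
    safety_critical: bool = False


def score_asset(asset):
    """Return (score, reasons) for one asset using the constructed weights."""
    score, reasons = 0, []
    if asset.internet_exposed:
        score += WEIGHTS["internet_exposed"]
        reasons.append("exposed to the internet")
    if asset.os in EOL_OS:
        score += WEIGHTS["eol_os"]
        reasons.append(f"end-of-life OS ({asset.os})")
    if asset.kind == "OT" or asset.safety_critical:
        score += WEIGHTS["ot_or_safety"]
        reasons.append("OT or safety-critical")
    if asset.segment == "flat":
        score += WEIGHTS["unsegmented"]
        reasons.append("not segmented")
    return score, reasons


def prioritize(assets):
    """Return (asset, score, reasons) tuples, highest score first."""
    scored = [(a, *score_asset(a)) for a in assets]
    scored.sort(key=lambda t: (-t[1], t[0].name))
    return scored


def coverage_gap(discovered, inventoried):
    """Names seen on the wire but absent from the inventory: the unknowns
    that visibility tooling exists to surface."""
    return sorted(set(discovered) - set(inventoried))


# Constructed sample inventory spanning IT, OT and IoT.
INVENTORY = [
    Asset("plc-boiler-01", "OT", "VxWorks 6.9", False, "ot-zone", safety_critical=True),
    Asset("scada-hmi-02", "OT", "Windows 7", True, "flat"),
    Asset("hr-laptop-17", "IT", "Windows 11", False, "corp"),
    Asset("lobby-camera-4", "IoT", "Linux 3.x", True, "flat"),
]

# Constructed: what a passive discovery pass reported, including one host
# nobody had recorded.
DISCOVERED = ["plc-boiler-01", "scada-hmi-02", "hr-laptop-17",
              "lobby-camera-4", "unknown-modbus-gw"]


def report(inventory=INVENTORY, discovered=DISCOVERED):
    """Print the visibility gap and the priority list; return the ranking."""
    gap = coverage_gap(discovered, [a.name for a in inventory])
    print("Unrecorded assets seen on the network:", gap or "none")
    ranking = prioritize(inventory)
    for asset, score, reasons in ranking:
        print(f"{score:3d}  {asset.name:16s} {', '.join(reasons) or 'no findings'}")
    return ranking


if __name__ == "__main__":
    report()
```

In this constructed data the exposed, unpatched, unsegmented SCADA HMI lands at the top of the list, while the safety-critical PLC scores lower only because it already sits in its own zone with no internet exposure; the "unknown-modbus-gw" host shows up in the gap report, which is the point: until it is inventoried it cannot be scored, segmented, or protected.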

There can be no excuse for further delay in taking the steps Director Wray, Director Easterly, and General Nakasone recommended. The time to take action is now. From reinvigorating an emphasis on cyber hygiene to implementing new tools to enable a Zero Trust posture, the means are available to vastly improve cyber readiness, security, and resiliency.

Written By

Danelle Au is a cybersecurity and AI go-to-market leader with 20+ years of experience bringing disruptive security, cloud, and AI technologies to market. She is currently VP of Product Marketing at Cylake. Danelle has held multiple CMO and VP roles across startups and market leaders—including Infoblox, Ordr, Blue Hexagon, SafeBreach, and Adallom—helping define emerging security categories and scale go-to-market engines. She is a co-founder and co-author, has multiple U.S. patents, and holds an M.S. in Electrical Engineering from UC Berkeley. The opinions and views expressed within her articles are those of Danelle alone in her personal capacity and do not necessarily reflect the positions of Cylake or any of her prior employers.
