Critical infrastructure comes up often in the news, from politicians and from the agencies that oversee or operate within industries considered critical to the United States and its daily functioning. The Department of Homeland Security describes it this way: critical infrastructure “includes the vast network of highways, connecting bridges and tunnels, railways, utilities, and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water, and electricity all rely on these vital systems.” (dhs.gov) At the very least, all of these systems are important to our normal, everyday lives.
The media, politicians, and agencies such as CISA (the Cybersecurity and Infrastructure Security Agency), which is tasked with securing critical infrastructure, have been raising red flags for years: the United States is not prepared for a major cyberattack, the power grid is vulnerable to cyber threats, and it is not a matter of if but when. Cyber is the great equalizer. It gives nation states, terrorists, and other malicious actors a way to cause chaos and erode the confidence of the American people without dropping a bomb or using any other kinetic means of attack.
In the last decade there have been several intrusions that I am afraid are a precursor of things to come. These attacks are not limited to the United States; they are occurring everywhere around the world. We hear about high-profile incidents like the Colonial Pipeline ransomware attack in May 2021, which shut down the largest fuel pipeline in the US, caused gas shortages on the East Coast with many stations running out of fuel, and drove record prices at the pump. The company paid a ransom of roughly 4.4 million dollars (75 bitcoin), and it took about a week to restore service. Europe’s power grids are under constant cyberattack as well: the industry there is dealing with an estimated 1,000 intrusion attempts and attacks every week, and the war in Ukraine has made them worse. The Polish deputy minister Ireneusz Zyska saw the attacks firsthand during a recent visit to Poland’s grid operations hub: “I was … observing thousands of attacks on our energy grid taking place live.” (Jack, V. 2023) These threats, and many others, are not going away.
Here is the deal: these attacks are going to intensify. With technology advancing at a rapid pace, especially artificial intelligence and machine learning, attacks are only going to become more invasive and more evasive.
We need to start planning now. What prompted me to write today was an incident reported in the local news: a relatively small water authority in Aliquippa, PA was hit by a cyberattack. So far, CISA and other authorities are fairly sure the attackers took over a PLC (programmable logic controller). These devices control many facets of a water facility’s operations, such as chemical dosing and water pressure. Yes, I said chemical dosing. The PLC in question is made by an Israeli manufacturer, Unitronics, whose devices have been targeted by Iranian-affiliated hackers. PLCs are not your normal network component or computer; they are industrial computers. They are connected to a network, but they are nothing like an ordinary Windows PC. They are, however, extremely important: if compromised, they can be used as a foothold into other interconnected systems and, in the worst case, to manipulate the chemical treatment process in ways that could severely harm the public. In this case, the facility’s staff were able to shut the PLC down and switch to manual operation. The attackers did not need a sophisticated exploit; they took advantage of a device that was reachable from the internet and still using a weak, default password to gain access. On the Unitronics screen they left a message: “You have been hacked, down with Israel, every equipment made in Israel is a Cyber Avengers Legal Target.” This water authority serves around 7,000 people, a small slice of the population, but imagine if the attackers had reached the PLC controlling drinking-water treatment and changed the chemical dosing without anyone noticing until it was too late. That would have been catastrophic and deadly.
This incident drives home the fact that no critical infrastructure is safe. Both the public and private sectors need plans in place for attacks like this. First, ensure the public is protected. Second, protect the facility and its workers. Finally, safeguard the critical industrial components so the facility can keep serving the public. It’s time to stop thinking that something is too small or unimportant to protect; that is not the world we live in. Everything is interconnected, and everything is susceptible to attack. The statistics bear this out, and I have included links to a few sources at the end of this post. It’s not a matter of if but when an intrusion will occur. Protecting critical infrastructure is complicated because industrial systems have so many moving parts. It isn’t just about protecting your computer or training users not to open suspicious emails, although that is part of it. It’s about knowing what you have, what systems are in place, and how those systems interact with the outside world, including the internet. In Aliquippa’s case the first fixes are not exotic: change the PLC’s default password, take it off the public internet, and put any remote access behind a firewall and VPN. Knowing what you have is where the battle starts.
- Department of Homeland Security. (n.d.). Critical infrastructure. https://www.dhs.gov/science-and-technology/critical-infrastructure
- Jack, V. (2023, November 26). Europe’s grid is under a cyberattack deluge, industry warns. POLITICO. https://www.politico.eu/article/energy-power-europe-grid-is-under-a-cyberattack-deluge-industry-warns/