The Key Cybersecurity Vulnerabilities for Critical Infrastructure
The most obvious vulnerability is the human element. Too many users still choose weak passwords or reuse one password across multiple accounts, or they click a suspicious link in an email or open an unexpected PDF attachment.
In the case of the February hack of the water treatment plant in Oldsmar, Fla., “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” according to a Massachusetts state advisory describing FBI findings on the attack.
Another factor often at play is that critical infrastructure providers are still running legacy software that is no longer patched. For example, all computers used by personnel at the Oldsmar plant were connected to the SCADA system and ran an outdated, 32-bit version of the Windows 7 operating system, which Microsoft stopped supporting with security updates in January 2020.
If critical infrastructure entities were conducting monthly cybersecurity audits, those vulnerabilities could be flagged and remediated more easily. Yet even when problems are flagged, the people who need to implement the changes sometimes simply do not.
Another element of vulnerability is insider threats, whether that comes from employees or contractors with access to critical systems.
Finally, there are the vulnerabilities introduced by Internet of Things devices and by connecting operational technology systems to the internet and to IT networks. Many providers do not understand the security risks these connected devices and connections can pose.
How to Strengthen Cybersecurity Defenses for Critical Infrastructure
The first step to improving cybersecurity is to conduct a thorough assessment of the entity’s current IT environment and security controls. Critical infrastructure providers should work with trusted third parties on such assessments and determine vulnerabilities in their hardware, software, licensing, patch management, and security procedures and protocols.
After that, providers can work with their partners on upgrades to their IT infrastructure and architecture to better secure their networks and IT environments.
The next step should focus on personnel, including audits of who has access to which systems. Providers should adopt a least-privilege strategy, giving users the minimum level of access they need to do their jobs.
Agencies should also improve their cybersecurity training, ensure that users are following best practices on password security and phishing, and conduct more regular training than they do currently.
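The assessment and access-audit steps above can be partly automated once a provider has an inventory of its hosts and accounts. The script below is an added example, not code from StateTech, CISA or the Oldsmar plant: the host and account records are constructed, the credential fingerprint field (`cred_fp`), the role-to-privilege table and the check names are assumptions, and the rules mirror the weaknesses this article describes (remote-access credentials shared across accounts, internet-facing remote access with no firewall, operating systems past their vendor end-of-support date, and accounts holding more privileges than their role needs).

```python
"""Periodic audit checks modelled on the weaknesses described in this article.

Added example; not code from StateTech, CISA or the Oldsmar plant. The host and
account records are constructed, and the rule set is an assumption about what a
monthly audit would look for.
"""
from collections import defaultdict
from datetime import date

# Vendor end-of-support dates (Microsoft: Windows 7 on 14 Jan 2020,
# Windows 10 on 14 Oct 2025). After these dates no security patches ship.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Assumed least-privilege policy: the most each role is allowed to hold.
ROLE_MAX_PRIVS = {
    "operator": {"hmi_view", "hmi_control"},
    "engineer": {"hmi_view", "hmi_control", "plc_program"},
    "contractor": {"hmi_view"},
}

# Constructed host inventory (names, software and exposure are invented).
HOSTS = [
    {"name": "HMI-01", "os": "Windows 7", "remote_access": "TeamViewer",
     "internet_facing": True, "firewall": False},
    {"name": "HMI-02", "os": "Windows 7", "remote_access": "TeamViewer",
     "internet_facing": True, "firewall": False},
    {"name": "ENG-01", "os": "Windows 10", "remote_access": None,
     "internet_facing": False, "firewall": True},
    {"name": "HIST-01", "os": "Windows 10", "remote_access": "RDP",
     "internet_facing": True, "firewall": True},
]

# Constructed account records. "cred_fp" stands for a fingerprint (hash) of the
# stored remote-access credential as exported from the credential store; two
# accounts with the same fingerprint share a password.
ACCOUNTS = [
    {"user": "jdoe", "role": "operator", "host": "HMI-01", "cred_fp": "fp-3b9c",
     "privs": {"hmi_view", "hmi_control"}},
    {"user": "msmith", "role": "operator", "host": "HMI-02", "cred_fp": "fp-3b9c",
     "privs": {"hmi_view", "hmi_control"}},
    {"user": "alee", "role": "engineer", "host": "ENG-01", "cred_fp": "fp-9d21",
     "privs": {"hmi_view", "hmi_control", "plc_program"}},
    {"user": "vendor-svc", "role": "contractor", "host": "HIST-01", "cred_fp": "fp-c07a",
     "privs": {"hmi_view", "hmi_control", "plc_program"}},
]


def shared_credentials(accounts):
    """Map each credential fingerprint used by more than one account to its users."""
    users_by_fp = defaultdict(list)
    for acct in accounts:
        users_by_fp[acct["cred_fp"]].append(acct["user"])
    return {fp: sorted(users) for fp, users in users_by_fp.items() if len(users) > 1}


def exposed_remote_access(hosts):
    """Hosts reachable from the internet that run a remote-access service with no firewall."""
    return sorted(h["name"] for h in hosts
                  if h["internet_facing"] and h["remote_access"] and not h["firewall"])


def unsupported_os(hosts, today):
    """Hosts whose operating system is past its vendor end-of-support date."""
    return sorted(h["name"] for h in hosts
                  if h["os"] in END_OF_SUPPORT and END_OF_SUPPORT[h["os"]] <= today)


def excess_privileges(accounts):
    """Map users to the privileges they hold beyond what their role permits."""
    findings = {}
    for acct in accounts:
        extra = acct["privs"] - ROLE_MAX_PRIVS[acct["role"]]
        if extra:
            findings[acct["user"]] = sorted(extra)
    return findings


def run_audit(hosts, accounts, today):
    """Run every check and return the findings keyed by check name."""
    return {
        "shared_credentials": shared_credentials(accounts),
        "exposed_remote_access": exposed_remote_access(hosts),
        "unsupported_os": unsupported_os(hosts, today),
        "excess_privileges": excess_privileges(accounts),
    }


if __name__ == "__main__":
    for check, result in run_audit(HOSTS, ACCOUNTS, date(2021, 2, 5)).items():
        print(f"{check}: {result if result else 'no findings'}")
```

On the constructed data the audit flags the two HMI hosts for both exposed remote access and an unsupported OS, the shared operator password, and a contractor service account holding control and programming rights its role does not need. In practice the inventory would come from an asset database or network scan and the credential fingerprints from the remote-access tool's own store; the point of the checks is that each is a mechanical, repeatable question an auditor can ask every month rather than only after an incident.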
This will inevitably lead to discussions and concerns about whether critical infrastructure providers have the budget to do all of this. Often, whatever is on the main radar screen for agency and IT leaders is what gets funding, and too often changes are only made after a catastrophe.
The attacks this year should be a wake-up call to all critical infrastructure players to enhance their cybersecurity. They can work with third parties on managed security services and with agencies such as the Cybersecurity and Infrastructure Security Agency to improve their security posture. Agencies should also back up their data to multiple locations, including copies kept offline or otherwise isolated from the production network so that ransomware cannot reach them, to help stave off the worst effects of an attack.
Assessments, auditing and training may sound boring, but these are the basic blocking and tackling elements that agencies need to perform to improve their IT security.
Attacks on critical infrastructure providers are increasing, and the threats to our national security are real. Agencies must conduct more regular security drills, including what they will do if they are the victim of a ransomware attack.
Sometimes agencies are defeated by the simplest means. Basic security protections can go a long way to helping prevent those attacks.
This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.