Jul 19 2021

What Critical Infrastructure Providers Need to Do to Enhance Their Cybersecurity

Vulnerability scanning and user training can go a long way to guarding against cyberattacks for utilities and other critical infrastructure players.

Critical infrastructure providers have been under siege this year, targeted in a series of high-profile cyberattacks. In February, it was a water treatment plant. In May, it was a vital energy pipeline. In June, it was the world’s largest meat processor. Also in June, NBC News reported that a malicious actor tried to poison a water treatment plant serving the San Francisco Bay Area back in January.

This string of events has raised ransomware attacks and other cyberattacks to the level of a major national security concern for the Biden administration. What can utilities and other state and local agencies that manage critical infrastructure sectors do to protect themselves?

These sectors face many of the same vulnerabilities as other organizations, including poorly trained staff who still click on malicious links, legacy software that needs to be upgraded and a lack of visibility into the connected devices that now proliferate in their IT environments.

There is no silver bullet for critical infrastructure providers. They will need to ramp up not just their vulnerability scanning but also cybersecurity training for staff and protection against insider attacks.

The Key Cybersecurity Vulnerabilities for Critical Infrastructure

The most obvious vulnerability is the human element. Too many users still use weak passwords or reuse passwords for multiple accounts. Or they click on a suspicious link in an email or on a random PDF file.

In the case of the February hack of the water treatment plant in Oldsmar, Fla., “computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” according to a Massachusetts state advisory describing FBI findings on the attack.

Another element often at play is that critical infrastructure providers are still running legacy software that has not been patched. For example, all computers used by personnel at the Oldsmar plant were connected to the SCADA system and used an outdated, 32-bit version of the Windows 7 operating system.

If critical infrastructure entities were conducting monthly cybersecurity audits, those vulnerabilities could be flagged and remediated more easily. Yet even if they are caught, sometimes the humans who need to implement the changes simply do not.
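The kind of check such an audit would run, as an added example that is not code from the article or from any vendor it mentions: it walks a constructed asset inventory and flags the four weaknesses described above at the Oldsmar plant (a remote-access credential shared across machines, remote access reachable from the internet with no firewall, an operating system past vendor support, and patching older than one monthly cycle). The hostnames, credential fingerprints and inventory fields are assumptions for illustration.

```python
"""Monthly configuration audit over a constructed asset inventory.

Added example (not code from the article or any named vendor). It flags the
weaknesses the article describes at the Oldsmar plant: a remote-access
credential shared across machines, remote access reachable from the internet
with no firewall, an unsupported operating system, and stale patching.
Hostnames, fingerprints and the field names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Operating systems past vendor end-of-support (Windows 7 left support in
# January 2020). Assumption: the inventory records the OS by product name.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
MAX_PATCH_AGE_DAYS = 30  # one monthly cycle, matching the article's cadence


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    remote_access: bool      # a remote-control or RDP-style service is enabled
    internet_facing: bool    # reachable from outside the plant network
    host_firewall: bool      # a host firewall is enabled in front of that service
    cred_fingerprint: str    # digest of the remote-access credential, never the secret
    last_patched: date


def audit(hosts, today):
    """Return {host name: [finding, ...]} for every host with at least one finding."""
    findings = defaultdict(list)
    hosts_by_credential = defaultdict(list)

    for h in hosts:
        if h.remote_access:
            hosts_by_credential[h.cred_fingerprint].append(h.name)
            if h.internet_facing and not h.host_firewall:
                findings[h.name].append("remote access reachable from the internet with no firewall")
        if h.os in UNSUPPORTED_OS:
            findings[h.name].append(f"unsupported operating system: {h.os}")
        age = (today - h.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings[h.name].append(f"last patched {age} days ago")

    # Credential reuse is only visible across hosts, so it needs a second pass.
    for names in hosts_by_credential.values():
        if len(names) > 1:
            for n in names:
                others = sorted(set(names) - {n})
                findings[n].append(f"remote-access credential shared with {', '.join(others)}")

    return dict(findings)


# Constructed inventory: two SCADA workstations mirroring the article's
# description, plus one office machine that should pass.
AUDIT_DATE = date(2021, 7, 19)
SAMPLE_INVENTORY = [
    Host("scada-ws-01", "Windows 7", True, True, False, "fp-a1b2", date(2020, 11, 2)),
    Host("scada-ws-02", "Windows 7", True, True, False, "fp-a1b2", date(2021, 1, 15)),
    Host("office-01", "Windows 10", True, False, True, "fp-c3d4", date(2021, 7, 1)),
]


if __name__ == "__main__":
    for host, issues in sorted(audit(SAMPLE_INVENTORY, AUDIT_DATE).items()):
        print(host)
        for issue in issues:
            print("  -", issue)
```

The inventory stores only a fingerprint of each remote-access credential, so the audit can detect reuse without the audit report itself becoming a place where passwords are collected. Running it on the same day each month turns the article's "monthly audit" into a comparable series of reports rather than a one-off.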

Another element of vulnerability is insider threats, whether that comes from employees or contractors with access to critical systems.

Finally, there are vulnerabilities from Internet of Things devices and the way that operational technology systems have become connected to the internet and IT systems. Many providers do not understand the security risks that these connected devices can pose.


How to Strengthen Cybersecurity Defenses for Critical Infrastructure

The first step to improving cybersecurity is to conduct a thorough assessment of the entity’s current IT environment and security controls. Critical infrastructure providers should work with trusted third parties on such assessments and determine vulnerabilities in their hardware, software, licensing, patch management, and security procedures and protocols.

After that, providers can work with their partners on upgrades to their IT infrastructure and architecture to better secure their networks and IT environments.

The next step should focus on personnel, including audits of who has access to which systems. Providers should adopt a least-privilege strategy, giving users the minimum level of access they need to do their jobs.
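What the access audit and least-privilege comparison look like in practice, as an added example that is not code from the article: it assumes a simple model in which each account has one role, each role has a written-down set of systems it needs, and an export lists what each account is actually granted. It reports grants beyond the role's need, accounts with no recognised owner, and, for each system, who can reach it. The roles, systems and account names are invented.

```python
"""Least-privilege access review over a constructed access export.

Added example, not code from the article. It assumes a simple model in which
each account has one role, each role has a defined set of systems it needs, and
an export lists what each account is actually granted. Names of roles, systems
and accounts are invented.
"""

# Role -> systems someone in that role needs. Assumption: the organisation has
# written these down; the review is only as good as this table.
ROLE_NEEDS = {
    "plant_operator": {"scada_hmi"},
    "control_engineer": {"scada_hmi", "plc_programming", "historian"},
    "billing_clerk": {"billing"},
    "it_admin": {"directory_admin", "historian", "billing"},
}

# Constructed access export: account -> (role, systems currently granted).
ACCESS_EXPORT = {
    "jdoe": ("plant_operator", {"scada_hmi", "plc_programming"}),
    "asmith": ("control_engineer", {"scada_hmi", "plc_programming", "historian"}),
    "contractor7": ("billing_clerk", {"billing", "scada_hmi"}),
    "mlee": ("it_admin", {"directory_admin", "historian", "billing"}),
    "legacy_svc": (None, {"historian", "scada_hmi"}),   # no owner on record
}


def excess_grants(access, role_needs):
    """Return {account: sorted systems granted beyond what the role needs}."""
    excess = {}
    for account, (role, granted) in access.items():
        if role not in role_needs:
            continue  # reported separately by unowned_accounts()
        extra = granted - role_needs[role]
        if extra:
            excess[account] = sorted(extra)
    return excess


def unowned_accounts(access, role_needs):
    """Accounts whose role is missing or unknown; each is an audit item in itself."""
    return sorted(a for a, (role, _) in access.items() if role not in role_needs)


def who_has(access, system):
    """Every account that can reach a system, for a per-system access review."""
    return sorted(a for a, (_, granted) in access.items() if system in granted)


if __name__ == "__main__":
    for account, extra in excess_grants(ACCESS_EXPORT, ROLE_NEEDS).items():
        print(f"{account}: revoke {', '.join(extra)}")
    print("accounts without a recognised role:", unowned_accounts(ACCESS_EXPORT, ROLE_NEEDS))
    print("who can reach scada_hmi:", who_has(ACCESS_EXPORT, "scada_hmi"))
```

The per-system view matters as much as the per-account one: a contractor account that legitimately needs billing but also holds SCADA access, or a service account with no owner, only stands out when the question is asked from the system's side.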

Agencies should also improve their cybersecurity training, ensure that users are following best practices on password security and phishing, and conduct more regular training than they do currently.

This will inevitably lead to discussions and concerns about whether critical infrastructure providers have the budget to do all of this. Often, whatever is on the main radar screen for agency and IT leaders is what gets funding, and too often changes are only made after a catastrophe.

The attacks this year should be a wake-up call to all critical infrastructure players to enhance their cybersecurity. They can work with third parties on managed security services and with agencies such as the Cybersecurity and Infrastructure Security Agency to improve their security posture. Agencies should also back up their data to multiple locations to help stave off the worst effects of a ransomware attack.

Assessments, auditing and training may sound boring, but these are the basic blocking and tackling elements that agencies need to perform to improve their IT security.

Attacks on critical infrastructure providers are increasing, and the threats to our national security are real. Agencies must conduct more regular security drills, including what they will do if they are the victim of a ransomware attack.

Sometimes agencies are defeated by the simplest means. Basic security protections can go a long way to helping prevent those attacks.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.
