At the halfway point of 2021 we’ve already seen three major events that underscore just how vulnerable and neglected some of our nation’s most critical infrastructure has become.
Most recently, JBS, the world’s largest meat supplier, suspended operations on June 1 for 24 hours following a ransomware attack that could have dramatically disrupted the food supply chain and elevated meat prices further. JBS, which controls about 20 percent of the slaughtering capacity for cattle and hogs in the U.S., halted cattle slaughter at all its American plants. The attack also affected JBS operations in Australia and Canada. JBS informed the U.S. government the ransomware attack originated from a criminal organization likely based in Russia.
Just one month prior, a ransomware infection shut down the Colonial Pipeline, which supplies vast amounts of refined fuels to America’s Eastern Seaboard. Gas prices instantly spiked and fears of fuel shortages led to consumer hoarding.
Whether the failures stem from nefarious attackers or severe weather, the impact remains the same: People are uncomfortable, hungry, scared, and angry. We as a nation must build better resiliency into our core infrastructure.
Core infrastructure refers to any utility or service that supports our economy and way of life. Interruptions to the most critical systems would cause panic and potentially injury and death. These include, but are not limited to, electricity, water, wastewater treatment, natural gas, and fuel supply such as gasoline, home heating oil, and diesel fuel.
The consequences of lost utility services are dire:
Just one of these interruptions can incite hysteria—and rightfully so. Imagine if we experienced several at the same time—no electricity, no fuel, no fresh food or water.
Ransomware and other malicious software attacks are not new, but the targets are. Groups have recently turned their focus to infrastructure, food, and electric service, with other systems sure to come in the near future. The average cost of recovery from such attacks is now close to $2 million, double the 2020 figure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a guide last year that explains how ransomware works and best practices for prevention. Sadly, companies such as JBS and Colonial Pipeline failed to heed this advice.
Demand for electricity has skyrocketed with the pervasive use of high-consumption electric water heaters, clothes dryers, hair dryers, well pumps, ovens and stovetops, and heat sources. The influx of electric cars has driven up demand even more, and they will likely become our single largest energy-using devices.
Our electric grid can barely keep up with air-conditioning demand in hot summers. Most of us have experienced rolling blackouts in our lifetime due to insufficient electric generation or power grid strain. Now imagine adding millions of electric cars demanding electricity. Then introduce a cyberattack on the electric distribution systems. What are you left with? A weak, vulnerable system that almost the entire country relies on for modern living. We’ve already seen such attacks succeed outside the U.S. They are not fiction.
Water utilities operate similarly to pipeline companies and deliver clean drinking water for the communities they serve. Imagine a malware attack on the utility control system that left millions without water service, or a wastewater treatment attack that resulted in overflowing sewers. America’s Water Infrastructure Act (AWIA) was enacted in 2018 to address cybersecurity and physical security risks for water utilities across the country. Still, too many smaller utilities have not completely mitigated cybersecurity risks.
Pipeline companies control the flow of their products through computer automation. Industrial control systems manage all of the pumps, valves, meters, and safety of operations. Information technology systems also control billing and customer orders and track product delivery. Major outages can occur if any of these vital systems become inoperative.
In the case of the Colonial Pipeline, ransomware impacted their ability to deliver fuel to millions of people. This was an embarrassment that led the President of the United States to hold a public press conference explaining the situation, which unveiled a complete lack of resilience and responsibility.
Vulnerabilities exist on almost every device we operate today. Commercial IT systems and Industrial Control Systems are no different. The Colonial Pipeline failed because they had not sufficiently mitigated vulnerabilities through cybersecurity controls. Why? We often find that budgets and misunderstandings around the risks are the biggest reasons for lax cybersecurity. Lawmakers are writing legislation at this moment to address the cybersecurity of our critical infrastructure. Unfortunately, it takes high-profile events to bring appropriate attention to our vulnerabilities.
What’s worse, existing cybersecurity technology such as modern Endpoint Detection and Response (EDR) solutions very likely could have prevented the Colonial Pipeline ransomware impact. Not only was Colonial infected, it was unable to recover without paying the ransom; some EDR solutions also help recover infected endpoints. Colonial also lacked a viable means of fast recovery for its critical systems.
DarkSide, the group that attacked the Colonial Pipeline, publicly admitted they avoid targeting entities that serve the public. Apparently, they just stumbled on Colonial as an interesting company to exploit for ransom. What would happen if they or another group deliberately went after our infrastructure? If the organizations behind the infrastructure handle cybersecurity as poorly as Colonial did, we should all be very concerned. We need to do better.
In some respects, we control our own fate. Cybersecurity systems today are effective enough to thwart most cyberattacks, including the one on the Colonial Pipeline. Government agencies such as CISA publish information to guide infrastructure operators. Here are some specific actions operators should consider right away to reduce their risks:
Professional services organizations with experience in operation and information technology security systems can perform risk assessments that shape a strong cybersecurity strategy. Often, infrastructure operators already have many of the systems required to build and support an effective cybersecurity program. Leveraging existing systems and bolstering them with newer, more effective cybersecurity solutions can dramatically reduce the risk of ransomware impact.
At Stratascale, we offer cybersecurity assessments that determine areas of weakness along with corresponding improvement strategies. Since we work with all major cybersecurity companies, we can design, engineer, and implement proven, mature solutions based on your risk vectors, needs, and budgets. These solutions, along with a good risk analysis, will reduce the likelihood of a ransomware attack or any other type of malware-induced business interruption.
David is a Senior Security professional and Risk Management expert. His strongest skills involve finding and engineering technical solutions for security vulnerabilities. David has experience in vulnerability assessments, encryption solutions, data loss prevention, incident handling and industrial control security. His management experience enables him to easily bridge the gap between technical and management teams.
David currently holds CISSP, GCIH, GPEN, GCFA, GCIA, and GRID certifications.