At a time when the world is gripped by a virulent pandemic, there is perhaps no greater critical infrastructure than the nation’s hospitals that are treating Covid-19 and other patients. It’s not hard to imagine the ramifications if even a few of those hospitals were incapacitated and unable to fully care for the sickest among us – because it’s already started to happen.

Heartless attackers used ransomware to disable computer systems at healthcare facilities in Oregon, New York, Vermont, Michigan and Wisconsin in October. The FBI and other federal agencies have issued warnings about “imminent cybercrime threats” aimed at the nation’s healthcare providers.

And it’s not just the healthcare industry that’s vulnerable. According to the security consultancy Kroll, ransomware has been the most observed threat across its client base in 2020, accounting for over a third of security events. While the volume of ransomware has steadily increased, it has also materialized into one of the most destructive types of attacks because it elicits a “deer in headlights” reaction from defenders and creates a newsworthy event by very publicly crippling an organization.

When we hear the term “critical infrastructure,” we want to believe that the assets – whether they are physical or digital – are extremely secure. Our minds conjure images of the vaults of Fort Knox, which are protected from every angle. However, critical infrastructure of the digital variety is not necessarily any more secure than any other digital asset. It all comes down to how meticulous the organization is in looking for and quickly closing vulnerabilities and security gaps that expose an attack surface for a bad actor to exploit.

In fact, many of the successful ransomware attacks this year made their way into environments by first exploiting vulnerabilities in completely different parts of an organization or even its supply chain. Remote attackers often exploit unpatched servers, misconfigurations, compromised credentials, and other conditions that demonstrate poor security hygiene.

Researchers at Awake Security recently examined one such form of critical infrastructure: that which supports the national election process. The research analyzed the attack surface for state and local government organizations. The non-partisan, purely technical assessment focused on using only publicly available information to identify the external facing infrastructure that could be targeted and infiltrated by an outside attacker. The team studied and reported on the vulnerabilities that could be used by an attacker looking to gain a foot hold, spread laterally, launch attacks and cause disruption, spread disinformation or establish a path to the crown jewels of election infrastructure. (For details on how this was done, read the report The Day After the Elections: The Attack Surface That Could Undermine Our Trust in the Elections.)

It’s important to note that the country’s election infrastructure is not one monolithic system that is centrally controlled. Rather, the equipment and systems are actually owned and operated by thousands of individual state and local government agencies. This latter fact contributes to a high level of vulnerability, especially now when budgets to secure elections at the local level are very constrained. So, the results of the Awake Security research should come as little surprise.

In short, researchers found:

  • Thousands of Internet-facing applications, many of which appear to be running vulnerable and, in some cases, decades old software
  • States and counties exposing services like Kerberos that have been previously exploited in attacks such as WannaCry and ZeroLogon
  • Common vectors for ransomware and other destructive attacks within the state and county infrastructure

Fortunately, cybersecurity experts at the Department of Homeland Security declared that the 2020 U.S. election was one of the safest and most secure in recent history, but given the massive number of vulnerabilities throughout the computer systems, the outcome could have been quite different. And just because the election is over, doesn’t mean these vulnerabilities disappear. There are still many adversaries looking to wreak havoc at all levels of government and the focus on cybersecurity around the election should serve as a clarion call to shore-up cyber defenses.

Critical infrastructure in other industries have their weaknesses, too. Utilities, public transportation and the U.S. defense industrial base have all been targeted for attack. Threats to organizations in these critical sectors, if carried out, could have dire impact beyond just the company or agency involved.

While many organizations and agencies are operating under constrained budgets today, security of digital critical infrastructure must be prioritized. Owners of the assets should be following these best practices.

  • Understand the assets – Do a complete and thorough discovery of all assets to fully understand what must be protected and what your attack surface truly is – it often isn’t what your first impression is.
  • Look for existing compromise – Do a compromise assessment to learn if any parts of the network already have a hidden compromise or signs of previously unknown compromise.
  • Use the proper tools – Implement the tools that can monitor for threats, misconfigurations, and other weaknesses and automate response and remediation to reduce time to neutralize the problems that are found.
  • Mind the gaps – This goes back to the first bullet; organizations are typically aware and therefore monitoring and protecting only about 40-50% of the attack surface. The rest are often beyond the purview of even the best endpoint security tools e.g., IoT devices or shadow IT / cloud infrastructure. As a consequence, this puts these assets beyond the visibility of even the best security team.
  • Isolate critical assets – First identify the assets that are more critical to business operations and then consider solutions like network segmentation and multi-factor authentication to protect these assets and to monitor and prevent the lateral spread of threats.
  • Implement ZTNA – Use zero trust network access techniques to ensure access is not based on assumptions such as a secure perimeter. Remember these days almost every threat at some level manifests as an insider threat – even if it is the result of stealing a victim’s credentials.
  • Make security a continuous process – The practices above aren’t a one-time thing. Security must be a continuous process.

With dedication and diligence, following the best practices above can reduce the risk of cyber threats against digital critical infrastructure.