In May 2021, America’s energy jugular was threatened by a remote group of malicious cyber actors, called DarkSide. They unleashed a ransomware attack on one of the largest energy firms in the world and caused chaos across half of the United States. The ransomware attack stopped gas deliveries on the East Coast, causing shortages at the pump, a price spike on gasoline, and forced the company to pay millions of dollars in ransom to get their networks released.
The ransomware attack was the latest example of the potential danger that can be caused by the convergence of cybersecurity and physical security. Industry adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices into their networks have led to an interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once-clear and separate functions of cybersecurity and physical security.
Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.
A successful cyber or physical attack on connected industrial control systems (ICS) and networks can disrupt operations or even deny critical services to society. For example:
- A security gap in access controls, such as unauthorized access to facilities or system permissions, can allow an individual to use a universal serial bus (USB) device or other removable hardware to introduce a virus or malware into a network.
- Heating, ventilation and air conditioning (HVAC) systems can be virtually overridden, causing a rise in temperature that renders network servers inoperable.
- A cyberattack on telecommunications can impair communication with law enforcement and emergency services, resulting in delayed response times.
- An unmanned aircraft system (UAS) can compromise sensitive information by gaining access to an unsecured network using wireless hacking technology.
- A cyberattack exploiting healthcare vulnerabilities can compromise sensitive data or cause a connected medical device to malfunction, resulting in injury or loss of life.
Over the past several years, the nature of this threat has evolved and is now more complicated and asymmetric. Infrastructure — the systems that enable our way of life, such as water, transportation, electricity, etc. — continues to be a frequent target of interest by a diverse group of malicious actors — nation-states like Russia, China, Iran and North Korea, as well as cybercriminals, terrorist groups, and others — who can initiate attacks from anywhere in the world.
We have seen this evolving threat environment firsthand, as it has been quite a year for cybersecurity. First, we witnessed cybercriminals seize on the pandemic as an opportunity to deliver malicious software, steal data, disrupt organization operations, and target vaccine developers and supply chains.
As many countries enforced social distancing and shifted to remote work, the attack surface expanded, forcing companies across the globe to rethink their business strategies and kick-starting an accelerated digital transformation for many organizations.
In the U.S., we worked across all levels of government and industry in a whole-of-nation effort to successfully protect the 2020 U.S. Presidential election — and the lessons learned continue to drive improvements in information sharing, communication and incident response within our country as well as with our democratic partners.
In December, we were alerted to a cyber espionage campaign that had likely been ongoing since September 2019 — commonly referred to as the SolarWinds cyber incident. The U.S. government formally attributed this cyber supply chain compromise to Russian Foreign Intelligence Service actors. This compromise targeted not only U.S. government networks, but also industry networks.
In March, we were alerted to another widespread exploitation. This time cyber actors targeted one of the most widely used business applications — Microsoft Exchange Server. A month later, we were alerted to another exploitation, this time in Pulse Connect Secure products. That incident traces back to the consequences of the COVID-19 pandemic: the growth in the use of virtual private networks, which enable our remote work and education, has kept them on the list of targets for malicious cyber actors to exploit.
And just in the last few months, Americans experienced the real-world consequences of the ransomware epidemic as malicious cyber actors targeted a fuel pipeline, taking down part of our infrastructure on a regional level, as well as a meat production plant, causing a shortage in our food supply chain.
Ransomware is an important threat to take into account because these types of attacks are hitting entities across the globe. Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.
Ransomware is an epidemic affecting cities, hospitals, schools, manufacturing and other critical infrastructure targets.
Malicious cyber actors are going after these victims because they have both the means and, most importantly, the incentive to pay. Distinct threat actor groups that engage in ransomware attacks appear to be collaborating more closely with their peers in the criminal underground, behaving more like cybercrime cartels than independent groups. Ransomware attacks that previously took weeks or days now only require hours to complete.
While these threats are undoubtedly significant, looking ahead, we believe that, through collective defense and resilience, we can dramatically decrease the number and impact of ransomware attacks.
What can we do?
Given this rising threat, the U.S. government is looking to better coordinate protection efforts that anticipate and counter criminal groups’ tactics, techniques and procedures, to help prevent ransomware attacks from reaching their intended targets. This will ensure our nation and the global community address criminal campaigns as a whole, rather than individual incidents.
This effort is being led from the White House. In response to recent attacks, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, released a memo on June 2, directed towards corporate executives and business leaders, urging that those in positions of authority take seriously and act decisively in their efforts to protect against ransomware.
At CISA, we are supporting these efforts by focusing on hardening targets, making our systems more secure and resilient, and more difficult for cyber actors to penetrate.
CISA’s counter-ransomware initiatives, like most of our work, are designed to defend today and secure tomorrow. That means working collaboratively with our partners across government, industry and the international community to enhance the security of infrastructure against today’s threats and shape the strategic environment over the long term.
We are doing so in a number of ways:
- We share alerts on new ransomware campaigns, as we did late last year when we had credible information on a threat to hospitals, which would have had devastating consequences during the COVID-19 pandemic.
- We also provide best practices on how to prepare for and respond to ransomware incidents. I encourage you to utilize CISA’s resources to reduce your organization’s risk of ransomware. These resources can be found on CISA.gov/ransomware.
- Beyond sharing alerts and best practices, we are raising awareness of the threat through our recently launched outreach campaign, which shares steps everyone can take to reduce their risk of ransomware.
For critical infrastructure owners and operators, CISA has the following recommendations:
- Develop an incident response plan: It is imperative that you develop a scenario-based incident response plan that includes clear leads and backups for all the potential incident response roles, from the executives to the incident commander to legal counsel and public affairs.
- Back up systems: Backing up all critical information to the cloud or offline, and testing your ability to revert to these backups, is also a practice that organizations must routinely adopt. Doing so will help mitigate consequences in the event that an attack does occur.
- Isolate systems: If the bad guys get in, make it hard for them to get data out. For example, immediately isolate the infected systems and review the connections of any business relationships, including any customers, partners or vendors that touch your network, to prevent the further spread of the attack.
- Report an incident: If you fall victim to a cyberattack, we encourage you to reach out to us. Upon request, CISA also regularly deploys expert teams to help entities mitigate and recover from cyber incidents, and we stand ready to provide our services to any organization that has experienced a cyberattack.
The U.S. government highly recommends that ransoms not be paid, primarily because you would be paying a criminal who may or may not return your data, and because paying encourages cybercriminals to attack more victims. Over the longer term, we want to see what more we can do to evolve our collective capabilities to block emerging types of ransomware and foster the market for scalable protective innovations.
None of this is easy, and unfortunately, if the business model remains viable, we are unlikely to see a significant reduction in the activity from the ransomware actors. Until then, we need to do everything we can to reduce the likelihood that they are successful.
Convergence to Improve Security
Together, cyber and physical assets represent a significant amount of risk to physical security and cybersecurity — each can be targeted, separately or simultaneously, to result in compromised systems and/or infrastructure. Yet, physical security and cybersecurity divisions are often still treated as separate entities. When security leaders operate in these silos, they lack a holistic view of security threats targeting their enterprise. As a result, attacks are more likely to occur and can lead to impacts such as exposure of sensitive or proprietary information, economic damage, loss of life and disruption of national critical functions (NCFs).
NCFs are functions of government and the private sector so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. These functions are connection, distribution, management and supply. As the U.S. becomes more dependent on cyber and physical infrastructure, the opportunities and threats both converge.
Convergence is a formal collaboration between previously disjointed security functions. Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions.
A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination and collaboration. Organizations of all sizes can pursue convergence by developing an approach that is tailored to the organization’s unique structure, priorities and capability level.
CISA is ready to provide resources to individuals and organizations that request assistance. On CISA.gov, there is a plethora of information regarding cyber safety, cyber hygiene and the detection and prevention of cyberattacks. This information can make the difference between being protected or being vulnerable.
Additionally, CISA offers comprehensive training, including courses on industrial control systems, continuous diagnostics and mitigation, and incident response, among others. Registering for training in person or virtually is easy, and all CISA services are provided free of charge.
As we look ahead, we know that our adversaries will continue to try to exploit vulnerabilities, utilize ransomware as a threat tactic and target critical infrastructure. Given that, it is imperative that we come together and renew our efforts to encourage responsible behavior and oppose those who would seek to disrupt our security.
The U.S. government is committed to collaborating with our partners in the private sector to strengthen the security of our global digital infrastructure.
Cybersecurity is the new battlefield, and only by reaching across traditional boundaries and continuing to adapt to meet new challenges will we be able to develop a common strategy and unify our collective defense.
Recognizing 2021’s National Critical Infrastructure Security and Resilience Month, Security magazine had the honor of working with security leaders within the public and private sectors to bring you October’s Special Report — composed of five different features to be used as best practices and resources to assist critical infrastructure organizations in bolstering their security postures to prevent and reduce the risks of disruptions.