The critical infrastructure sector — energy, utilities, oil and gas, and more — is largely made up of privately owned and operated organizations, and yet, their demise is anything but private. As we’ve watched critical infrastructure attacks or unexpected natural events take place in a variety of forms over the past year — including the Colonial Pipeline Co. cyberattack, the Texas power crisis and others — damage to an organization within this sector can have devastating impacts across organizations, communities and countries.
The Colonial Pipeline Co. system, which carries gasoline and jet fuel to portions of the United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline, leading to shortages across regions of the country.
Other news from this year included attacks and attempted attacks on water treatment plants in California and Florida, where threat actors hacked into systems to alter chemical levels of the water supply.
Criminal attacks are not the only threats that can have a widespread impact on the sector and greater population, however. When Texas saw uncharacteristically cold temperatures in February of this year, the critical infrastructure in the state was not equipped to handle the extreme temperatures in that region, resulting in more than 100 deaths and millions of Texans losing power for more than two weeks. Additionally, Hurricane Ida, which made landfall on Louisiana and Mississippi at the end of August this year, was one of the most powerful hurricanes in U.S. history to make landfall on the mainland; more than a million customers in Louisiana and Mississippi were without power, for weeks.
In the past year and a half, in particular, security leaders have realized there is no such thing as a “black swan” event, says Brian Harrell, Vice President and Chief Security Officer at AVANGRID. While the threats to critical infrastructure may be big, the potential impacts may be even bigger, but there’s no response “cavalry” waiting in the wings to swoop in and help. With this in mind, Harrell says, critical infrastructure organizations can take a couple of steps to secure their business, their services and their communities — and they all come down to being proactive.
First and foremost, organizations involved in securing critical infrastructure need to seek out partnerships across businesses and agencies to share information and ideas on challenges, protections and more.
“It comes down to resilience,” Harrell says. “For nearly all our infrastructure sectors, we need to embrace collective defense. The private sector, academia, government and the vendor community are all in this together. No longer can there be silos to go it alone; we need to tackle these challenges with strategic partners in mind.” He adds that, as an industry, we’ve learned from past incidents that organizations must make investments in security and resilience, as well as forge relationships internally and externally as part of their planning, response and recovery procedures, rather than waiting around only to react to an attack.
Though relationships are key, Harrell adds that part of a proactive security program includes basic threat and vulnerability assessments to be able to understand risks and challenges unique to the organization. “It really starts with understanding your crown jewels and who has access to the keys to the kingdom. As an organization, you also need to understand the threat your employees pose as well as understand the tactics and techniques of nation-state adversaries. If we understand these things, we can better understand our systems and risks,” he says. “With risk reduction in mind, let’s also be realistic about how we invest in security. We should protect diamonds like diamonds, and pencils like pencils.”
Once the security leader has a strong handle on the risks, it’s imperative that organizations invest in testing those vulnerabilities through exercises, as it allows the organization to trial response and recovery plans, as well as bring cross-functional departments and external partners together to work on communications and fine-tune response.
“We need to test our response and recovery plans frequently and with the assumption that our worst day is right around the corner,” Harrell adds.
While standards and compliance surrounding cybersecurity within the critical infrastructure sectors have recently been a topic of international dialogue, Harrell cautions that organizations cannot sit by and wait to be told how to prepare for a potential storm. “Security compliance is really a minimum baseline for our programs. We should constantly be testing our own systems and understanding what the adversary is after, as well as the techniques and procedures they are using. If we implement legislation and standards and then say, ‘now we are secure,’ that is a mistake,” Harrell says. “Mandatory compliance is one of many tools in the toolbox, but compliance alone will not prevent future attacks.”
In acknowledgment of the wide-reaching effects that damage to critical infrastructure organizations and systems can impart, Security magazine has dedicated our October 2021 issue to Critical Infrastructure Security. This month, our features cover the challenges and risks associated with this market sector, along with solutions and best practices