A recent surge in cyberattacks, including SolarWinds and Colonial Pipeline, has intensified a focus on cybersecurity across industrial sectors and critical infrastructure. As a result, the U.S. government and other organizations within the nation’s defense supply chain have taken action to protect the critical assets and organizations that ensure the security and prosperity of our country.
Why Critical Infrastructure and the Defense Supply Chain Are Vulnerable to Attack
Adversaries have tested all aspects of our national infrastructure — from water treatment plants to oil and gas enterprises, hospitals, shipping ports, and more — to find ways to infiltrate systems and bring operations to a halt. Although cybercriminals have traditionally attacked information technology (IT) systems, many now have their eyes on operational technology (OT) systems commonly found in critical infrastructure.
While IT attacks may bring down information systems and cause delays or shutdowns, attacks on OT systems can have potentially devastating consequences. By infiltrating OT networks and systems, cybercriminals can access industrial control systems (ICS) and disrupt the nation’s shipping ports and operations, interfere with gas supplies, empty oil tanks into oceans, cut off a region’s electricity, or even detonate explosions at power plants.
The August 2021 attack on the Port of Houston saw hackers — who were suspected to be backed by foreign governments — breach a computer network at one of the largest ports on the Gulf Coast. Hackers exploited a previously unknown vulnerability in password management software to break into one of the Port’s web servers. Once they gained access, the hackers installed malicious code that expanded their access to the Port’s systems.
With this level of access to the Port’s IT system, the hackers could have quickly taken control of the ICS and brought operations at the port to a standstill. Fortunately, the incident was detected early, and authorities prevented the hackers from disrupting shipping operations. Attacks of this nature have prompted many organizations and government agencies to tighten cybersecurity measures through increased regulations for critical infrastructure and defense contractors.
The Department of Defense (DOD) and the Federal Government contract a large volume of work to third parties, and a lot of that work involves classified information. As such, these contractors have access to vast amounts of sensitive data related to supplies, partners’ operations, government security procedures, and military intelligence. This access makes these contractors high-value targets for attackers.
The challenge of securing the nation’s data is made more complex when one considers the potential vulnerabilities of suppliers. Take, for example, a U.S. facility that manufactures industrial controllers. Although the controllers are assembled here, some of the controllers’ components come from China. Each part manufactured abroad opens the resultant product to interference, because the U.S. cannot impose its cybersecurity regulations on manufacturers in other countries. It’s easy to see how securing a supply chain becomes more difficult with each link.
These vulnerabilities can lead to attacks with dire consequences. Wars can be fought through networks by disrupting supply chains, shutting down hospitals, or deleting critical records. One nation could stage a digital blockade on another, putting civilians at risk from all angles. If the attacked government is unprepared to detect or combat an attack, the consequences could be severe.
How the Government Is Protecting Both Sectors
The spotlight on cyber vulnerabilities has spurred new government action related to the defense supply chain and critical infrastructure organizations.
In 2020, the government established the Cybersecurity Maturity Model Certification (CMMC) as a verification process for Defense Industrial Base (DIB) contractors within the DOD’s supply chain. The CMMC ensures that DIB companies implement cybersecurity practices and procedures that adequately protect federal contract information (FCI) and controlled unclassified information (CUI) within their networks.
With CMMC, all contractors who provide products or services to the DOD must demonstrate that they meet rigorous cybersecurity standards before winning defense contracts. The Department is implementing CMMC through a phased rollout. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.
The adoption of CMMC is significant as it’s the first time the government has imposed a mandate of this nature. Before CMMC, companies’ certification status did not affect their ability to win contracts. Now, they have no choice but to comply if they want to keep working with the DOD.
Additionally, the CMMC process requires commitment. Unlike other certifications, such as ISO 27000, a CMMC is not merely a paper process audit. Companies cannot simply check items off a list to become certified. CMMC requirements involve monitoring a company’s connections and data flow.
Requiring a CMMC from companies of all sizes is a significant move toward universal attack preparation. When it comes to cybersecurity, smaller companies have typically avoided implementing advanced security measures. Hackers realized that attacking large companies with robust security programs was more difficult than focusing on smaller, less-prepared targets. The CMMC requirements dictate that these smaller businesses have security measures similar to those of their larger counterparts, which should deter bad actors.
In relation to our nation’s critical infrastructure, the U.S. government has taken swift action to help the industry prepare for and protect itself against future attacks.
In July 2021, the Biden Administration released the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.” This memorandum outlined key cybersecurity initiatives, including:
- A collaboration between the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST) to create performance goals for cybersecurity within critical infrastructure.
- The President’s Industrial Control System Cybersecurity Initiative, which aims to facilitate the implementation of technology and systems that provide threat visibility, detection, and warnings.
How Critical Infrastructure Organizations and Defense Contractors Can Defend Against Cyberattacks
Now, more than ever, it’s crucial for businesses of all sizes and in all industries to prioritize the safety and security of the country’s sensitive data. The reality is that private companies run most of the country’s infrastructure through government contracts, defense-related or otherwise. As such, these organizations must be proactive about implementing cybersecurity protocols. They cannot wait for an attack before upgrading their cybersecurity or rely solely on government guidelines. If they do, by the time an attack occurs, it’s already too late.
At its core, cybersecurity is about understanding how an organization touches external networks, how it segments those networks, where it stores sensitive information, and whether intruders can find any openings through which they can access sensitive information or take control of or disable operations.
Consider two banks: one with two vaults and one with 20. Both banks have two guards protecting them. Which bank would be easier to breach? It’s the same with companies in the defense supply chain and those within critical infrastructure. Cyberattackers are now trained to look for the cracks in these attack surfaces — they’re looking for the vaults with no guard protecting them.
Gaining visibility into an organization’s systems and connected networks is vital to defending against attacks – especially as we see increased connectivity in modern industry, which causes the attack surface to expand. Having these insights aids early detection and allows organizations to craft comprehensive supply chain and OT security plans that keep their systems safe from attacks.