Secure and reliable utility operations are vital to national security across the globe. The frequency of attacks on critical infrastructure is rapidly rising, with U.S. data on ransomware attacks on critical infrastructure collected by Temple University showing an increase from 68 attacks in 2018 to 241 attacks in 2020. Attacks are not just rising in the U.S., but across the globe.
In response to this rise in attacks, the U.S. has launched a 100-day critical infrastructure plan, focused specifically on the electricity industry. In addition, A Department of Energy (DOE) Request for Information (RFI) is seeking recommendations for securing the U.S. Energy supply chain, which will open up an important dialogue that will likely result in new ideas for protecting the nation’s electricity operations against future attacks.
Cybersecurity spending for critical infrastructure (CI) has felt little impact from the COVID-19 pandemic, and is set to increase by $9 billion over the next year to reach $105.99 billion by the end of 2021, according to ABI Research. However, the research director also went onto say that energy is one of the sectors where spending has lagged and diverges significantly among regions.
The Urgent Need for Cybersecurity on a Global Scale
More needs to be done to protect utilities from cyberattacks, not just in the U.S. but in Europe as well. The 100-day plan from The U.S. Department of Energy and the Cybersecurity and Infrastructure Security Agency (CISA) gives an indication of the urgency required to tackle cybersecurity, and the seriousness with which the U.S. administration regards this issue.
The Solarwinds attack last year, whilst not a direct driver of this initiative, highlighted the important issue of supply chain risks which are likely to gain more attention from both attackers and defenders. If attackers can compromise something so critical as network monitoring software, to gain privileged access to networks, a greater focus is needed to understand how to surface and mitigate those risks. Indeed the European Network for Cyber Security (ENCS) in its security program for 2021 will, amongst other things, provide support for analyzing risks to the electricity supply chain and sharing knowledge about implementing information security management systems.
As a result of over 450 cyberattacks on critical infrastructure the EU have also set out a new version of the NIS directive. With European companies seen as less well-prepared than firms in Asia and America, they could now face fines from €10m to two percent of their global annual revenue for not complying with the new rules which include; reporting any cyberattacks to the appropriate authority within 24 hours.
One challenge in the ICS space is information sharing, with companies notoriously reluctant to share information that might reveal the operational details of their environments. The UK’s NCSC created a Community of Interest which provides a trusted community to share knowledge expertise and experience. This is an area that the U.S. plan also cites through a voluntary industry effort, so that more organizations can both contribute to and benefit from shared expertise.
The UK NCSC along with the Department Of Energy and the CISA have also been working together, and released a joint Guidance document for Industrial Control Systems last year. It is this kind of global cooperation which will help to move the needle in the favor of those seeking to keep our Critical National Infrastructure secure.
The U.S. plan specifically calls out the need to implement measures or technology that enhance their detection, mitigation, and forensic capabilities. This focus will also serve the European nations well. Detecting threat actors who have already bypassed protection mechanisms and are moving around inside the network is a critical capability. Again, looking at the SolarWinds supply chain attack where an update to a trusted software application provided a threat actor access to the network, monitoring tools could have surfaced the unusual connections from that trusted application and potentially not only have flagged the anomaly but mitigated it as well.
Technologies such as Security and Information Event Monitoring (SIEM) provide a platform for centralized visibility across many disparate technologies, and when combined with Network, Detection and Response (NDR) solutions can give deep visibility into what is happening, for example surfacing unusual traffic in the SCADA environment, or connections from internal hosts that are beaconing to a command and control server.
A Cyber-Focused Future
The EU adopted a new CyberSecurity Strategy for the Digital Decade in December 2020. The strategy recognizes society depends on secure and reliable digital tools and connectivity more than ever. It articulates three key ways to deliver on the strategy:
1. By boosting the security of essential services and connected things
2. By strengthening collective capabilities to respond to major cyberattacks
3. By working with partners around the world to ensure international security and stability in cyberspace
It’s certainly encouraging to see that working with partners has become a theme, and as we move towards what seems to be an ever-more-digital future, protecting the foundations of that future is more than ever a team effort where information sharing and cooperation will be equally as important as technology solutions.