Cybersecurity Essentials for Critical Infrastructure
Introduction Today, cyber-security curricula are available across educational types and levels, including a vast array of programs and modules tailored to specific sectors of industry and audiences, to allow more targeted delivery of knowledge. Nonetheless, general agreement on best measures and methods for cybersecurity training has yet to be reached. Objective In this study, we seek to establish the current state-of-the-art in cyber-security training offerings for critical infrastructure protection and the key performance indicators (KPIs) that allow evaluating their effectiveness. Particular focus is given in this study on the aviation, energy and nuclear sectors. Methodology Accordingly, the article presents the findings of a systematic literature review that collected relevant literature produced after 2000.
The identified sources have been examined according to a formal data extraction form, allowing the analysis of relevant training solutions, methodologies, target groups and focus areas. Results The results show that solutions that provide hands-on experience, team skills development, high level of real-life fidelity are often preferred to other options, with simulation-based solutions showing the highest amount of research and development. Nonetheless, researchers have not reached agreements on optimal training delivery methods and design of cybersecurity exercises. Conclusion Consequently, research on improving current cybersecurity training offerings should be conducted, to demonstrate whether integrating advantageous attributes from different delivery methods could produce more comprehensive and effective solutions.
The 2020 World Economic Forum’s Global Risks Report listed cyberattacks on critical infrastructure as a top concern. WEF noted that “attacks on critical infrastructure have become the new normal across sectors such as energy, healthcare, and transportation.”
More Connectivity Means More Vulnerability
The new reality is that almost all critical infrastructures operate in a digital environment, and while the information technology landscape has greatly evolved, so have the vulnerabilities. The expansion of the threat surface due to global connectivity and the emergence of the internet of things and smart cities, has created opportune vulnerabilities for threat actors. Threat actors have grown more sophisticated and capable and they include nation states, organized criminals, and terrorists. In the digital ecosystem, critical infrastructure has become the preferred target for both cyberwarfare and cybercrime.
Attacks Around the Globe
Cyberattacks on critical infrastructure have reached all corners of the globe. Several weeks ago, Israel’s National Cyber Directorate detected and successfully stopped a cyberattack by Iran against its public water systems. Israeli cyber chief, Yigal Unna, described that attack as a “synchronized and organized” attempt at disrupting key national infrastructure. During this same time period, Taiwan’s state owned energy company was targeted with a ransomware attack, and Japan’s telecommunications firm NTT internal network was breached. And those are just a few recent examples.
A March 2020 report by the cybersecurity firm Claroty found that a clear majority of IT security professionals are much more worried about cyberattacks on critical infrastructure than they are about data breaches in the enterprise. That’s consistent among respondents in the U.S., the UK, Germany, France and Australia and concurs with the WEF report.
Threat to U.S. Critical Infrastructure
In the United States, critical infrastructure is constantly under cyber and physical threats. There is no rest for the weary in government and industry. Over 80% of the critical infrastructure, including defense, oil and gas, electric power grids, healthcare, utilities, communications, transportation, education, banking and finance, is owned by the private sector and regulated by the public sector.
In February of this year, a ransomware attack targeted critical infrastructure belonging to a U.S. based natural gas compression facility. Last year The FBI announced that nation state hackers had breached the networks of two U.S. municipalities in 2019, and were able to exfiltrate user information. In the recent past, US refineries, dams and data centers have also been subjected to cyber-attacks.
Because of the potential ominous consequences of the threat, the US government has taken action. This has included investments in resources, policies and collaboration dedicated to protecting critical infrastructure. On May 11, 2017, White House Executive Order 13800 was issued “to improve the Nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats.
At-Risk Sectors
In November of 2018, because of recognition of an urgent need for public and private sector cooperation, DHS formed the Critical Infrastructure Security Agency. CISA’s directives put a focus on the DHS mission of cyber preparedness and ensuring protection and resilience to critical infrastructure. DHS identified 16 sectors deemed critical because their assets, systems, and networks are considered vital to national economic security, safety and public health. They include:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
DHS pronouncements on their website state that cybersecurity threats to critical infrastructure “are one of the most significant strategic risks for the United States, threatening our national security, economic prosperity, and public health and safety. In particular, nation-states are targeting critical infrastructure to collect information and gain access to industrial control systems in the energy, nuclear, water, aviation, and critical manufacturing sectors. Additionally, sophisticated nation-state attacks against government and private-sector organizations, critical infrastructure providers, and Internet service providers support espionage, extract intellectual property, maintain persistent access on networks, and potentially lay a foundation for future offensive operations.”
According to Brian Harrell, CISA’s assistant director for infrastructure security, the agency’s role is to coordinate “security and resilience efforts and provide consolidated all-hazards risk analysis for U.S. critical infrastructure. CISA also conducts cyber and physical exercises with government and private sector partners to enhance the security and resilience of critical infrastructure.”
Defending the Energy Sector
While all 16 industry sectors are threatened, the energy sector stands out as being a target of choice for many hackers. CISA, the Department of Energy and industry are working closely to defend against a multitude of threats. The energy ecosystem of insecurity includes power plants, utilities, nuclear plants and the electric grid. Protecting the sector’s critical ICS, OT, and IT systems from cybersecurity threats is not easy as much of the energy critical infrastructure components have unique operational frameworks and access points, and they integrate a variety of legacy systems and technologies.
A Framework for Protection
Critical infrastructure cybersecurity relies on security framework protection based on layered vigilance, readiness and resilience. These guiding elements of risk management are provided in the National Institute of Standards and Technology’s mantra for industry: Identify, Protect, Detect, Respond, Recover.
In an ecosystem of both physical and digital connectivity, there will be always be vulnerabilities, and a breach or failure could be catastrophic. The internet was not built for security at its inception; it was built for connectivity. Following industry and government protocols derived from lessons learned is essential for protecting vital infrastructure. The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is information sharing between the public and private sectors and situational awareness.
Hope for the Future
There is also technological promise in enabling the cybersecurity priority of protecting critical infrastructure. Some newer areas of cybersecurity technologies that are fortifying infrastructures are being developed in the areas of cloud security, authentication, and biometrics. Automation is an emerging and effective cybersecurity pathway. Dedicated resources and the assimilation of emerging technologies such as artificial intelligence and machine learning can help automate detection and trigger cyber defenses. New innovations in networks, payloads, endpoints, firewalls, antivirus software and encryption can also be factors that harden critical assets against attacks.
The new normal of threats cited by WEF is a cause for vigilance and expanding readiness and resilience in all areas of cybersecurity. Protecting some of the world’s most important infrastructure assets is difficult, but it is an imperative.
