Infra
Harden Critical Infrastructure Against Foreign Cyber Attacks, U.S. Agencies Warn
What do you think of when you hear “critical infrastructure”? A bridge? A power station? A train?
What about when a child drinks from a water fountain in a park? Or when a teacher uses AI to help students learn? Or when boarding your flight on a holiday weekend?
We don’t often think of the systems that underpin these and so many other daily activities, but the fact is that these processes are increasingly digitized, and they’re often reliant on networks and systems that were built without security at the forefront of the design.
While such systems ground our energy, health, water, telecommunications, and agriculture sectors—among many others—they are increasingly vulnerable to malicious cyber activity, and the attackers are upping their game.
Earlier this year, U.S. cybersecurity officials warned about state-sponsored malicious cyber actors affiliated with the People’s Republic of China, including a well-known cyber attacker, Volt Typhoon, that were compromising and maintaining persistent access to U.S. critical infrastructure for future disruptive activities should a conflict with China arise.
The Environmental Protection Agency issued yet another warning recently to water systems urging them to take immediate action to protect the nation’s drinking water from cyber threats. Per the EPA, cyberattacks can damage water structures like valves and pumps, interrupt how water is treated or stored, or increase chemical levels to dangerous amounts.
Not all U.S. critical infrastructure can withstand and recover from a cyberattack, with some critical infrastructure owners needing more resources to improve cybersecurity and resilience on their own. As Jen Easterly, director of the Cybersecurity and Infrastructure Agency, told Congress, “Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology.”
Companies should be held to a high standard when it comes to the development of digital products. The Biden-Harris Administration’s emphasis on accountability for industry is laudable in this regard but these continuing urgent warnings from the federal government warrant urgent action on cyber-physical resilience.
For example, the Colonial Pipeline event led to calls to improve cybersecurity, which is important. While important, the deeper call to action should be oriented around what segmentation should have existed so a compromise to Colonial’s business systems had no impact on its wider operations.
What is needed is a fundamental shift in approach—a move beyond digital security to genuine resilience. That begins with how products and services are designed and built—designing whole sets of systems that support critical infrastructure to operate in expected ways under extreme pressure.
Imagine a hospital being able to continue to operate with loss of internet connectivity, or during a ransomware attack; a water utility being managed manually while officials investigate suspicious distribution activity at a sanitation facility; or a power grid being recoverable in a modular way during an unexpected widespread outage during a thunderstorm.
We can get there. We must get there.
The President’s Council of Advisors on Science and Technology published a recent report that includes recommended actions to allow all critical infrastructure systems to achieve resilience including: establishing performance goals, coordinating research and development, improving government capacity to enhance cyber-physical resilience via Sector Risk Management Agencies, and ramping up owner/operator accountability for cyber physical resilience.
The continued warning from cyber officials demonstrates the need to harden our infrastructure and pursue enduring resilience now. Attacks are only increasing. Are your systems ready?