Cybersecurity is an issue that must be addressed in all critical infrastructure operations. At the same time, though, many industries and professionals are wondering what the future of cybersecurity will hold. In what capacity will the state intervene? And might we expect stricter mandates?

What led to the current state of cyber threats to essential infrastructure?

Cybersecurity is not a new concept, especially in the IT industry, where it is essential to implement new technologies that boost productivity while reducing risk. Critical infrastructure, however, particularly in the fields of industrial control systems (ICS) and operational technology (OT), adopted technology before security became a concern, because air-gapping was still commonly used and effective back then. That is no longer the case. When we conduct assessments, we frequently discover that the client is considerably more exposed and has far fewer air gaps than they had first thought.

The convergence and interconnection of operational physical processes to the digital world occurred unintentionally as critical infrastructure businesses adopted new technologies, ranging from information technology to field sensors. By doing so, businesses opened themselves up to a wide variety of new cyber dangers that their internal IT departments and network administrators were unprepared to handle.

In a nutshell, that is what transpired with Colonial Pipeline. A full shutdown was implemented out of an abundance of caution and to “contain the threat” after discovering a security flaw in the IT infrastructure. In other words, the threat could not be stopped without shutting down the pipelines, and once it was in, control, safety, and confidence were severely hurt.

The vulnerabilities in our ecosystems were first brought to light by Colonial Pipeline and then by JBS Foods. When the supply chain, customers, reputation, and rebuilding operations are taken into account, the total cost of each attack quickly goes above the $16 million paid in ransom, some of which was recovered.

What key frameworks and regulations such as NERC CIP, the NIST Cybersecurity Framework, and the NIS Directive mean for cybersecurity

Some sectors of essential infrastructure, notably those in the unregulated group, are already using rules and best practices to secure their operations. For instance, 2018 saw the release and modification of the Pipeline Security Guidelines in response to a request from the TSA (which included mandatory components). As is the case with other industries, manufacturing has benefited from CISA’s publication of guidance meant to improve the industry’s cybersecurity. Most of these (and the rules that must be followed) are based on the NIST Cybersecurity Framework (NIST CSF).

Many other sectors, however, fall into the regulated group, which takes a stricter, mandatory approach. For instance, the Federal Energy Regulatory Commission (FERC) enforces regulations, audits, and penalties for compliance with the North American Electric Reliability Corporation Critical Infrastructure Protection Plan (NERC CIP). The biggest NERC fine ever levied was ten million dollars, for 120 infractions spread out over a period of four years.

Cybersecurity in the nuclear energy sector is similarly governed by NEI 08-09. In addition, the NIS Directive regulates many European sectors, notably the telecommunications sector.

The latest directive raises the question, “Is more regulation up next for pipelines?” as owners and operators of important pipelines work to meet the impending TSA deadline. If so, should the TSA oversee its implementation?

According to Power Magazine, companies are looking to FERC for guidance on pipeline regulations, which might eventually lead to a program similar to NERC’s CIP that is expanded beyond the bulk power sector. However, compliance does not equal security, as cybersecurity experts have been quick to point out, and this is another issue bulk power has faced over the years. To that end, what steps should pipeline business owners and managers take?

Virtually all models (and regulations) share the following three recommendations. By taking these steps, you will strengthen both your security and your ability to comply with requirements.

1.   Conduct a thorough vulnerability assessment for at least 30 days.

The TSA’s deadline of 30 days to do a vulnerability assessment is a sensible one. Nonetheless, this is only the beginning and may be an example of the ‘knee-jerk’ criticism that has been levelled. Contrary to popular belief, there is a lot that can be missed during a 30-day procedure.

Threats in the cyber realm are infamous for hiding out in systems for extended periods of time before launching an attack. Some malware families, like Havex, take at least three years to show any symptoms. In September 2019, it was discovered that malware had been used in an attack against India’s Kudankulam Nuclear Power Plant (KKNPP), which had apparently begun in May 2019. Finally, towards the end of October, after a third party had revealed the threat to the manufacturing operation, the attack began. Both of those would be missed by a 30-day vulnerability assessment.

Operations must perform a comprehensive evaluation of everything known and unknown about their environment. Unfortunately, piping and instrumentation diagrams (P&IDs) often fall behind the times, so a simple walkthrough can reveal both new assets and potential risks. A complete evaluation necessitates a look at everything from assets to traffic to behaviour, and from people to processes. Once businesses know what is going on, they can take the steps they need to protect their operations and make them less vulnerable to cyber threats and attacks.

2.   Separate those networks!


3.   To ensure complete safety, adopt a “zero-trust” policy.

The capacity of threat intelligence and IDS solutions has grown over the past decade, allowing for more precise visualization of devices and the rapid discovery of vulnerabilities. However, the number of successful cyberattacks on vital infrastructure keeps rising. To provide adequate protection, automation, and resilience, the critical infrastructure sector must expand its current capabilities beyond the limited threat intelligence and device visibility now available. Those capabilities are clearly needed to meet current security needs, and a Zero Trust Network Access (ZTNA) strategy is a must.

Access permissions for users, programs, and data in a Zero-Trust architecture are granted only when necessary. Access controls are granular and revocable, ensuring that data remains secure no matter where it is requested from (inside or outside the LAN). All access-control activities should be logged and audited, and ideally they should be able to send out alerts on their own.
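As an added illustration (not code from the article), the small policy engine below models the properties listed above for an OT setting: default deny, grants that are granular (subject, resource, action) and time-bounded, immediate revocation, and an audit log in which every denied request also raises an alert. The subject and resource names (`hmi-operator`, `plc-01`) and the actions are constructed placeholders.

```python
"""Zero-trust access decision sketch (added example; names are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    action: str
    expires: datetime  # grants are time-bounded, never open-ended


@dataclass
class PolicyEngine:
    grants: dict = field(default_factory=dict)   # grant id -> Grant
    audit: list = field(default_factory=list)    # every decision, allow or deny
    alerts: list = field(default_factory=list)   # denied requests, for alerting

    def grant(self, gid, subject, resource, action, ttl, now):
        self.grants[gid] = Grant(subject, resource, action, now + ttl)

    def revoke(self, gid):
        self.grants.pop(gid, None)  # revocation takes effect on the next request

    def authorize(self, subject, resource, action, now, origin):
        # Default deny: only an unexpired, exact-match grant allows the request,
        # regardless of whether it originates inside or outside the LAN.
        allowed = any(g.subject == subject and g.resource == resource
                      and g.action == action and g.expires > now
                      for g in self.grants.values())
        entry = {"ts": now.isoformat(), "subject": subject, "resource": resource,
                 "action": action, "origin": origin,
                 "decision": "allow" if allowed else "deny"}
        self.audit.append(entry)
        if not allowed:
            self.alerts.append(entry)
        return allowed


def demo():
    """Walk through grant, non-granted action, expiry and revocation."""
    t0 = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)
    pe = PolicyEngine()
    pe.grant("g1", "hmi-operator", "plc-01", "write_setpoint", timedelta(hours=1), t0)
    r1 = pe.authorize("hmi-operator", "plc-01", "write_setpoint", t0 + timedelta(minutes=10), "lan")
    r2 = pe.authorize("hmi-operator", "plc-01", "firmware_update", t0 + timedelta(minutes=10), "lan")
    r3 = pe.authorize("hmi-operator", "plc-01", "write_setpoint", t0 + timedelta(hours=2), "remote")
    pe.revoke("g1")
    r4 = pe.authorize("hmi-operator", "plc-01", "write_setpoint", t0 + timedelta(minutes=20), "lan")
    return (r1, r2, r3, r4), pe
```

Only the first request succeeds; the ungranted action, the expired grant and the revoked grant are all denied, logged, and surfaced as alerts.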

Next-Generation Cybersecurity Preparation

It is conceivable that both statutory legislation and voluntary frameworks will coexist in the future of critical infrastructure cybersecurity. The government will keep an eye on cybersecurity until the threat and risk are reduced, but the conversation might be different if businesses had protection instead of just visibility right now.

Whatever the case may be, recent events and responses have brought into sharp focus a critical weakness in our nation’s infrastructure, ecosystem, and supply chains: cybersecurity. Taking precautions now will strengthen operations in the short term and make them more ready to meet future compliance obligations. With cyber-resilience as the end goal, you should do a thorough risk assessment and take strict steps to protect your operations.