The risk to critical infrastructure is a long-festering concern in the cybersecurity industry. Researchers, corporate security officers and government experts feared that energy producers, utilities and water systems lacked the manpower and investment in security.
The risk increased as industrial control systems were exposed to the open internet and connected to IT systems through automation.
Industrial control systems had 893 vulnerability disclosures in 2020, up 25% year-over-year, according to 2021 data from industrial cybersecurity firm Claroty. Critical manufacturing, energy — which includes electricity, oil and natural gas — and water and wastewater reported the most vulnerabilities.
The oil and gas industry in particular grew more dependent on digital technologies to streamline operations in recent years, which increased the attack surface that was vulnerable to cyber activity, according to Moody's Investors Service.
As Colonial Pipeline slowly restores full service following last week's ransomware attack, the Biden administration, security researchers and industry analysts are scrambling to understand exactly how the massive pipeline operation was compromised by DarkSide, a Russian-linked ransomware gang.
The attack exposed years of underinvestment and inaction that dragged out much-needed enhancements to energy, utilities, water and other systems that desperately needed additional protection against sophisticated nation-state and criminal adversaries.
"The ransomware attack on Colonial Pipeline illustrates that cybersecurity is a growing credit risk, which can cause operational disruption to America's critical infrastructure," Leroy Terrelonge, VP at Moody's Investors Service, said. "With cyberattacks rising in the energy sector as digital technologies streamline operations, oil, gas, electric power and renewable energy participants will continue to increase their cyber investments to mitigate these growing threats."
Spotty track record
The nation's preparedness for securing critical infrastructure has been spotty, according to Scott Shackelford, director of the Cybersecurity and Internet Governance program at Indiana University.
"In total DHS recognizes 16 such sectors, from financial firms to water utilities" as critical infrastructure, he said. "In fact, the vast majority of the U.S. economy has now been designated as 'critical,' with the open question being if everything is critical, is anything?"
Critical infrastructure executives have known for years that automation and exposure to the public internet would make them more visible targets for malicious attacks.
Among the growing cybersecurity concerns, ransomware attacks against critical infrastructure have steadily increased, according to data from Temple University. The university documented 396 ransomware attacks against critical infrastructure in 2020, up 93% year-over-year.
"Cyberattacks that target industrial control systems have been rapidly rising throughout 2020 and 2021," said Dawn Cappelli, VP global security and chief information security officer at Rockwell Automation. "Most of them are ransomware attacks by financially motivated groups that spread from a company's main network into the industrial control system operational network."
Operational technology security is less mature than information technology security, Cappelli said in an email. Many companies lack important security items, including a comprehensive asset inventory, protective technologies like firewalls and network segmentation, tools to detect anomalous or malicious network activity or trained security staff to respond to attacks.
"CISOs in companies that have OT environments should immediately create a holistic cybersecurity strategy for their converged IT/OT infrastructure, if they haven't done so already," she said. "This requires a cross-functional team composed of IT, security and OT engineers."