Grid modernization has created a complex ecosystem of network-connected equipment, exposing utilities to a wide range of potential threats from nation-states, criminals, disgruntled employees, and accidental misconfiguration.
The energy sector is particularly exposed because two long-standing controls are losing their effectiveness: SPAN ports, which forward copies of switch traffic to security analysis systems but silently drop packets when the switch is busy, and physical air gaps, which are eroded every time a vendor remote-access link or a dual-homed engineering workstation bridges the Operational Technology (OT) network to the rest of the enterprise network.
As a result, the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (NSM), multiple cybersecurity initiatives, and the cyber incident reporting provisions of the recently passed $1.5 trillion spending bill all push critical infrastructure asset owners (CIs) toward deploying threat visibility and detection technologies in the name of national security. The NSM initiative itself is voluntary; the reporting law is not, and you cannot report what you cannot detect.
The proliferation of federal cybersecurity initiatives is a timely response to the threat to U.S. infrastructure. But the messaging has been unclear about which cybersecurity investments CIs must make, and about what they can do now to mitigate clear and present threats.
"Most critical infrastructures have either regulation or directives, but it's an inconsistent patchwork of security controls and oversight," said industrial control systems (ICS) security advisor Patrick Miller of Ampere Industrial Security. "CIs know they need to increase security, but there is much speculation on which direction their regulations are going."
The $1.5 trillion spending bill requires CI owners and operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS). Any cyber incident that leads to "substantial loss" or "serious impact" must be reported within 72 hours of the organization reasonably believing it has occurred, and any ransomware payment within 24 hours of being made. The goal, according to CISA Director Jen Easterly, is to provide the agency with near real-time data and visibility to "help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks."
But is it too little too late? The bipartisan cyber incident reporting law was years in the making, and its requirements only take effect once CISA completes its rulemaking, for which the law allows another 24 to 42 months. Meanwhile, the rate of cyberattacks on U.S. critical infrastructure has never been higher.
CIs are pivoting quickly from measured, strategic thinking around "When and how should I make new security investments?" to the immediate, tactical deployment of cybersecurity resources—i.e., "What can I do today to mitigate a potentially crippling cybersecurity attack?"
Fortunately, there are immediate actions, defensive measures and self-directed offensive testing alike, that industrial operators and utilities can take to mitigate the risk of a large-scale cyberattack.
"All of these approaches need source data. It's the most critical place to start." Patrick Miller, CEO of Ampere Industrial Security
1. Request resources from the board.
According to President Biden, the time is now for boards to approve and fast-track funding for cybersecurity tools and services that can be implemented quickly. "Executives should be open to increasing budgets for both equipment and resources."
At a minimum, says CISA, CIs must have the capabilities to:
- reduce the likelihood of a damaging cyber incident
- detect malicious activity quickly
- respond effectively to confirmed incidents
- maximize resilience
For CI boards that can't or won't fund stepped-up security measures, CISA has published a list of free cybersecurity services and tools. Buyer beware: CISA notes that the list is subject to change and carries no endorsement or guarantee that any given tool will work in your environment. Free tools still cost staff time to deploy, tune and monitor, and an unmonitored tool produces no detection.
2. Copy all outgoing network traffic.
Under a reporting mandate, not knowing you've been hacked is no longer a free pass to avoid reporting that you've been hacked. "If you can only do one thing," said Miller, "capture and store everything leaving your network(s), so you can act quickly to detect if you have an active attacker in your environment." Full packet capture of egress traffic is the ideal; where storage makes that impractical, flow records (source, destination, port, timing and byte counts) and DNS logs retained for months still let responders answer the retrospective question of which hosts talked to an attacker's infrastructure, and when.
The NERC Critical Infrastructure Protection (CIP) standards already point in this direction: CIP-005 requires methods for detecting known or suspected malicious inbound and outbound communications at Electronic Access Points, and CIP-007 requires security event logging, alerting and log retention. Capturing and archiving egress traffic serves both requirements and gives auditors and incident responders the same evidence.
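As an added example of what "capture and store everything leaving your network" buys you, the script below triages outbound connection records the way an analyst would on the first day of an investigation: it builds the capture filter that keeps only egress traffic, discards internal-to-internal flows, lists destinations that are not on the site's known list, and flags connection series with a near-constant interval, the check-in pattern typical of command-and-control implants. This is illustrative code written for this article, not a Keysight, Ampere or NERC tool; the 10.10.0.0/16 plant network, the known-destination list, the record format and every log line are constructed for the example.

```python
"""Triage of outbound (egress) connection records: keep only traffic that left
the OT network, flag destinations not on the site's known list, and flag
periodic "beaconing" connection series.  Added example; the addresses,
allowlist and records below are constructed, not captured from a real site."""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumed address space of the OT network (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Assumed destinations the site legitimately talks to: a vendor portal and NTP.
KNOWN_DESTINATIONS = {("203.0.113.10", 443), ("198.51.100.5", 123)}


@dataclass(frozen=True)
class Flow:
    ts: float          # epoch seconds when the connection started
    src: str
    dst: str
    dport: int
    proto: str
    orig_bytes: int    # bytes sent by the originator


def egress_capture_filter(nets=INTERNAL_NETS) -> str:
    """BPF expression selecting only traffic that leaves the listed networks,
    usable as the filter argument of tcpdump, e.g.
    tcpdump -i <tap> -G 3600 -w 'egress-%Y%m%d%H%M.pcap' '<filter>'."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    return f"({src}) and not ({dst})"


def parse_conn_line(line: str) -> Flow:
    """One whitespace-separated record: ts src dst dport proto orig_bytes
    (a cut-down, Zeek conn.log style row; the field set is an assumption)."""
    ts, src, dst, dport, proto, obytes = line.split()
    return Flow(float(ts), src, dst, int(dport), proto, int(obytes))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_only(flows):
    """Keep only connections initiated inside and terminating outside."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def find_unknown_destinations(flows):
    """(dst, port) pairs absent from the site's known-destination list."""
    return sorted({(f.dst, f.dport) for f in flows} - KNOWN_DESTINATIONS)


def find_beacons(flows, min_conns=6, max_cv=0.15):
    """Flag (src, dst, dport) series with at least min_conns connections whose
    gaps are near-constant: coefficient of variation (stdev / mean) <= max_cv.
    Fixed-interval check-ins are the signature of many C2 implants; human or
    bursty application traffic is irregular and is not flagged."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times), "interval_s": round(mean, 1),
                         "cv": round(cv, 3)})
    return hits


def triage(log_text: str) -> dict:
    """Run the whole egress triage over a block of records."""
    flows = egress_only(parse_conn_line(l) for l in log_text.strip().splitlines())
    return {"egress_flows": len(flows),
            "unknown_destinations": find_unknown_destinations(flows),
            "beacons": find_beacons(flows)}


# Constructed records (ts src dst dport proto orig_bytes): 10.10.1.20 is an
# HMI, 10.10.2.5 a historian, 10.10.3.4 a PLC.  The historian talks to
# 192.0.2.77:8443 every ~60 s, which is what the beacon check should catch.
SAMPLE_CONN_LOG = """
1000.0 10.10.1.20 10.10.3.4 502 tcp 120
1001.0 10.10.2.5 10.10.3.4 502 tcp 88
1005.0 10.10.1.20 203.0.113.10 443 tcp 5120
1012.0 10.10.1.20 203.0.113.10 443 tcp 3020
1090.0 10.10.1.20 203.0.113.10 443 tcp 410
1091.0 10.10.1.20 203.0.113.10 443 tcp 9800
1300.0 10.10.1.20 203.0.113.10 443 tcp 2200
1700.0 10.10.1.20 203.0.113.10 443 tcp 150
1024.0 10.10.1.20 198.51.100.5 123 udp 48
2048.0 10.10.1.20 198.51.100.5 123 udp 48
1000.0 10.10.2.5 192.0.2.77 8443 tcp 312
1060.5 10.10.2.5 192.0.2.77 8443 tcp 312
1120.2 10.10.2.5 192.0.2.77 8443 tcp 312
1180.8 10.10.2.5 192.0.2.77 8443 tcp 312
1240.1 10.10.2.5 192.0.2.77 8443 tcp 312
1300.6 10.10.2.5 192.0.2.77 8443 tcp 312
1360.3 10.10.2.5 192.0.2.77 8443 tcp 312
1420.9 10.10.2.5 192.0.2.77 8443 tcp 312
1500.0 10.10.1.20 192.0.2.200 22 tcp 2600
"""

if __name__ == "__main__":
    print(egress_capture_filter())
    print(triage(SAMPLE_CONN_LOG))
```

On the constructed data the HMI's irregular vendor-portal sessions are not flagged even though there are six of them, while the historian's eight check-ins at roughly 60-second spacing are, together with the one-off SSH connection to an unknown host. Real beacons add jitter and sleep multipliers, so in practice the threshold is tuned per environment and the result is a lead for an analyst, not a verdict; the point is that the question can only be asked at all if the egress records were captured and kept.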
3. Implement best-in-class security validation solutions.
"Test your defense and detection posture by deploying breach and attack solutions and SIEM technologies for your most critical networks. Then scale this out over time to enhance your coverage," Miller suggested.
Breach and attack simulation (BAS) tools continuously replay known attack techniques against your production controls, verify that the expected block or alert actually fires, and show which SIEM rules need tuning before an attacker tests them for you.
SIEM platforms correlate the captured traffic and logs, increasingly with machine-learning behavior analytics, and produce the audit trail that regulatory compliance and incident reporting require.
This is not a Rehearsal, a Drill, or Optional.
Regulatory compliance is mandatory, and CI survival is non-negotiable. Keysight Technologies provides out-of-band network visibility tools that copy traffic from the production network so CIs can monitor it for threats without inserting anything inline. Advanced threat simulator solutions enable companies to "attack themselves" to validate whether their security controls block the latest threats as expected.
It's not too late for CIs to fortify cyber defenses. The cost of doing nothing could be high, so do all you can today. Practice and test your systems like it's game day because it could be.