Last month, troops various National Guard units conducted a large scale simulation of a major cyber breach knocking out utilities across the U.S. This is a long-feared scenario, and one that appears to become more likely with every passing year. The relative ease with which a ransomware gang took down the Colonial Pipeline shows that a cyber disruption of critical infrastructure may be in our future
It’s a positive sign that the National Guard is taking this risk seriously enough to practice for it. The fact that the exercise, known as “Cyber Yankee,” included rehearsing a collaboration with the FBI and private sector partners is further welcome evidence that the government is intent on not letting a major disaster unfold on their watch. If a serious incident occurs, the practice will pay off in a faster, more coherent response. And, the Guard may have countermeasures that are beyond the reach of some utilities and industrial concerns. However, it’s not enough.
The National Guard, along with other state and federal incident response mechanisms, are going to be slow in responding a cyber incident. Even if they can get organized and execute their response plan within hours, though it would probably be at least a day until they can really mobilize, attackers can still do a lot of damage—some of it nearly impossible to predict.
This is what concerns Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon. Cappi and his team help manufacturers, energy companies, water plants, and other Operational Technology (OT) clients with security and incident response processes. In his view, there is a risk of what he calls a “cascading effect” of a successful cyber attack on critical infrastructure.
“One incident can be a catalyst for other, hard-to-imagine events,” Cappi said. “Look at what happened to toilet paper during COVID. Who could have predicted that? With critical infrastructure, taking down a power station could lead to an unforeseen sewage backup, which leads to a disease outbreak that can’t be treated because the hospital is blacked out, and on and on.”
In the case of certain industrial concerns, the impact of an attack can be immediate and catastrophic. Cappi noted, “An oil refinery can be made to explode in minutes if attackers understand its cyber-physical vulnerabilities well enough. There isn’t time for the National Guard to show up.”
Hexagon works with its clients on being proactive, avoiding catastrophic outcomes by staying a step ahead of cyber criminals. For instance, they recommend assuming that their security has already been compromised and developing a plan for what to do post-breach. This usually takes the form of an overall resiliency plan that brings together people, technology and processes. “We used to focus on uptime and reliability as our two key success metric,” Cappi said. “Now, we’re shifting our focus to safely regaining productive operations.”
A resiliency plan might call for improving backup systems to minimize the impact of an attack. Putting the plan together also usually includes maintaining a detailed OT asset inventory. “You have to know what you have running in your infrastructure,” Cappi said. “You can’t secure what you can’t see, but you would be astonished at what a utility or industrial plant might find on its network. ‘I thought we disconnected that last year,’ is a typical comment we hear.
Being prepared and staying resilient also usually requires some contemplation of realistic human behavior. It might be helpful, for example, to institute incentives and penalties to get people to comply with policies like patch deployment.
Cappi also expressed the sentiment that critical infrastructure security could benefit from more active government focus. As he sees it, industries by themselves are not good at developing and enforcing standards for security and resiliency. Instead, it might be better if the government mandated risk-based minimum standards for security and resiliency. The foundations of such standards already exist in the NIST frameworks and the like, but they need “teeth,” according to Cappi.
The state of security for critical infrastructure remains fragile. It’s a positive development that entities like the National Guard are preparing to address a likely but unknowable future crisis. At the same time, much more work needs to be done by private companies, ideally in partnership with a more engaged government.