Cyber Threats to Critical Infrastructure

Recent industry data shows that cyber attacks on critical infrastructure (CI)—such as energy distribution networks, financial systems, and communications networks—pose a growing threat to CI companies and state actors alike. The increasing prevalence and sophistication of cyber attacks on CI companies suggests that a debilitating, country-level operational disruption, and a corresponding kinetic response, are substantially more likely in the near future.

In the western hemisphere, 76 percent of CI companies report that the cyber attacks they face are becoming more advanced, while more than 90 percent say that the number of attacks has either increased or remained steady. The nature of the threat has shifted as well: attempts to manipulate equipment by accessing control systems are becoming nearly as common as attempts to steal information.

Last fall, US Department of Homeland Security (DHS) authorities discovered malware that had infiltrated the industrial control systems of oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines, and nuclear plants across the United States. The infiltration, which authorities say most likely originated from Russia, had gone undetected for three years. Last month, the Government Accountability Office warned that cyber attackers with the intent of crippling the nation’s air traffic control system would encounter disturbingly little resistance. These fears were confirmed just weeks later when the Federal Aviation Administration announced that unknown hackers had spread malware throughout the agency’s computer systems.

Although cyber attacks on critical infrastructure are growing more sophisticated, more numerous, and more malicious, 79 percent of CI companies in the western hemisphere are not engaged in regular communication with their host governments on cyber issues. Information sharing is vital to mitigating cyber risk, but as long as participation in government collaboration programs remains voluntary, other threat reduction methods will only be partially effective. An information-sharing mandate that provides a single point of contact and standardizes the type and frequency of threat indicators would go far in simplifying the interaction between government and private industry.

Beyond policy solutions, there are a number of best practices that CI companies can implement to prevent cyber attacks from succeeding in the first place. Segmenting networks into subnets reduces the impact of attacks by compartmentalizing the data and devices affected by a breach. Segmentation also allows CI companies to devote fewer resources to low-priority subnets and apply stricter safeguards and controls to more sensitive ones, which is less costly and more effective than a one-size-fits-all approach. Remote access to control systems is another key vulnerability that is relatively straightforward to address. Simple measures, such as requiring remote users to connect to administrative systems through a VPN terminating in a dual-firewall DMZ (a subnetwork sitting between an outer and an inner firewall), could significantly reduce the risk of access by saboteurs.
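The segmentation and dual-firewall DMZ design described above can be checked rather than assumed. The following is an added example, not code from the original article: it models an outer firewall (internet to DMZ) and an inner firewall (DMZ to control subnet) as default-deny rule lists, verifies that the only route from the internet to the control subnet runs through the VPN gateway in the DMZ, and audits a weakened policy in which a convenience rule punches straight through both firewalls. All host names, zones, ports, and rules are constructed assumptions.

```python
from dataclasses import dataclass

# Zone order models the layout in the text: internet | outer fw | DMZ | inner fw | control subnet.
ZONE_RANK = {"internet": 0, "dmz": 1, "control": 2}
# Constructed host inventory (hypothetical names, not from the article).
HOST_ZONE = {"internet": "internet", "vpn-gw": "dmz", "admin-jump": "control", "hmi": "control"}


@dataclass(frozen=True)
class Rule:
    src: str     # source host, or "internet" for any external address
    dst: str     # destination host
    port: int    # destination TCP port; 0 matches any port
    allow: bool


def decide(ruleset, src, dst, port):
    """First matching rule wins; a flow that matches nothing is dropped (default-deny)."""
    for r in ruleset:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.allow
    return False


def permitted(src, dst, port, outer, inner):
    """A flow is permitted only if every firewall between its source and destination zones allows it.
    Traffic that stays inside one zone crosses no firewall and is not filtered here."""
    a, b = sorted((ZONE_RANK[HOST_ZONE[src]], ZONE_RANK[HOST_ZONE[dst]]))
    crossed = [fw for fw, pos in ((outer, 0), (inner, 1)) if a <= pos < b]
    return all(decide(fw, src, dst, port) for fw in crossed)


def control_hosts_exposed_to_internet(outer, inner, ports=(22, 443, 502, 1194, 3389)):
    """Audit: which control-subnet services can the internet reach directly, without the DMZ VPN hop?
    Returns the set of (host, port) pairs that should normally be empty."""
    return {(h, p) for h, z in HOST_ZONE.items() if z == "control"
            for p in ports if permitted("internet", h, p, outer, inner)}


# Constructed policy: the outer firewall exposes only the VPN listener, and the inner firewall
# admits only the VPN gateway, and only to the administrative jump host over SSH.
OUTER = [Rule("internet", "vpn-gw", 1194, True)]
INNER = [Rule("vpn-gw", "admin-jump", 22, True)]

# The same design weakened by a "temporary" rule allowing RDP straight through both firewalls.
OUTER_WEAK = OUTER + [Rule("internet", "admin-jump", 3389, True)]
INNER_WEAK = INNER + [Rule("internet", "admin-jump", 3389, True)]
```

Running `control_hosts_exposed_to_internet(OUTER, INNER)` returns an empty set, while the weakened pair returns `{("admin-jump", 3389)}`, which is exactly the finding a periodic policy audit should surface.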

With the breadth and intensity of the cyber threat to critical infrastructure growing by the day, industry leaders have a responsibility to engage with government partners and take ownership of their own cybersecurity. Mandated information-sharing protocols and the use of basic best practices would help reduce both the scope and severity of the looming cyber threat to critical infrastructure.