When it comes to critical infrastructure, both large and small firms have benefited from the digital advances that are transforming our lives. But this innovation, improved convenience, and usability have come with increased cyber risk. There has been growth in both the size of the attack surface and the range of potential Operational Technology (OT) targets within critical infrastructure.
For example, in the energy sector, everything from the generation of power to its transmission and delivery to customers is now a target across both the electric grid and the oil and gas industry. The power sector is increasingly in the crosshairs for both potentially destructive advanced persistent threat (APT) activity by nation-states, as well as ransomware used by criminal actors’ intent on extortion.
Although the federal government recognizes 16 critical infrastructure sectors, energy is part of a subcategory that is increasingly referred to a "systemically important critical infrastructure" – or even more pointedly, as a “lifeline sector”. That’s because a handful of functions directly affect both health and safety as well as the operation of other critical infrastructures.
The federal government said in its annual national threat assessment report last year that one of the ways foreign adversaries are using cyber operations is to damage industry, including physical and digital critical infrastructure. And near the end of March, the Cybersecurity & Infrastructure Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) released a joint Cybersecurity Advisory (CSA) detailing campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations.
It's no surprise, then, that the Biden administration has recently put critical infrastructure – including the energy sector – on high alert, urging the government’s private sector partners to implement cybersecurity best practices to harden their cyber defenses immediately. The Administration has made it a priority to enhance cybersecurity, using a variety of tools ranging from Presidential Executive Orders to drive action within government and its supporting contractor base, Federal funds dispensed as part of recent infrastructure bills, to sharing standards and frameworks designed for government but useful for the private sector as well. Of note, CISA has created a Shields Up website to provide one-stop shopping for practical advice and measures to help organizations prepare for, respond to, and mitigate the impact of cyberattacks associated with the current geopolitical situation. The Administration is also working to create more systematic public-private partnerships with major critical infrastructure owners and operators in all sectors.
The energy sector isn’t monolithic in composition. It includes companies that create energy – running the gamut from oil and natural gas extraction and refining to electricity generation – companies that distribute energy in bulk, and companies that deliver it to businesses and consumers. Each type has own exposure surface to various types of attack and attack methods.
For instance, during geopolitical tensions in the Persian Gulf, reports documented that cyber-attackers targeted the ability to pump and refine oil by erasing data from the computers that manage these operations and even attempted to change settings to force production machinery to destroy itself. And, as we saw with the Colonial Pipeline incident last year, ransomware directed at a company’s IT network can lead it to suspend operations due to concerns that the attack could spread to OT networks that control industrial processes and potentially affect safety or performance – something that criminals intent on extorting money probably hadn’t intended.
There’s also a wide diversity in the size and capability energy-related organizations in the U.S. They run the gamut from small rural utilities that lack IT or cyber resources and expertise to large vertically integrated producers with sophisticated cybersecurity capabilities and in-house cyber experts. Yet a chain is only as strong as its weakest link, and due to the interconnected nature of the electrical grid, cyber-attacks affecting smaller and more vulnerable utilities can lead to broader cascading failures. The Biden administration has focused on helping these smaller utilities, in particular, with the Infrastructure Investment and Jobs Act, which will make funds available to strengthen their security and reliability as part of modernization efforts.
Every project in critical infrastructure should have cybersecurity baked in, regardless of the sector or the size of the organization. CISA has developed Common Baseline Cybersecurity Performance Goals that can be used to help drive this process. These goals are reasonably comprehensive and give straightforward guidance that can help non-expert users with implementation. This is especially helpful for smaller utilities that lack the expertise and resources to undertake more advanced measures. According to the Center for Internet Security, implementing even basic cyber hygiene measures can improve resistance to attack by up to 90%.
Small utilities should also think about outsourcing to meet some of their security needs, such as by using commercial products and security-as-a-service (SECaaS) offerings, or by joining regional consortia that can attain the critical mass of resources required to implement solutions beyond the reach of individual consortium members.
Those organizations with more advanced cyber capabilities and cybersecurity specialists may want to deploy these three techniques:
Malicious cyber actors are looking for opportunities to exploit vulnerabilities across the nation’s critical infrastructure – including the energy sector and the IT and OT networks that connect and power it. Further digital transformation is both beneficial and inevitable, but vulnerability and threat increase alongside the positive benefits of further digitization. Cybersecurity should be a continuing priority, both for improving the systems of today and planning for future upgrades. Government funding will help in this crucial endeavor, as will following the best practices set out by CISA and within this article. A stronger security posture is both necessary and achievable -- no matter the size or the sophistication of the organization.