Emerging Threats Against U.S. Critical Infrastructure
An Analysis of the Threat Landscape & Corresponding Policy Recommendations
Ashley Fox and Benjamin Seebaugh
April 2020
Summary
As the world moves toward digitization, critical infrastructure systems—from power plants to airports—are becoming increasingly susceptible to cyber threats. Many of these systems, in developing and developed nations alike, lack the security measures needed to protect against known threats, much less emerging threats not yet understood. Eugene Kaspersky, CEO of the I.T. security firm Kaspersky Lab, has warned that the potential for attacks is genuine and that it is only a matter of time before nations see a major remote cyberterrorist attack on their critical infrastructure.[1] In this paper, we discuss the recent history of critical infrastructure attacks worldwide, the current state of critical infrastructure security in the United States, possible emerging threats facing key critical infrastructure systems, recommendations for addressing these threats, and the consequences of not acting.
Understanding critical infrastructure
Critical infrastructure is any system that is essential for the function of a society or economy. Currently, the United States government identifies 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.[2] There are three types of threats to critical infrastructure: natural, human-caused, and accidental/technical.[3] For the purposes of this paper, we focus on human-caused threats.
Human-caused threats include acts of terrorism, rioting, tampering, theft, financial crimes, explosions or bombings, and economic espionage. Many of the vulnerabilities associated with these threats are cyber. Common cyber threats include non-state actors seeking to destroy, incapacitate or exploit infrastructures to threaten national security; criminal groups attacking systems through phishing campaigns or spy/malware for identity theft, online fraud, or to extort for monetary gain; industrial espionage; disgruntled insiders or poorly trained employees and contractors who create opportunities for outsider penetration; national intelligence operations seeking to destabilize regimes or further other strategic goals; and national or commercial organizations trying to gain access to systems for political or commercial purposes.[4]
Recent global critical infrastructure attacks
One of the most well-known critical infrastructure attacks happened in December 2015, when a cyberattack on the supervisory control and data acquisition (SCADA) systems of Ukrainian distribution utilities caused a large electrical blackout.[5] Approximately 230,000 customers in western Ukraine were left without power for up to several hours.[6] While the outcome was not devastating, it highlighted a vital weakness in the nation's critical infrastructure security. The attack began with spear-phishing emails, typically considered a low-tech intrusion method, and escalated to the implanting of malware inside the utilities' networks. With that foothold, the attackers reached the utilities' control systems and manually switched off power to electrical substations, operating the breakers through the utilities' own control interfaces.
What most alarmed researchers about the 2015 attack was that it looked like a dry run for future attacks, signaling the possibility of larger and more severe targets down the road. A year later, in December 2016, a transmission substation outside Kyiv was taken down again, this time by purpose-built malware (known as Industroyer or Crash Override) that cut roughly a fifth of the city's power consumption for about an hour.[6] This time the attack was automated: the malware could "talk" to grid equipment directly using the grid's own control protocols, which removed the need for operators to click through control interfaces by hand and hastened the attackers' ability to take systems offline. Researchers also found this version far more scalable. What previously required more than 20 individuals to attack three regional energy companies could now be aimed at 10 or 15 sites in the same amount of time and with the same effort.[7] It was only the second known case of malicious code built specifically to disrupt physical equipment, after Stuxnet, the worm widely attributed to the United States and Israel that damaged Iranian uranium-enrichment centrifuges around 2009–2010. The second attack was also harder to investigate. Once inside a victim's network, the malware gathered information about that network and sent it back to its operators, letting them adapt future versions to specific control-system functions, and a wiper component could destroy files on infected systems, effectively covering its tracks once the attack was complete.
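The difference between the hand-operated 2015 intrusion and the automated 2016 one leaves a trace in a utility's own command logs: a human clicking through a control interface opens breakers at human pace, while malware driving the control protocol directly issues commands at many sites within seconds. The following is an added example (our illustration, not code from the paper or from any utility's monitoring) that flags such bursts. The log line format, host names, thresholds and the sample log itself are constructed assumptions; a real historian or HMI audit log will look different and the parser would need adapting.

```python
"""Flag machine-speed breaker operations in SCADA command logs.

Added illustration, not code from the paper or from any utility. The log
format ('timestamp host substation device action'), host names and thresholds
are assumptions, and SAMPLE_LOG is constructed. Adapt parse_log() to a real
historian or HMI audit log.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Command:
    ts: datetime
    host: str        # workstation that issued the command
    substation: str
    device: str
    action: str      # OPEN / CLOSE


@dataclass
class Alert:
    host: str
    start: datetime
    n_commands: int
    substations: list


# Constructed sample: an operator at human pace (hmi-07), then a burst from a
# compromised engineering workstation opening breakers at four substations in two seconds.
SAMPLE_LOG = """\
2020-03-14T22:01:05Z hmi-07 SS-A BRK-101 OPEN
2020-03-14T22:04:40Z hmi-07 SS-A BRK-102 OPEN
2020-03-14T22:53:10Z eng-ws-3 SS-A BRK-103 OPEN
2020-03-14T22:53:10Z eng-ws-3 SS-A BRK-104 OPEN
2020-03-14T22:53:11Z eng-ws-3 SS-B BRK-201 OPEN
2020-03-14T22:53:11Z eng-ws-3 SS-B BRK-202 OPEN
2020-03-14T22:53:12Z eng-ws-3 SS-C BRK-301 OPEN
2020-03-14T22:53:12Z eng-ws-3 SS-D BRK-401 OPEN
"""


def parse_log(text: str) -> list:
    """Parse log lines into Command records; malformed lines are skipped, not trusted."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        out.append(Command(ts, parts[1], parts[2], parts[3], parts[4].upper()))
    return out


def find_bursts(commands, window=timedelta(seconds=30), min_commands=4, min_substations=2) -> list:
    """Emit one Alert per (host, burst) when a single host issues at least min_commands
    OPEN operations spanning at least min_substations within `window`. A human working an
    HMI rarely does this; malware speaking the control protocol directly does."""
    by_host = defaultdict(list)
    for c in sorted(commands, key=lambda c: c.ts):
        if c.action == "OPEN":
            by_host[c.host].append(c)
    alerts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            chunk = evs[i:j]
            subs = sorted({c.substation for c in chunk})
            if len(chunk) >= min_commands and len(subs) >= min_substations:
                alerts.append(Alert(host, evs[i].ts, len(chunk), subs))
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{a.start:%H:%M:%S} {a.host}: {a.n_commands} OPENs across {a.substations}")
```

The thresholds are deliberately conservative and should be tuned against a site's normal switching activity; the check complements, rather than replaces, protocol-level monitoring on the control network, since an attacker who bypasses the HMI entirely will not appear in its audit log at all.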
Another well-known critical infrastructure failure happened in 2015 and 2016, when tens of millions of dollars were stolen from the Bangladesh central bank and a similar attempt was made against a commercial bank in Vietnam. The attackers did not break into the SWIFT network itself, the global provider of secure financial messaging; instead they exploited weaknesses in the member banks' own systems, which let them use those banks' legitimate SWIFT credentials to issue fraudulent transfer instructions to other banks. Since 2014, North Korean hackers have used this approach to attempt to steal more than $1.1 billion from at least 16 financial institutions in 11 countries, including the $81 million actually taken from the Bangladesh central bank. Despite efforts to curtail this activity, the cybersecurity firm FireEye, which tracks the group as APT38, reports that it remains active and dangerous to financial institutions worldwide.[8] Given the sheer scale of the attempted thefts and the group's willingness to destroy the networks it targets, FireEye assesses it as a serious threat to the financial infrastructure sector.
Lastly, whether it's nuclear power plants or seemingly insignificant dams, the United States is no stranger to critical infrastructure threats and failures. While many know about Russian interference in the 2016 U.S. presidential election, few are aware of the same adversary's attempts to gain a foothold in the American energy grid. In March 2018, two years after the election interference, the U.S. government released a report describing a significant campaign by Russian state-sponsored actors to infiltrate America's critical infrastructure. In it, the Department of Homeland Security and the Federal Bureau of Investigation stated that Russian actors had gained access to computers across various targeted industries, including power plants, nuclear generators, and water facilities, and had collected sensitive data such as passwords, logins, and energy-generation data. Although the report does not describe identifiable sabotage, researchers believe the intrusions could lay the groundwork for future attacks that do more than collect data.[9]
This report was the first time the United States government explicitly blamed Russia for attacks on energy infrastructure. By doing so, the government laid the groundwork for establishing deterrence in cyberspace by making sanctions possible and increasing the risk associated with future hacks.
Summary of the current state of affairs in the United States
Under Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, the U.S. government outlines its strategy for strengthening and maintaining "secure, functioning, and resilient critical infrastructure."[10] This directive is the governing authority for managing the United States' critical infrastructure systems, which provide essential services to American society. It establishes chains of responsibility across federal, state, local, tribal, and territorial entities, as well as public and private owners and operators of critical infrastructure, and it clarifies critical infrastructure-related functions, roles, and responsibilities across the Federal Government to improve coordination and collaboration on the major concerns facing each sector.[11] Because a majority of the critical infrastructure systems in the United States are privately owned, the effectiveness of vulnerability assessments depends on the voluntary cooperation and collaboration of private owners and operators.[12]
One considerable concern with the critical infrastructure systems in the United States is the geographic concentration of significant portions of that infrastructure. For example, nearly half of the country's oil refineries are located along the coasts of Texas and Louisiana, around one-third of all maritime container shipments pass through the California ports of Los Angeles and Long Beach, and fully one-fourth of America's pharmaceutical drugs are manufactured in Puerto Rico. This overconcentration makes it far easier for bad actors to cause large-scale disruption of critical American infrastructure, whether in person or online.[13]
One such example happened in 2003, when an electricity blackout across the Northeast of the United States highlighted the fragility of America's aging, increasingly digital power grid. Although not an attack (it began with overloaded lines contacting trees and was worsened by a software bug in a control-room alarm system that left operators blind to the cascading failure), this single event cost approximately $5 billion in lost productivity and left around 50 million people without power. Given the interdependence of America's power grid and the sheer geographic overconcentration of oil refineries, there is a significant vulnerability to terrorists, cybercriminals, and natural disasters alike. On a larger scale, disruption to energy supplies could cause substantial damage to the economy and security of the country.
More concerning than the vulnerability of the energy sector is the combined physical and cybersecurity challenge facing America's transportation sector. Because rail, air, and marine traffic control are now almost entirely computerized, even a simple disruption by a cyber-terrorist or an amateur hacker could escalate into a catastrophic event.[14] The transportation sector moves not only people and commercial goods but also large quantities of hazardous materials, which makes it a prime target. Trucks, shipping containers, and even airplanes carrying such materials could, if attacked, cause irreparable economic, health, and psychological damage. Lastly, as the current COVID-19 pandemic has shown, even slight disruptions in supply chains, which depend primarily on transportation infrastructure, can have lasting adverse effects on the well-being of citizens and the economy alike.[15]
Emerging threats: A transportation case study
Looking ahead, the landscape of emerging threats is as vast and varied as the number of devices and functions that make up the 16 critical infrastructure sectors. Each machine, user, and piece of software is an additional point of entry through which an attack could be mounted. However, several core tenets of critical infrastructure protection apply generally across the gamut. Given the sheer volume of possible weak links, this paper outlines some of these broadly applicable policy recommendations using transportation networks as an illustrative case study.
From the outset, it must be noted that all ongoing efforts to bring critical infrastructure online are building on a foundation that is already unstable. The President's National Infrastructure Advisory Council (NIAC), an advisory body to the President administered through the Department of Homeland Security, warns that cyberspace "is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure."[16] Furthermore, the Office of Cyber and Infrastructure Analysis (OCIA), then part of DHS's National Protection and Programs Directorate, highlights three underlying themes of pre-existing weakness affecting critical infrastructure in the United States[17]:
1. Changing Seams – the permeable physical and virtual convergence points connecting localities, software types, hardware components, sectors, and “legacy” & new technologies through which data and communications flow,
2. Inconsistent Adoption – differing standards across cities, industries, companies, and users that can create "blind spots" where attackers can exploit vulnerabilities, and
3. Increased Automation – reduced human interaction, which can create an array of possible risks such as inattention to all moving parts of a system, cascading failures, and inadvertent removal of manual overrides.
These themes, taken together, should be considered as the framework around which policymakers create cybersecurity regulations to protect our critical infrastructures across the board.
Compounding these weaknesses is the rise of cyberattacks targeting Industrial Control Systems (ICS) in the United States. During a 2016 hearing before the U.S. House of Representatives' Committee on Homeland Security, Frank Cilluffo, testifying on behalf of the Center for Cyber and Homeland Security at George Washington University, assessed that cyberattacks against ICS equipment had risen 20% in the preceding year alone.[18] By 2019, a Kaspersky survey of industrial organizations reported that a deeply troubling 60% of respondents had experienced an ICS cyberattack in the previous 12 months, an increase of 11% over the figure in the report issued only one year earlier.[19]
Beyond the number of attacks, one must also consider their severity, which likewise falls along a spectrum. At one end are relatively low-level incidents such as cyber espionage, intellectual property theft, and ransomware, which make up the bulk of events. At the other are intrusions that deliver remotely executable malware able to disrupt or damage physical systems, with potentially catastrophic consequences for societal functions.
When it comes to the transportation infrastructure, a variety of actors and interactions are at play. All vehicles traveling via roadways, railways, waterways, or airspace intersect public and private systems that must be aligned to bolster defenses at all junction points. The nature of threats emerging on the landscape as we currently know it can be mitigated by focusing cybersecurity efforts at two connection points[20]:
1. Vehicle-to-Vehicle (V2V) – the systems through which vehicles communicate with each other and their surroundings to prevent collisions, and
2. Vehicle-to-Infrastructure (V2I) – the systems that control flows of traffic on the macro-level throughout and across networks of movement.
Most importantly, beyond the cracks that already exist in the foundations of ICS, the most critical threats are those we have not yet conceived of. Encryption, for instance, underpins the overwhelming majority of our defenses against intrusion. Yet researchers are already warning about advances in quantum computing, which some estimate to be five to ten years away. A sufficiently large quantum computer would be able to break the public-key algorithms (RSA and elliptic-curve cryptography) on which today's key exchange and digital signatures depend; symmetric ciphers are affected far less, though their effective key lengths shrink. As a result, policymakers and technology developers alike must continuously consider how their regulations and products will be retrofitted and updated to protect against threats that may be regarded as only theoretical at present.[21]
Policy recommendations for addressing these threats
Policymakers have a range of regulatory options at their disposal. At the most cautious extreme, we can limit risk by requiring analog controls; at the other, we can disregard risk entirely by connecting all critical infrastructure to the Internet. The former stifles innovation, while the latter foolishly exposes us to attacks where they would hurt the most. For that reason, we advocate a hybrid model that combines digital assets and connectivity with a series of analog failsafes. Looking back to the three underlying weaknesses identified above, our abbreviated policy recommendations can be categorized as follows:
Technology seams:
1. Mandate end-to-end cyber hygiene[22]
a. Patching, password controls, access restrictions, etc.
b. Most end-users are confused by tech security practices, so critical functions like security updates should be automatically "pushed" to systems whenever possible.
2. Enhance collaboration & communication broadly:
a. Establish a framework for collaboration and communication about regulations across states, federal agencies, the private sector, and the international community.[23]
i. Every intersection across operating systems, manufacturers, and purposes must be viewed as an additional vector for attack.
ii. Tech hubs such as New York, Massachusetts, and California should take the lead. The federal government should adopt their models, given the United States' relative global dominance in "big technology," and legislators should work alongside E.U. regulators, who lead in this area of policy, to develop international standards[24].
b. Share “information, tools, capabilities, and knowledge between the government, industry, academia, international partners, and community partners. Only by doing so can we close the gaps and prevent the enemy from carrying out successful cyber or physical attacks.”[25]
c. Develop a single system of widespread, instant information sharing of cyber threats as they emerge to strengthen rapid response capabilities[26]
d. Continue “red team” exercises being conducted by the U.S. government to highlight & bolster against the most cutting-edge attack types[27]
Inconsistent cybersecurity adoption:
3. Require strictest security standards for market readiness
a. Ensure that all devices that have the potential to create harm or societal disruption are airtight before shipping the final product
b. These restrictions must inherently be stricter than what we see for personal phones and computers due to their capacity to inflict harm[28].
c. These regulations should be modeled after those that are already being expertly implemented in the aviation industry.
4. Create separate, secured data networks
a. Backup communication networks must be established to link all public and private stakeholders in the event of attacks that disrupt the primary communication networks[29]
b. Monolithic, centralized systems such as GPS infrastructure should have independent backups so that no single point of failure can take the whole system down[30],[31]
Increased automation:
5. Forward-looking standards:
a. Horizon scans should be built into regulatory standards so that defenses account even for technologies that do not yet exist
i. For example, NIST is already running a post-quantum cryptography standardization process to select algorithms that resist quantum attack, even though a quantum computer large enough to break today's public-key cryptography remains theoretical[32]
6. Human interventions:
a. Analog, localized failsafes and overrides must be included for major functions of devices that can cause harm. This serves to further bolster against the vast majority of cyberattacks that are executed remotely.
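As an added illustration of recommendation 6 (our example, not code from the paper or from any real controller), the following model shows the principle in software: a breaker controller whose remote command path is rate-limited and can be cut off entirely by a locally operated override that has no network-reachable setter at all, so that a remote attacker holding valid credentials still cannot open every breaker or disable the override. Breaker names, limits, and the command format are assumptions.

```python
"""Local interlock and manual override for a breaker controller.

Added illustration of a localized failsafe, not code from the paper or from
any real controller. Breaker names, the rate limit and the command format are
assumptions. The property demonstrated: the remote path is bounded by a local
supervisory limit and can be switched off by a local override that the remote
path cannot touch.
"""
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    REMOTE = "remote"  # arrives over the SCADA network
    LOCAL = "local"    # physical switch or panel at the substation


@dataclass
class Decision:
    accepted: bool
    reason: str


@dataclass
class BreakerController:
    breakers: dict                      # breaker name -> True if closed (energized)
    local_override: bool = False        # engaged only from the LOCAL path
    remote_opens_per_window: int = 2    # supervisory rate limit on remote OPENs
    window_seconds: float = 60.0
    _remote_open_times: list = field(default_factory=list)
    _lockout: bool = False              # latched once the limit is hit; cleared locally

    def command(self, source: Source, breaker: str, action: str, now: float) -> Decision:
        if breaker not in self.breakers:
            return Decision(False, "unknown breaker")
        if action not in ("open", "close"):
            return Decision(False, "unknown action")
        if source is Source.LOCAL:
            # An on-site operator outranks the network: local actions are always honoured.
            self.breakers[breaker] = action == "close"
            return Decision(True, "local command applied")
        # Everything below is the remote path.
        if self.local_override:
            return Decision(False, "local override engaged; remote control disabled")
        if self._lockout:
            return Decision(False, "supervisory lockout latched; clear locally")
        if action == "open":
            self._remote_open_times = [t for t in self._remote_open_times
                                       if now - t < self.window_seconds]
            if len(self._remote_open_times) >= self.remote_opens_per_window:
                self._lockout = True  # a burst of remote OPENs is not a normal operation
                return Decision(False, "remote open rate exceeded; lockout latched")
            self._remote_open_times.append(now)
        self.breakers[breaker] = action == "close"
        return Decision(True, "remote command applied")

    def set_override(self, source: Source, engaged: bool) -> Decision:
        # The override switch has no remote path at all.
        if source is not Source.LOCAL:
            return Decision(False, "override is not remotely settable")
        self.local_override = engaged
        if engaged:
            self._lockout = False
        return Decision(True, "override " + ("engaged" if engaged else "released"))


def demo():
    """Walk a remote 'open everything' attempt through the controller; returns (controller, log)."""
    ctl = BreakerController({"BRK-101": True, "BRK-102": True, "BRK-103": True})
    log = []
    for i, name in enumerate(["BRK-101", "BRK-102", "BRK-103"]):
        d = ctl.command(Source.REMOTE, name, "open", now=100.0 + i)
        log.append((name, d.accepted))
    # The attacker tries to release the override remotely; an operator then engages it on site.
    log.append(("override-remote", ctl.set_override(Source.REMOTE, False).accepted))
    log.append(("override-local", ctl.set_override(Source.LOCAL, True).accepted))
    log.append(("remote-after-override", ctl.command(Source.REMOTE, "BRK-101", "close", now=110.0).accepted))
    log.append(("local-after-override", ctl.command(Source.LOCAL, "BRK-101", "close", now=111.0).accepted))
    return ctl, log


if __name__ == "__main__":
    controller, events = demo()
    for name, ok in events:
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
    print(controller.breakers)
```

In a real substation the override and interlock belong in relay logic or hardwired switches rather than in the same software that handles remote commands; the point the model makes is that the authority boundary is physical location, not possession of credentials, which is exactly what a remote attacker cannot acquire.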
Consequences of not acting
In its report on urgent cyber threats to critical infrastructure in the United States, NIAC highlights the "tremendous cyber capabilities" of the American government and private sector, but juxtaposes that unrealized potential against reality with the stark warning that "we are falling short."[33] Unfortunately, those shortfalls have widened under the current executive administration. As an example, the "Cyber Storm" exercises that DHS began in 2006 to test critical infrastructure security have not continued on their established biennial timeline, and no report has yet been issued on the April 2018 exercise despite the rapid growth in malware capabilities since the most recent report, released in 2016.[34] Adding to this, the Government Accountability Office (GAO) "has made over 3,000 recommendations to federal agencies to address cybersecurity shortcomings—and about 700 have yet to be implemented." It warns, "[u]ntil these shortcomings are addressed, federal I.T. systems and data will be increasingly susceptible to cyber threats."
Research indicates that, absent government oversight, private sector producers of transportation infrastructure technologies will not regulate themselves.[35] Despite the chilling effect that regulatory delays may have on innovation, these technological advancements should be reined in until policymakers establish the permissible frameworks for such devices. Hardware with the potential to cause mass casualties or widespread societal disruption must be held back until airtight cyber defenses are in place.
As always, American defenses must leave nothing to chance. We must stay one step ahead of potential aggressors and assume that they may possess the ability to launch an attack long before they choose to execute it. Especially in the transportation sector, where autonomous movement is at stake, researchers and lawmakers alike must guard against removing the human element too soon, where dangers like inattentiveness, skill atrophy, and over-reliance on imperfect software could have catastrophic effects.
[1] Samuel Gibbs, “Eugene Kaspersky: Major Cyberterrorist Attack Is Only Matter of Time,” The Guardian, May 1, 2014, sec. Technology, https://www.theguardian.com/technology/2014/may/01/eugene-kaspersky-major-cyberterrorist-attack-uk.
[2] United States Cybersecurity & Infrastructure Security Agency, “Identifying Critical Infrastructure During COVID-19 | CISA,” April 2020, https://www.cisa.gov/identifying-critical-infrastructure-during-covid-19.
[3] Jonathan Tal, "America's Critical Infrastructure: Threats, Vulnerabilities and Solutions," Security Info Watch, September 20, 2018, https://www.securityinfowatch.com/access-identity/access-control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-solutions.
[4] Tal.
[5] Tom Ball, “Top 5 Critical Infrastructure Cyber Attacks,” Computer Business Review (blog), July 18, 2017, https://www.cbronline.com/cybersecurity/top-5-infrastructure-hacks/.
[6] Andy Greenberg, “Crash Override Malware Took Down Ukraine’s Power Grid Last December,” Wired, June 12, 2017, https://www.wired.com/story/crash-override-malware/.
[7] Greenberg.
[8] FinExtra, “North Korean Hackers Used Swift Network to Steal More than $100m - FireEye,” Finextra Research, October 5, 2018, https://www.finextra.com/newsarticle/32742/north-korean-hackers-used-swift-network-to-steal-more-than-100m---fireeye.
[9] Kelsey Atherton, "It's Not Just Elections: Russia Hacked the U.S. Electric Grid," Vox, March 28, 2018, https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants.
[10] United States Cybersecurity & Infrastructure Security Agency, “Critical Infrastructure Sectors | CISA,” 2020, https://www.cisa.gov/critical-infrastructure-sectors.
[11] Obama White House, “Presidential Policy Directive -- Critical Infrastructure Security and Resilience,” whitehouse.gov, February 12, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
[12] “Critical Infrastructure Vulnerability Assessments | CISA,” accessed April 30, 2020, https://www.cisa.gov/critical-infrastructure-vulnerability-assessments.
[13] Tal, "America's Critical Infrastructure."
[14] Tal.
[15] Rebecca Liao and Ziyang Fang, “Supply Chains Have Been Upended. Here’s How to Make Them More Resilient,” World Economic Forum, April 6, 2020, https://www.weforum.org/agenda/2020/04/supply-chains-resilient-covid-19/.
[16] The President’s National Infrastructure Advisory Council (NIAC), “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure” (U.S. Department of Homeland Security, August 2017), https://www.cisa.gov/sites/default/files/publications/niac-securing-cyber-assets-final-report-508.pdf.
[17] Office of Cyber and Infrastructure Analysis, "The Future of Smart Cities: Cyber-Physical Infrastructure Risk" (Washington, D.C.: U.S. Department of Homeland Security, August 2015), https://www.us-cert.gov/sites/default/files/documents/OCIA%20-%20The%20Future%20of%20Smart%20Cities%20-%20Cyber-Physical%20Infrastructure%20Risk.pdf.
[18] Frank Cilluffo, testimony, "Emerging Cyber Threats to the United States," hearing before the Committee on Homeland Security, U.S. House of Representatives (2016), https://www.govinfo.gov/content/pkg/CHRG-114hhrg21527/html/CHRG-114hhrg21527.htm.
[19] Thomas Menze, "The State of Industrial Cybersecurity 2019" (Kaspersky and ARC Advisory Group, July 2019), https://ics.kaspersky.com/media/2019_Kaspersky_ARC_ICS_report.pdf.
[20] Office of Cyber and Infrastructure Analysis, "The Future of Smart Cities."
[21] Martin Giles, “Five Emerging Cyber-Threats to Worry about in 2019,” MIT Technology Review, January 4, 2019, https://www.technologyreview.com/2019/01/04/66232/five-emerging-cyber-threats-2019/.
[22] Martin Giles, “For Safety’s Sake, We Must Slow Innovation in Internet-Connected Things,” MIT Technology Review, September 6, 2018, https://www.technologyreview.com/2018/09/06/140459/for-safetys-sake-we-must-slow-innovation-in-internet-connected-things/.
[23] Bridget Johnson, “CISA Confronts 2020’s Top Critical Infrastructure Threats – Homeland Security Today,” December 31, 2019, https://www.hstoday.us/subject-matter-areas/infrastructure-security/cisa-confronts-2020s-top-critical-infrastructure-threats/.
[24] Giles, “For Safety’s Sake, We Must Slow Innovation in Internet-Connected Things.”
[25] Johnson, “CISA Confronts 2020’s Top Critical Infrastructure Threats – Homeland Security Today.”
[26] The President’s National Infrastructure Advisory Council (NIAC), “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure.”
[27] The President’s National Infrastructure Advisory Council (NIAC).
[28] Giles, “For Safety’s Sake, We Must Slow Innovation in Internet-Connected Things.”
[29] The President’s National Infrastructure Advisory Council (NIAC), “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure.”
[30] Lily Hay Newman, “What If a Cybersecurity Attack Shut Down Our Ports?,” Slate Magazine, May 11, 2015, https://slate.com/technology/2015/05/maritime-cybersecurity-ports-are-unsecured.html.
[31] Cilluffo, "Emerging Cyber Threats to the United States."
[32] Giles, “Five Emerging Cyber-Threats to Worry about in 2019.”
[33] The President’s National Infrastructure Advisory Council (NIAC), “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure.”
[34] Cybersecurity & Infrastructure Security Agency (CISA), “Cyber Storm: Securing Cyber Space | CISA” (Washington, D.C.: U.S. Department of Homeland Security, March 6, 2019), https://www.cisa.gov/cyber-storm-securing-cyber-space.
[35] Giles, "For Safety's Sake, We Must Slow Innovation in Internet-Connected Things."