In 2007, the late Mike Assante blew up a 27-ton diesel generator with 30 lines of code, demonstrating to officials from the Department of Homeland Security the destructive potential of cyberattacks targeting critical infrastructure.
Cyberattacks have progressed since then, and their potential remains as deadly as ever. Incidents like the recent Florida water treatment facility disruption remind us of the imminent threat cyberattacks can pose to critical infrastructure, while a recent indictment in Kansas — in which an employee used remote access to interfere with a water facility — confirms the persistence of malicious actors from the inside.
For years, individuals and institutions “in the know” have been trying to bring to national attention the vital need to protect critical infrastructure. This week, the Biden administration appeared to take notice, laying out a strategic plan for a 100-day sprint that incentivizes organizations overseeing power grids to identify vulnerabilities and proactively implement measures to protect themselves against cyber threats. As we will see, sophisticated technologies, such as artificial intelligence (AI) that learns “self,” are needed to rise to the urgency and complexity of this call for action.
Critical infrastructure’s evolving threat landscape
The cyber threats targeting operational technology (OT) are in many ways distinct from those targeting familiar information technology (IT). Firstly, the high stakes involved in OT compromise and the operational outages that may ensue make OT a much greater target for nation-state actors. Indeed, in the history of advanced persistent threats (APTs) — the industry term for nation-state actors and state-sponsored groups — the practice of targeting OT stretches back more than a decade, and the threat of attacks against cyber-physical environments persists today.
Over the years, state-sponsored cyberattacks, including Industroyer and Triton, have done major damage to petrochemical plants, power grids and the range of industries relying on OT. Not only do APTs have access to large budgets and advanced technologies, but they also often have access to zero-days that leave rules, signatures and blacklists in the dark.
Nowadays, critical infrastructure has also become the target of lower-level threat actors such as cyber-criminal gangs. EKANS — ransomware targeting processes related to industrial control systems — enabled cyber criminals to disrupt operations at international sites run by a global automobile manufacturer in 2020. As machine-speed attacks grow in sophistication, Secretary of Homeland Security Alejandro Mayorkas confirmed the severity of this challenge, stating at the 2021 RSA cybersecurity conference: “Let me be clear: ransomware now poses a national security threat.”
Protecting critical infrastructure: challenges from within
The cybersecurity challenges associated with protecting critical infrastructure not only involve protecting against external threats, but also grappling with the technology architectures of OT environments themselves. OT frequently includes decades-old legacy devices that were not designed with security in mind, and often carry with them infections that go unnoticed for years.
The prevailing security strategy often is still to “air gap,” that is, to separate the OT from the IT in the hope that attacks cannot move from one environment to the other. However, as OT and IT converge, this opens up the door for sophisticated attacks to easily pivot from one to the other — first moving from the inbox, for example, and then moving across the enterprise onto the plant floor.
Many organizations with industrial ecosystems are also adopting new technologies such as the industrial cloud. In particular, the renewable energy sector is a big adopter of cloud solutions, or ICS as a Service (ICSaaS). A wind farm in California, for example, might be remotely controlled by engineers on the East Coast, or a vendor might maintain and run equipment for a hydroelectric plant in Latin America from their European headquarters.
While this offers significant operational efficiencies, this trend also brings with it associated risks. In light of this, sophisticated technologies are needed to maintain visibility throughout OT, IT and ICSaaS, and also to protect against threats that traverse these domains. Legacy security tools simply cannot make the grade.
Advanced technologies provide a practical path forward
As the global threat landscape and the technology architectures that make up critical infrastructure evolve, many approaches to OT security still remain stuck in the past, focused on rules, signatures and patching known vulnerabilities in environments with industrial control systems (ICS).
The extent of this challenge became apparent at the SANS 2021 ICS Security Summit, with experts confirming that many advisories for ICS devices have no practical mitigation advice, and that more than one-fifth of reported common vulnerabilities and exposures (CVEs) don’t even include a patch. This makes vulnerability management workflows a process of diminishing returns.
Rather than continuing to play a cat-and-mouse game with attackers, organizations overseeing critical infrastructure should adopt a new approach to security. While the Biden administration has fortunately set out a plan to shore up the security of the U.S. power grid, current estimates suggest that, without the right technologies in place, it could take years to enact this plan — this is time we don’t have.
Protecting these sensitive environments requires a technology that can handle the scale, speed and sophistication of changes taking place within them, and also the scale, speed and sophistication of the threats they face. Fortunately, self-learning AI has been proven to provide full visibility into entire complex networks within days of installation and can also detect and autonomously investigate even the most sophisticated cyberattacks within seconds.
In a capacity analogous to the human immune system, AI that learns “self” achieves an in-depth understanding of normal behavior so as to immediately detect the subtle deviations involved in early-stage threats. By understanding normal rather than relying on predefined indicators of threat, self-learning AI responds to never-before-seen attacks and malicious insiders alike, as well as infections that have remained within ICS ecosystems for years.
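The baselining idea in the paragraph above, as an added example that is not the article's own or any vendor's code: a small behavioural baseline over constructed Modbus/TCP flow summaries for a hypothetical plant segment, which flags hosts, function codes and traffic rates never seen during the learning period. The host names, the PLC, the function codes used and every flow record are constructed for the example.

```python
from collections import Counter

# Constructed flow summaries (not real captures): (source host, destination PLC,
# Modbus function code, minute of day). Learning period covers minutes 0..479.
BASELINE_FLOWS = (
    [("hmi-01", "plc-07", 3, m) for m in range(0, 480)]          # HMI reads registers every minute
    + [("eng-ws", "plc-07", 3, m) for m in range(0, 480, 30)]    # workstation polls every 30 min
    + [("hmi-01", "plc-07", 6, m) for m in (60, 240, 420)]       # occasional single-register writes
)
NEW_FLOWS = [
    ("hmi-01", "plc-07", 3, 481),
    ("eng-ws", "plc-07", 16, 482),   # write-multiple-registers, never seen from eng-ws
    ("laptop-9", "plc-07", 3, 483),  # host never seen on this segment
] + [("eng-ws", "plc-07", 3, 484 + i) for i in range(10)]  # burst of 10 reads in 10 minutes


class BehaviourBaseline:
    """Learn which (src, dst, function) triples are normal and how busy each host gets."""

    def __init__(self, window=60):
        self.window = window        # minutes per rate window
        self.triples = set()        # every (src, dst, function code) observed while learning
        self.max_rate = {}          # src -> most flows seen from it in any one window

    def learn(self, flows):
        per_window = Counter()
        for src, dst, fc, minute in flows:
            self.triples.add((src, dst, fc))
            per_window[(src, minute // self.window)] += 1
        for (src, _), n in per_window.items():
            self.max_rate[src] = max(self.max_rate.get(src, 0), n)

    def score(self, flows):
        """Return deviations from the learned baseline; an empty list means nothing new."""
        alerts, per_window = [], Counter()
        for src, dst, fc, minute in flows:
            if src not in self.max_rate:
                alerts.append(("unknown-host", src, dst, fc))
            elif (src, dst, fc) not in self.triples:
                alerts.append(("new-behaviour", src, dst, fc))
            per_window[(src, minute // self.window)] += 1
        for (src, _), n in per_window.items():
            if src in self.max_rate and n > 2 * self.max_rate[src]:
                alerts.append(("rate-anomaly", src, n, self.max_rate[src]))
        return alerts


def detect():
    baseline = BehaviourBaseline()
    baseline.learn(BASELINE_FLOWS)
    return baseline.score(NEW_FLOWS)
```

Running `detect()` yields one alert each for the unexpected write function code, the unknown host and the read burst, while re-scoring the learning period itself yields none.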
Self-learning AI provides a practical path forward to overcome the threats facing critical infrastructure. The vital industry verticals that keep our societies up and running deserve these sophisticated technologies to maintain availability and integrity against the rising tide of cyberattacks.