The White House on Monday issued an important statement on impending cyberattacks from Russia. It’s likely that fluid transnational threat actors will continue to probe industries that rely on industrial control systems, because those industries are high-value targets that tolerate little in the way of outages or downtime.
With the White House reiterating its earlier warning that the Russian government has been exploring options for potential cyberattacks, it’s important to take action now to address risks and vulnerabilities and to double down on security best practices. Security teams really need to prepare for and identify evolving threat actors, tactics, and new exploits. Such steps will reduce an organization’s risk profile.
To build proactive methods to fortify operations, companies and industries have to share information. Despite the distributed and interdependent nature of critical infrastructure, progress on cybersecurity also requires a centralized and impartial command post. The recent Cyber Incident Reporting Act (CIRA) establishes the Cybersecurity and Infrastructure Security Agency (CISA) as that entity.
Many industries are stuck in react mode because it’s nearly impossible to predict the likelihood of a cyberattack and identify the next target. CIRA, drafted with input and support from the 16 critical infrastructure sectors, establishes a new journey for the critical infrastructure entities outlined in Presidential Policy Directive 21, rather than a destination or an ultimatum. While the bill mandates a 72-hour reporting timeline for cyber incidents and ransomware payouts, the follow-on rulemaking creates an opportunity for industry partnerships to enhance cybersecurity, both through proactive steps to reduce risk and exposure and through coordinated responses to emerging attack vectors and threat actors.
The CIRA bill was not signed in a vacuum. Here’s a snapshot of what has been done in the last several months to help fortify the critical infrastructure sector:
- The bipartisan infrastructure bill in November 2021 and promises from other countries across the European Union could result in hundreds of billions of dollars for critical infrastructure sectors, and for green and renewable energy projects.
- In the U.S., the Defense Industrial Base (DIB) has already introduced a shared threat intelligence monitoring program that includes a 72-hour breach reporting mandate and a voluntary program for public-private partnerships to address cybersecurity. Cooperation lets the industry move from best practices and shared ideas to methods and models of implementation.
- The U.S. Securities and Exchange Commission has proposed new regulations to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposal recommends a four-day reporting period.
- The European Union Agency for Cybersecurity released new guidance to assist operators of essential services in implementing cybersecurity measures.
- The European Commission has been working to overhaul the 2006 European Programme for Critical Infrastructure Protection (EPCIP). The EPCIP reviews sectors not sufficiently taken into account and maps in part to CISA’s subcommittee on building resilience in critical infrastructure.
We know that critical infrastructure sectors are dependent on one another. For example, the water sector depends heavily on the energy, transportation, finance, and manufacturing (mostly chemicals) sectors. Transportation depends on energy, finance, communications, and manufacturing. And energy has become incredibly interdependent, where more than 90% of inputs into the energy sector in the U.S. are outputs of the same industry.
The landscape of the energy industry has become so vast that it directly impacts food, transportation, finance, government, and communications. Digitization across the industry results in a plethora of touch points for adversaries to access and exploit. This vast threat landscape shifts the adversary’s cost/benefit calculation: more touch points translate to more widespread potential for malicious impact.
Digital interdependencies exacerbate transactional dependencies among and between sectors. Organizations and operators rely on data and technology, and many sectors rely on the same vendors in their supply chains. The interdependencies are two-fold. Asset owners are dependent on data, information, and communications to produce, refine, and manage their supply chain and production. They are also dependent on data, information, and communications to deliver those products – goods, resources, and services – to populations and industries.
The misunderstanding and misrepresentation of these dependencies and interdependencies can quickly lead to panic, especially in industries that produce and distribute goods, resources, and services that are vital to daily life and health. We tend to prioritize energy, water, and food, though different populations also rely on government services, transportation, healthcare, and finance to conduct daily operations and meet the needs of their constituents, patients, and customers.
Industry needs to prioritize developing ways to understand and monitor what’s at stake – breaking down the people, technologies, and processes used to produce and deliver those goods and services – to identify the most important technology, data, information, and communications to secure. After President Biden’s warning this week, it’s more than time for businesses to get more proactive about security.
Danielle Jablanski, OT Cybersecurity Strategist, Nozomi Networks