Recent threats to drinking water safety and a national shortage of gasoline supply have propelled the conversation about critical infrastructure cybersecurity all the way to the Oval Office.
Recently, the Biden administration released a long-awaited executive order (EO) that seeks to improve the nation’s cybersecurity and protect federal networks by improving public-private information sharing on cyber issues. It also outlines the administration’s effort to strengthen our country’s ability to respond to both nation-state attacks and cybercriminals when they inevitably wreak havoc.
The administration has also put money behind their words, budgeting billions of dollars in funding toward the Defense Department’s cybersecurity efforts. This money will let the DOD innovate and modernize its cyberinfrastructure through research, development, and innovation.
The Biden administration primarily wants the DOD to focus on cybersecurity data analytics, climate resilience and transportation security technologies and has budgeted $2.1 billion toward the Cybersecurity and Infrastructure Security Agency (CISA).
These investments mark a positive step in transparency between technology vendors and government organizations. The security community works better together, and information sharing on vulnerabilities, breaches, and new nation-state threat groups will benefit the industry as a whole, while simultaneously protecting federal entities.
How we got here
Let’s take a step back to the May 7 pipeline ransomware attack, which led to widespread panic around gas shortages from Texas up the East Coast. The pipeline supplies 45% of the fuel for the East Coast, and its compromise led to hour-long waits at the pump and per-gallon prices at a seven-year high.
DarkSide, the Russian adversaries responsible for the attack, held the organization’s data for a $4.4 million ransom, which the CEO ultimately authorized to be paid in full. The adversaries reportedly collected $90 million from a total of 47 victims throughout the spree, with Colonial paying the highest price.
Just a couple of months earlier, a water treatment facility in Oldsmar, Fla., experienced a similar fate. An unknown assailant gained access to the water treatment facility using TeamViewer, a remote desktop software program, and attempted to increase levels of sodium hydroxide from 100 parts per million to 11,100 parts per million. Thankfully, the treatment facility had systems in place that would have detected the imbalance of chemicals before it came close to reaching its 15,000 residents’ faucets, but it was surely a wake-up call.
Why these attacks matter
A “Digital Pearl Harbor” has long been a fear of experts, which has become more prescient as our adversaries look to cause disturbances throughout our critical infrastructure. Attacks are no longer just impacting businesses and governments but are disrupting our day-to-day lives and how we function as a society. Yesterday it’s water, today it’s gas, tomorrow we could see an attack on the electric grid. The ambitions of hackers are only growing stronger as their motives also include looking for opportunities to create chaos that further breeds an environment that they can prey on.
These urgent conversations are bringing the relationship between the public and private sectors into focus. The EO and the DOD budget are both reassuring signs that the Biden administration will take the necessary steps to finally make infrastructure security a top priority, but the overall mindset about cybersecurity needs to change at a fundamental level.
No longer can we think of cyber tools as a secondary need to modernized systems – we must address them hand-in-hand. Governments at the federal, state, and local levels all must build cybersecurity controls into their systems as they modernize them instead of bolting them on as we have unsuccessfully done in the past.
What comes next
The EO and the FY22 budget are opening the right doors, and now it’s time for security experts to improve our industry’s approach. Government vendors must think differently about how they develop their software to address the evolving threats to our critical infrastructure.
To truly modernize and innovate our security approach as a nation – especially when it comes to authentication and access controls – we need to shift to an identity-based approach. This means creating a zero trust security mandate that minimizes the attack surface and improves audit and compliance visibility.
Recent research found that 77% of U.S. organizations utilize a zero trust approach in their cybersecurity strategy, but there’s no doubt still room for improvement. Modern privileged access management (PAM) solutions leverage identities to reduce the reliance on shared passwords, enforce more granular controls, and stop privileged administrative access abuse, the cause of the Oldsmar and pipeline attacks. Both incidents may have been preventable if their networks used a least privilege approach based on zero trust principles to verify who requests access, the context of the request, and the risk of the access environment.
We see the Biden administration’s recent investment in critical infrastructure as a welcome first step in fighting back against sophisticated and targeted attacks on our infrastructure. Government organizations should capitalize on the rise of public and private partnerships and budgeting for critical cybersecurity programs.
By framing existing security infrastructure around identity-based protection, organizations can more effectively address the root causes of the majority of breaches – privileged access abuse. This will put them in a much stronger position to resist the wave of sophisticated cyberattacks currently challenging the integrity of vital state and federal government infrastructure.
Bill O’Neill, vice president of public sector, ThycoticCentrify