Today, critical infrastructure organizations face many challenges. A lack of visibility across enterprise architecture, outdated IoT and OT devices, which often come with vulnerabilities and no available patches, and a lack of resources to combat increasingly sophisticated and frequent ransomware attacks. In short, critical infrastructure remains a sector ripe with opportunity for bad actors – and attackers take advantage of this.
According to the FBI, in 2022, ransomware gangs breached the networks of at least 860 U.S. critical infrastructure organizations. Additionally, of the 16 critical infrastructure sectors, 14 had at least one member that, “fell victim to a ransomware attack in 2022.” Even worse, ransomware attackers are continuing to innovate and refine their tactics to elicit maximum impact, and they’re not slowing down anytime soon. In fact, industry leaders warn that 2023, “could wind up being one of the highest grossing years for ransomware yet.”
Steadying critical infrastructure
Critical infrastructure organizations need all the help they can get. Fortunately, we’re starting to see more agency-led initiatives crop up to further aid in the information-sharing and resilience-building of these chronically under-resourced and over-targeted institutions.
Last month, CISA unveiled a new Ransomware Vulnerability Warning Pilot (RVWP), designed to identify vulnerabilities across critical infrastructure and alert system owners accordingly. The program mirrors another effective playbook CISA has run in the federal government for years, such as CISA’s Cyber Hygiene Web Application Scan and Trusted Internet Connection programs. While the pilot is not perfect, it’s an “extra set of eyes,” looking for publicly-exposed vulnerabilities. Its cross-functional approach also brings vulnerabilities to the attention of system owners who may not have had the time or resources to identify and remediate the potential threat on their own. Essentially, programs like this are one more weapon that we can use to fight the never-ending battle against ransomware.
In an ideal world, federal agencies and the federal government could supplement initiatives like this by offering additional tools and support in the mitigation process instead of just alerting organizations to an issue. This would let them go after the source of ransomware themselves.
We see some progress on this front. Earlier this month, the FBI disrupted a 20-year-old malware network being used by the Russian government – an impressive feat. Similarly, in the past few weeks, the idea of banning ransom payments altogether has been floating through government circles, which could be exactly what we need to stop ransomware. It’s a fundamentally different approach to deal with a problem that’s been way too prevalent for far too long. But in the meantime, we need to do more.
Support through action and accountability
From a regulatory perspective, we still need more accountability for poor cyber practices and lax cyber hygiene. It’s especially true for organizations in critical infrastructure, where an oversight in security can lead to an outage in production, an energy grid malfunction, or even a hospital’s systems going down for an indefinite amount of time. Whether it’s fines, notifications to insurance companies, or withdrawal of permits or contracts, we need to see the federal government holding more organizations accountable for the basics. We also need to see the U.S. government address building cyber resilience with as much urgency and rigor as other national security issues.
Ransomware has become pervasive, and it’s consistently threatening the underpinnings of our society. Critical infrastructure organizations need additional resources – people, tools, and legislation with teeth – to drive real, actionable change.
We need programs that encourage our best and brightest to join the cybersecurity battle. We need more loan forgiveness programs for cybersecurity professionals, and we need to approach cyber-skilling, recruiting, and retention with more creativity. When the nation puts its best minds and resources together to solve a problem, we can accomplish great things.
We are still in the “talking” phase of addressing the country’s cybersecurity issue and the ransomware problem. Unfortunately, this means every day spent talking, the more dire the consequences become. We need to get serious. We need to recognize cybersecurity as a true national priority and get to the “solving” phase of this discussion. While the problem itself may never completely go away, with greater focus we can become more resilient.
Gary Barlet, Field CTO, Illumio Federal
