Since last year, the scale and severity of ransomware attacks have escalated to an alarming level. On top of raising the amount of ransom, bad actors have also shifted the target victim from small-to-medium virtual businesses to large-scale brick and mortar entities that are the pulse of America – critical infrastructures; the sector that supplies the life essentials to the nation, from water and electricity to transportation and education.
As the core engines for the country, these companies are key targets for cybercriminals as they are too important to ignore the threats and the country cannot afford any of them to shutdown – even a slight delay of their operations can lead to a butterfly effect on the whole supply chain. In the two most recent major ransomware attacks that targeted critical infrastructure businesses, both victims, the world’s largest meat processing company JBS USA and America’s largest pipeline system Colonial Pipelines, decided to pay out the ransom to avoid a longer paralysis. The former paid an $11 million one week after the hack and the latter paid $4.4 million in Bitcoin on the day of the attack – which was later reported to have been mostly recovered by the intervention of the Department of Justice (DOJ). Both companies have claimed the decision was made out of a necessity to not cause more serious damage to the supply chain. But now the cybercriminals have learned the vulnerabilities and dilemma of companies in this sector, future attacks will only be more targeted and fatal.
The DOJ has taken on the battle and elevated the level of investigations of ransomware attacks to the similar priority of terrorism. The department is currently studying and investigating more than 100 types of ransomware to prepare the nation for the next strike. Reinforcing defense power is a top priority but it may not be enough. The government needs to also increase the budget for the critical infrastructure sector to amend the vulnerabilities as most of the hardware and facilities that operate under this sector are very dated and insufficiently funded. Due to the mixed-ownership between public and private sectors and the frequently changing funding policies, the funds allocated to renovation and maintenance of the facilities are highly imbalanced. According to the latest report in 2021 from the American Society of Civil Engineers (ASCE), America’s critical infrastructure system was rated overall as C –, risen from level D four years ago. Although the rating jumped from “mostly below standard” to “average,” the infrastructure investment gap has grown from $2.1 trillion to $2.59 trillion. If the investment gap can not be closed, it will lead to a massive loss in GDP by 2025. The Colonial Pipelines hack is just an alarm bell, if the country keeps pushing off the investment in critical infrastructure security, the price to pay for this negligence will be unimaginably high.
When facing a terrorism act, the authorities should take the lead in guarding the country. But this does not just fall to the governments, companies and organizations under this sector should also gear up and conduct evaluations over the old systems and implement new technologies to enhance their defense systems.
Firstly, companies should put sensitive monitoring systems in place and build a central checks and balances system. Most companies under this sector have multiple operating systems, which means a delay in any one might cause paralysis of the entire facility. Therefore, an extensive and comprehensive monitoring system is the first moat to keep criminals out. Putting in 24/7 sensitive surveillance over the entire system can eliminate the chance of leaving loopholes to hackers. Additionally, a central controlling system can ensure that if one system is isolated and compromised by hackers, the manager can still access that system remotely and mitigate the damage. Secondly, and extremely important for this sector, companies should always use separate IT and Operating Technology (OT) systems. Some companies choose to converge the two systems for easier management, but that also brings potential threats. Most OT systems, including hardware and other physical equipment, are built decades ago without regular maintenance and renovation, because of that, OT usually becomes the first target for hackers. If the two systems run on the same server, hackers can easily breach through the connection and get control of both systems.
Last but not least, a small leak can sink a great ship. Therefore, managers should always make sure every employee receives the proper cybersecurity training and education. According to Verizon’s 2021 data breach investigations report, 85% of cyber breaches involve human elements. To minimize the risks, every company should educate employees on how to identify spam and malicious email and adopt a “zero-trust” approach to limit each employee’s access to the entire database.
The battle against terrorism in the digital age will be a systemic challenge, that’s why every sector of a nation should play its role in the defense. The government should lead forceful investigation and sanctions towards the bad actor and enact a funding system that can fill the investment gap in the critical infrastructure sector. In addition, companies should bring in additional staff training on cybersecurity; update and put in monitoring systems and new technologies.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.