In his testimony before the U.S. House Committee on Homeland Security on April 5, Amit Yoran, Tenable’s chairman and CEO, highlighted real-world challenges and offered guidance on how government can help.
When leaders in government and the private sector speak about critical infrastructure, we tend to describe it as if it were one monolithic entity, funded equally and governed by the same set of rules and regulations. In the United States, the reality is far different.
Heterogeneity among critical infrastructure providers coupled with other factors, such as their prime appeal as targets for cybercriminals and the industry pressure to digitize their operations, make it a challenge to craft a consistent, unified and effective cybersecurity strategy for this sector. It’s a critical issue whose implications extend well beyond the technology realm, as cyber breaches of water treatment facilities, hospitals or power plants can have life-and-death consequences.
It’s an issue Tenable is deeply involved in. Amit Yoran, our CEO and chairman, testified before the U.S. House Committee on Homeland Security on April 5 during the “Hearing on Mobilizing our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threat.’’ Yoran’s testimony provided a comprehensive assessment of the challenges and offered concrete suggestions for improvements.
“Critical infrastructure providers have a duty of care, highlighted in turbulent times, to be responsible stewards of the services that are relied on by millions of Americans,” Yoran said.
Data reveals stark differences in cyber maturity
The Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors in the U.S., including financial services, energy providers, healthcare, manufacturing, and water and wastewater treatment facilities. Some, like financial services organizations, are privately held, well-funded, for-profit entities, with no shortage of resources to hire the top cybersecurity talents and purchase best-of-breed technologies. Others, like energy and transportation providers, may run the gamut, with some privately operated, others publicly held, and some run as public-private partnerships, with wide variances in the level of funding and resources available to them. Still others, like water and wastewater treatment facilities, are run by local municipalities that often struggle to fund basic services, let alone find the resources to lure top cybersecurity professionals to their teams.
The level of cybersecurity preparedness amongst critical infrastructure providers is concerning. According to a report from the Center for Strategic and International Studies (CSIS) and Trellix— based on survey results from 800 IT decision makers from several countries around the world, including the United States — 9% of critical infrastructure operators don’t even have a cybersecurity strategy in place, despite the fact that 85% of respondents believe they have been targeted by a nation-state cyberthreat.
Tenable’s own vulnerability data reveals stark differences in cybersecurity maturity levels among key critical infrastructure sectors. According to Tenable data, the average number of critical vulnerabilities per device found in financial services organizations and in organizations in the energy sector — which includes providers of electricity, oil, gas and other consumable fuels — is about the same. Our data indicates both sectors are relatively mature in their cybersecurity practices. It takes a median of 12 days for organizations in the financial services and energy sectors to remediate a critical vulnerability. Contrast that with organizations in the healthcare and manufacturing sectors, which average twice as many critical vulnerabilities per device as their financial services and energy counterparts. Vulnerability remediation takes a median of 29 days for manufacturing organizations and 32 days for healthcare organizations, respectively. The more time a vulnerability is left unpatched, the greater the advantage it presents to attackers.
As Yoran stated in his written testimony: “There is no singular defense paradigm that could effectively be applied across all the sectors. Some critical infrastructure providers have a high degree of cybersecurity preparedness, strong risk understanding and risk management practices, and very strong security programs. Others are woefully ill-prepared.”
Attacks on interconnected systems have sweeping impact
At the same time, all critical infrastructure organizations face the same pressure to pursue digital transformation in their quest for efficiency and to accommodate the needs of a remote workforce. The changes are impacting not only the information technology (IT) systems and infrastructure but also the operational technology (OT) systems upon which critical infrastructure organizations rely.
While the notion of digital transformation is nothing new for those working in IT, the pace of change has quickened dramatically in the past two years as the global pandemic forced organizations to quickly ramp up a variety of cloud and remote access solutions in order to keep their businesses functioning. In OT, connectivity to IT systems and networks is a comparably new phenomenon and often involves updating legacy industrial systems with modern connectivity solutions in order to improve efficiency. Such IT/OT convergence is rapidly transforming how critical infrastructure organizations operate — and increasing risk in the process.
Taken together, the disparities in funding and the increasing interconnectedness of systems can significantly increase risk. To illustrate the real-world implications when a small municipality is targeted, Yoran’s testimony explored a February 2021 incident in which a water treatment plant was breached in Oldsmar, FL, a town of 15,000. In this incident, the attacker attempted to change the alkaline levels in the water to a level that would severely damage human tissue. It’s a striking example of the risks of IT/OT convergence; the attacker gained access to a remote IT management software called Team Viewer, and from there “accessed the system by exploiting cybersecurity weaknesses including poor password security, and an outdated Windows 7 operating system,” according to the FBI. This attack demonstrates the significance of proper system hygiene.
As alarming as the water treatment example is, another recent case even more starkly illustrates the potential negative outcomes of IT/OT convergence. On May 7, 2021, Colonial Pipeline was hit with a ransomware attack that caused the company to shut its operations for six days, prompting the President of the United States to issue a state of emergency. The compromise affected business systems located in the organization’s IT environment. The OT systems that control the pipeline itself were not directly accessed in the attack. Yet, the fear and uncertainty of the possible reach of the attack contributed to Colonial Pipeline’s decision to shut down pipeline operations. Colonial Pipeline ultimately ended up paying the hacking group DarkSide a total of 75 bitcoins ($4.4 million) for the ability to unlock its systems and get fuel back out to a majority of the East Coast.
Ransomware attacks against critical infrastructure providers represent a profitable enterprise for cybercriminals, as demonstrated by the Conti ransomware data leaks. The Conti bitcoin wallet data showed more than $1 billion had been paid, creating a massive funding method for Russian actors. It also clearly demonstrates the importance of vulnerability management as a core tenet of strong cybersecurity practice. The Conti group and its affiliates reportedly made use of over 30 known vulnerabilities, some of which were first disclosed in 2018.
While these challenges may seem daunting, Yoran’s testimony outlined four concrete steps the U.S. government can take to improve the cyber preparedness of critical infrastructure providers.
Establish baseline cybersecurity standards of care for critical infrastructure that align with international standards and the National Institutes of Standards and Technology (NIST) Cybersecurity Framework, based on effective cyber hygiene practices.
Finalize and implement the proposed SEC rule that requires public companies to disclose their policies and practices to address their cybersecurity risks.
Implement the cyber incident reporting requirements included in the FY 2022 Omnibus Appropriations bill.
Support and strengthen value-added engagement between the private sector and public sector.
Yoran’s testimony also included guidance on actions the U.S. government can take to protect its own networks and systems. These include:
Strengthening government networks by including protection of federal OT and Active Directory services in the Continuous Diagnostics and Mitigation (CDM) Program.
Implementing Section 1505 of the FY 2022 National Defense Authorization Act.
Establishing metrics for transparency and accountability.
Ensuring sufficient funding for CISA and the Office of the National Cyber Director to ensure they can meet mission requirements.
For more detail on these recommendations, access the full testimony here.
Learn more
Download Tenable’s 2021 Threat Landscape Retrospective
Read the blogs, You Can’t Modernize Critical Infrastructure Without Cybersecurity and Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure
Download the whitepaper, Prediction of an OT Attack