How Vulnerable Is Critical Infrastructure to a Cyberattack?

On Thursday Oct. 22, 2020, the Australian Home Affairs Minister Peter Dutton warned attendees at The Age's National Security Summit that they must prepare to counter prolonged and catastrophic cyberattacks on critical infrastructure that could disrupt entire industries.

The message to Australia and the world: "The potential consequences of a successful attack could be catastrophic. A prolonged and widespread failure in the energy sector, for example, could cause knock-on disruptions to other essential systems including medical, transport, traffic management systems, banking services or even the supply of food and groceries."

Meanwhile, in the United Kingdom, similar cyberthreats to critical infrastructure have emerged. The author of an article in Infosec Gobal writes, “A new director has been appointed to the National Cyber Security Centre (NCSC, a division of GCHQ), with the outgoing director warning that a 'national cyber emergency' due to a 'category one' cyber attack on our national infrastructure, which could cause loss of life or severe economic damage, has moved closer to probability. Emergencies have been reported that 'came close,' suggesting it feels very much like it’s a matter of 'when, not if.'"

Closer to home, CNBC reports the FBI announced that election infrastructure was under attack: "Iran and Russia have both obtained information about American voter registrations and are trying to influence the public about the upcoming U.S. presidential election, national security officials said Wednesday night.”

Is a New Trend Developing Regarding Critical Infrastructure?

In the midst of the current COVID-19 pandemic, cyberthreats, ransomware attacks and data breaches are all up around the globe. However, these cyberthreats appear more directed at destruction rather than on criminal activity to make money.

Back in June, this blog asked, "Is a 'Cyber Pandemic' Coming?" I included a quote from an article in The Jerusalem Post:

"The founder and CEO of Israeli cybersecurity firm Check Point warned Monday that the new reality created by the coronavirus pandemic will cause threats in the cybersecurity field to rise, and that countries need to protect themselves against the coming ‘cyber pandemic.’

“What happened in the last three months pushed forward five, maybe even 10 years of technological evolution,” he explained.

“More services moved online; companies removed barriers. We allowed developers to work just from within the company physically, so we could keep our intellectual property… In one day, we had to change all of that and allow people to access from home. This rapid change means hackers will find a way… The hackers can find a way to hack a personal computer of an employee and through them get into our Crown Jewels.”

The answer to that cyber pandemic question appears to be yes, if these frequent reports are accurate, and new examples emerge almost daily.  

There are differing views regarding whether global governments are ready for these attacks. This article lays out all that’s been done in Australia. Some of those items include:

• "Through amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the Act), the proposed laws will expand the current definition of critical infrastructure from only the physical protection of the gas, water, electricity and ports sectors to include healthcare, banking and finance, food and grocery, data and the cloud, defense, transport, space, energy and communications, education, research and innovation sectors. The Australian government, however, will in the longer term expect all businesses to take part in Australia's cybersecurity resilience;
• "The Act will be expanded to cover additional sectors to introduce new government assistance and direct action powers and will apply to owners and operators, regardless of ownership arrangements;
• "The Australian government proposes to have the power to impose obligations on companies to employ encrypted cyber defenses under a three-tiered ranking system of commercial assets and systems. In addition to the enhanced cybersecurity obligations, owners and operators of systems of national significance, as well as critical infrastructure entities regulated by the Act, will also be subject to a positive security obligation (PSO). The PSO will set and enforce baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk;
• "A voluntary code of practice will be implemented on the government's expectations for Internet of Things (IoT) consumer devices;
• "Legislative change may also have the potential to impact privacy, consumer and data protection law; and directors' duties;
• "A standing 'Industry Advisory Committee' will be established;
• "Significant funding commitments - specified in the Appendix of the Strategy Plan; and
• "The Strategy proposes the adoption of an approach, similar to that of the UK, where the government will work with the private sector to increase 'security by design."

Other nations are taking similar steps, and the overall critical infrastructure protection market is set to continue to grow rapidly through 2027.

Also this week, Wired Magazine released this article on 12 cyber threats that could wreak havoc on the election. The list includes ransomware, voter data manipulation, DDoS and many more items. Remember that the U.S. Department of Homeland Security (DHS) has declared election equipment and processes as part of critical infrastructure.

Final Thoughts

At the beginning of this month, this blog described how "DHS Works to Protect National Critical Infrastructure." I interviewed Thad Odderstol, deputy associate director of the National Risk Management Center.

The interview and sector reports linked described progress in the U.S. with plenty more work to be done. Nevertheless, the string of international security incidents and cyberattacks, along with the foreign nation-state attacks on the U.S. election infrastructure, make this question even more critical at the moment.

Just as in the pandemic, near-future events may determine if we are ready for a new round of cyberattacks against critical infrastructure.

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.