In fulfillment of one of his campaign trail promises, President Trump signed off on a new Cybersecurity Executive Order that places Critical Infrastructures, such as power grids, water and oil plants, directly in the national spotlight. The new Order, signed on May 11, 2017, builds upon previous orders signed in earlier administrations, but it also goes further, acknowledging the immediate urgency of fortifying these industries against cyber threats.
Under the Order, the executive branch is required to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure. The Order cites the need to identify “authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities” that are facing the “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
The security of Critical Infrastructure has long taken a backseat to other areas within Cybersecurity, but the reality is that it’s one of the most important topics requiring nationwide attention. While it's obvious that security must be a top concern for any company today, when it comes to the potential scope of impact that threats to our nation’s Critical Infrastructure carry, it’s easy to see why the President chose to focus on this area. This new Order requires the DHS, DOD and other agencies to assess the security posture of the nation's Critical Infrastructures - something which has long been missing.
Critical Infrastructures Lack Visibility and Security Controls
One of the biggest problems facing Critical Infrastructure providers is the lack of security controls in ICS environments. It's no secret that the ICS networks that power Critical Infrastructures tend to be based on older technologies that were not designed with security in mind. As such, they lack controls that can restrict access to authorized personnel and alert in real time on unauthorized activities. Moreover, they don’t provide event logs or audit trails that enable plant operators and security staff to track the activities performed in these environments - whether legitimate activities performed by employees, contractors and system integrators, or malicious acts performed by malware or an adversary that gained access to the network. The lack of visibility, along with inadequate security controls, makes these networks the perfect targets for attackers looking to cause large-scale damage.
The Risks to Critical Infrastructure
With the current atmosphere, Critical Infrastructure providers stand to face huge losses from the lack of clarity and awareness that's commonplace. These risks include:
- Physical damage to industrial equipment
- Flawed/unsuitable products
- Hazardous waste
- Environmental damage
- Risk to human lives
- Brand damage
- Legal costs
- Lapses in services and/or production
- Financial loss
Before dismissing these threats as hype, think about this: according to a report by IBM Managed Security Services, cyberattacks on Industrial Control Systems increased 110% in 2016. As targeted attacks continue to rise across the industry, we can no longer afford to ignore the reality. Risks like the recent WannaCry and Petya ransomware and the ICS-tailored malware CRASHOVERRIDE can wind up shutting companies down and can put people in danger.
Supporting Critical Infrastructure to Ensure the Safety and Security of Their Operations
For far too long, companies have been complacent, allowing themselves to remain passive regarding the risks they face. With the new Executive Order, companies are going to start to think long and hard about their current security posture and what they can do to ensure that they have adequate controls, not only on their perimeter, but internal controls as well, to help them respond with greater accuracy and agility to security events.
What the new Executive Order is bringing to the table is hopefully a new level of awareness in Critical Infrastructures that will drive the implementation of security controls. With this order, the industry can no longer ignore the threats. Accountability is built in and no one will want to come out with a failing grade. These new measures and the heightened awareness are important first steps towards making Critical Infrastructure more secure.