Critical Infrastructure provides basics in our daily lives including food, water, healthcare, communication and power to our country
Throughout the month of October we have been sharing important tips based on the Stay Safe Online campaign for National CyberSecurity Awareness Month. Some common themes run through each topic. The first is that each of us, as individuals, must take personal responsibility for our own cyber safety. The other is that these responsibilities include mindfulness when using technology, creating logins, interacting through the internet and, of course, sharing any information about ourselves.
I had not considered the interdependence of my daily activities with CyberSecurity until learning more about cyber safety through these tips. There are 16 sectors of critical infrastructure: they supply us with food, water, financial services, public health, communications and power. These systems are operated via the internet, so any disruption can potentially have a multitude of effects. Think back to the 2003 blackout or any major disaster you have experienced. When large areas are affected by power loss alone, there can be chaos.
Individuals and Organizations play a role in protecting Critical Infrastructure
The energy sector is right there every morning when your alarm wakes you up, as you make your morning coffee and breakfast and watch the morning news. Every time you use electricity, you are being supported by the nation's power grid. Cyber attacks on critical infrastructure can be catastrophic. In December 2015, a major power outage in Ukraine was attributed to a cyber attack initiated through a spear phishing email. This same method was used to breach several nuclear power plants, including Wolf Creek Nuclear Operating Corporation based in Kansas, with no details released regarding the impact of these attacks, motive or repercussions.
In November 2016, San Francisco's municipal railway was hit by malware. Hackers displayed a message on station screens: "You are Hacked, ALL Data Encrypted...". Luckily there was no impact on the transit service, safety systems or personal information of passengers. The same hacker was later linked to another attack.
Some estimates state that the US loses nearly 300 billion dollars a year from theft of intellectual property. Mo Hailong, a lawful permanent resident and employee of a China-based seed company, was convicted for his role in a long-term conspiracy to steal trade secrets from Iowa-based DuPont Pioneer and Monsanto. He successfully stole inbred corn seeds from a cornfield. 87% of farmers do not have a response plan if a security breach should occur at a company holding their data. Of those surveyed, only about one in 20 companies managing their information had presented a security-breach plan.
In September 2015, several attacks on fiber optic cables interrupted phone service for AT&T clients in Livermore, California. The attacker was nicknamed the "Fibre-optic ripper". This was the 12th attack of its kind on AT&T's network, and in response they offered a reward of 250 thousand dollars for more information on the attack.
Another example of a breach to critical infrastructure happened between 2015 and 2016 in the SWIFT banking messaging system. In this case, attackers were able to find vulnerabilities in the defenses of banks and use them to access their systems and ultimately gain access to their legitimate SWIFT credentials. Millions of dollars were stolen and these attacks were traced back to North Korea.
Critical infrastructure providers need to take cyber security seriously. They should follow industry-leading and standard frameworks to manage their security posture. This is where the importance of the NIST framework comes in. The NIST Cybersecurity Framework provides a common language for creating industry standards and best practices that guide businesses in understanding, managing and protecting against CyberSecurity threats. The approach has proven itself where the framework has been integrated across industries such as manufacturing, utilities, communications, financial services and transportation to manage risk. In 2015 the NIST framework was used by 30% of businesses, with use projected to reach at least 50% of private sector businesses by 2020.