Addressing the Threat to Critical Infrastructure
One only needs to scan recent headlines to understand that the threat to U.S. critical infrastructure is pervasive, persistent, and a significant national security concern. A U.S. energy company lost more than $1 billion in shareholder equity and half of its global workforce after its proprietary technology was stolen by a Chinese firm. A global maritime company that transports much of the world’s shipping cargo was brought to its knees for days, and lost more than $300 million, after Kremlin-backed hackers implanted malware in accounting software belonging to an unrelated company in Ukraine. The popular software cleanup tool CCleaner was victimized by a massive, worldwide attack on its software supply chain that infected 2.2 million customers with a backdoor; the hackers then specifically targeted 18 companies, including Google, Microsoft, Sony, and Intel. These examples underscore the escalating asymmetric attacks against companies in critical infrastructure areas such as the financial, energy, information technology, and communications sectors.
Such destructive attacks are often carried out by hostile foreign intelligence services that execute blended operations, fusing attacks in four areas: cyber technology; supply chains; cyber-physical (cyber systems that control physical functions such as power stations); and people, either witting or unwitting. China, Russia, Iran, and North Korea pose the greatest cyber threats to the United States. Advances in technology such as wireless and the Internet of Things introduce new vulnerabilities, increase the risk of compromise, and provide adversaries more venues for attack.
Innovative technology is being built and fielded at an unprecedented rate with little or no security protection. The complexity of technological advances—both in the tools themselves and the methods used to compromise them—requires a much greater technical and cyber awareness and new cybersecurity mitigations than what was required even five years ago. In mitigating these risks, it’s important to understand that threats to cyberspace and the supply chain are often intertwined. There is a cyber threat to your supply chain and a supply chain threat to your cyber operation. Attacks occur throughout the supply chain life cycle—development through sustainment.
Continuous review of the enterprise-wide security posture is essential
Small companies can be a vulnerability for the larger companies they support. Small companies often lack funds for robust cybersecurity, can represent a single point of failure, or unwittingly enable adversaries to move laterally to higher-value targets in the supply chain. I recommend organizations designate a single individual—a “Chief Risk Officer”—to supervise the enterprise-wide security effort, incorporating human resources, acquisition, security, information technology (IT) systems, training, legal, and other appropriate personnel. It’s important for the Chief Risk Officer to determine what matters most to the organization by identifying and prioritizing the organization’s “crown jewels”—information and assets that, if damaged, destroyed, or stolen, would significantly harm the enterprise (e.g., products, production techniques, software, and customer information)—and then protect them. Organizations need to emphasize “security hygiene” by using the latest IT operating systems, which typically include updated security features. Employees should use strong, unique passwords and change them regularly. And always avoid the temptation to open email attachments or click links from unknown senders.
Insider threat programs within organizations can identify anomalous behavior, contextualize it, and facilitate an appropriate organizational response. As part of an insider threat program—and consistent with policy and applicable privacy and civil liberties laws and regulations—an organization may wish to monitor user activity on all IT systems. While an enterprise audit watches IT activity, the purpose of monitoring user activity is to identify and contextualize anomalous human behaviors indicative of problems beyond the systems, including threats to organizational resources, self, or to others.
It’s also important to remember that employees can pose a threat even after they’ve left the organization, which is why it’s prudent to implement formal out-processing procedures. These can include exit interviews to assess an employee’s potential risk to the organization, a written reminder to the individual about residual security responsibilities, and, most importantly, terminating access to facilities and network accounts.
Essential to protecting critical infrastructure is engaging the workforce to create a culture of awareness of everyone’s role in protecting the organization. Leaders need to effectively address poor management practices, strive to reduce unnecessary stress in the workplace, and actively promote a sense of organizational citizenship. Additionally, it’s vital that an organization’s policies are consistent with current privacy laws and protect the legal rights and civil liberties of the workforce.
Finally, continuous review of the enterprise-wide security posture is essential. Organizations should conduct tabletop exercises to develop and run an “insider-driven” worst-case scenario and—based on lessons learned—improve internal processes. It is imperative that we raise awareness about the vulnerabilities of our critical infrastructure. You can find out more about how to address the threats and learn more about the National Counterintelligence and Security Center online at NCSC.gov.