DHS Pushed for Critical Infrastructure Protection

TUESDAY, APRIL 12, 2022


The U.S. Government Accountability Office recently released a report urging the Department of Homeland Security to take action to better protect the nation’s critical infrastructure. The GAO notes in its report that while most critical infrastructure is privately owned, it is vital for the public and private sectors to work together to protect it.

“The nation's critical infrastructure consists of physical and cyber assets and systems that are vital to the United States. Their incapacity or destruction could have a debilitating impact on security, national public health and safety, or national economic security,” wrote the GAO.

“Critical infrastructure provides the essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Protecting this infrastructure is a national security priority.”

According to the GAO, utilizing high-risk updates from September 2018 and March 2021, four major cybersecurity challenges that the federal government faces have been identified:

  • Establishing a comprehensive cybersecurity strategy and performing effective oversight;
  • Securing federal systems and information;
  • Protecting cyber critical infrastructure; and
  • Protecting privacy and sensitive data.

Additionally, the report calls on the Cybersecurity and Infrastructure Security Agency to take actions to improve its priority setting efforts for the protection of critical infrastructure. Last month, the GAO released six recommended actions for CISA to prioritize assets and systems for protection efforts in the National Critical Infrastructure Prioritization Program:

  • Improve its process for identifying critical infrastructure priorities to better reflect current threats;
  • Seek input from states that have not provided recent updates on identifying critical infrastructure;
  • Involve stakeholders in the development of the National Critical Functions framework;
  • Document goals and strategies for the National Critical Functions framework;
  • Improve efforts to coordinate cybersecurity services; and
  • Share regionally specific threat information.

Through the National Critical Infrastructure Prioritization Program, CISA identifies a list of systems and assets that would cause national or regional catastrophic effects if destroyed or disrupted. The list is updated annually and used to inform the awarding of preparedness grants to states.

However, concerns were raised over the program earlier this year when GAO spoke to CISA and other critical infrastructure stakeholders, stating that the results were of little use and the relevance of criteria used to add critical infrastructure to the list was questioned.

In total, GAO reports it made 11 recommendations to DHS, which the department intends to implement by the end of 2022. These include completing CISA transformation activities and ensuring effective guidance and support from sector risk management agencies.

“We have long stressed the urgent need for effective cybersecurity to protect critical infrastructure, as underscored by increasingly sophisticated threats and frequent cyber incidents,” wrote Chairwoman Yvette Clarke, Ranking Member Andrew Garbarino and members of the subcommittee.

“Recent events— including the ransomware attack that led to a shutdown of a major U.S. fuel pipeline, cyber threat actors who obtained unauthorized access to a U.S. water treatment facility in an attempt to increase the amount of a caustic chemical that is used as part of the water treatment process, and a cyberattack campaign again U.S. government agencies and other entities—have illustrated that the nation’s critical infrastructure continues to face growing cyber threats.”

The full report can be viewed here.

Recent Cyberattacks on Infrastructure

In February last year, a water treatment plant in Oldsmar, Florida, reported that a hacker had breached its computer networks and changed the level of sodium hydroxide from 100 parts per million to 11,000 per million.

Sodium hydroxide—also known as lye—is commonly used at water treatment plants to control the acidity of drinking water and remove metals. However, too much of the chemical can make the water dangerous to drink.

After it appeared that the hacker had left the system, the operator immediately returned the sodium hydroxide to the previous levels, ensuring that no harm would come to the public or the drinking water. However, to put local residents at ease, Gaultieri noted that even if the operator hadn’t been present, the issue would have been caught during a secondary chemical check when the water is moved to holding tanks.

Since the incident, Oldsmar local authorities alongside the Federal Bureau of Investigation and the U.S. Secret Service have been investigating the hack. At the time, investigators were unsure if the hacker originated within the U.S. or somewhere outside of the country.

In the past year, American cybersecurity firm Mandiant told Bloomberg that hacker attacks against industrial systems have increased, with hackers mostly engaging in limited-impact operations. Other experts have pointed out that industrial control systems have become more of a target since its transition in becoming more interconnected within the OT environment and connected to the IT environment as well.

The increase in vulnerability is also attributed to the shift of operations to more remote environments in wake of the ongoing coronavirus pandemic.

To mitigate these issues, President Biden noted on increasing cybersecurity, noting that the Department of Homeland Security issued 25 advisories listing various industrial control systems that could be vulnerable to hacking.

By April, Neuberger told reporters that the government was undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks. The goal is to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity.

Following that announcement, the White House launched a 100-day initiative aimed at protecting the country’s electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks.

While additional measures are being taken, other industry leaders have reported that they’re disappointed, however not surprised by the uptick in attacks.

A few months later, on May 7, Colonial Pipeline reported that it was the victim of a ransomware attack on its corporate computer systems. Slightly different from an average cyberattack, ransomware attacks are usually conducted by criminal hackers who scramble data with an encryption and paralyze victim networks. The hackers typically leave instructions on the infected computers and/or demand a large ransom payment in exchange for decryption codes.

Following the attack, private cybersecurity firm FireEye/Mandiant was hired to manage the incident response investigation. Although, the Federal Bureau of Investigation had already confirmed DarkSide ransomware as the ones responsible for the attack.

At the time, Cybersecurity technology company Cyberreason also weighed in on information about DarkSide, noting that the organization is newer but had previously targeted domain controllers using double extortion methods, meaning that they encrypt data of the target, while also exfiltrating data threatening to make it public.

As a result of the incident, Colonial Pipeline reported that some of its company information and technology systems were affected. In a statement, the company noted that once it realized what was happening, it moved proactively to move systems offline and halted its pipeline operations, which transport more than 100 million gallons a day.

On the morning following the attack, the White House reported that President Joe Biden was briefed on the incident and that federal government agencies ranging from the Department of Energy to the Transportation Security Administration would also be working with Colonial Pipeline and the Cybersecurity and Infrastructure Security Agency to assess the implications of the attack, restore operations and avoid disruptions to the supply.

In additional efforts to help mediate any potential supply issues, the Biden administration issued an emergency waiver extending hours for truck drivers delivering fuel across 17 states, including several across the southeastern U.S. that depend on the pipeline for fuel. According to additional reports, the government was also planning to conduct various scenarios and work in conjunction with state and local authorities.

The following Sunday, Colonial Pipeline was reported to have restored some smaller, lateral lines between terminals and delivery points. On Monday, the company resumed limited shipments, delivering fuel from North Carolina to a terminal in Maryland under manual controls while existing inventory is available.

Contrary to reports that followed the ransomware attack story saying that Colonial had no intentions of paying and extortion fee, that Friday the pipeline company submitted to paying DarkSide nearly $5 million (75 Bitcoin) in order to restore the country’s largest fuel pipeline.

According to reports, in an effort to get gasoline and jet fuel flowing again to major cities along the East Coast, Colonial paid the ransom in a difficult-to-trace cryptocurrency. Once accepted, DarkSide provided Colonial with a decrypting tool to restore its disabled computer network.

Around 5 p.m. that Wednesday, fuel shipments were officially resumed to normal operations.

In January, a U.S. senior administration official announced that Russia's domestic intelligence agency has arrested the hacker responsible for the attack. Multiple people were reportedly detained who were associated with REvil, the type of ransomware that caused the attack.

Recent CISA Guidance

In January, CISA, the FBI and the National Security Agency issued a joint Cybersecurity Advisory warning of Russian cyber threats to critical infrastructure in the United States.

The CSA provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques and procedures, and provides detection actions, incident response guidance and mitigations. The agencies encourage critical infrastructure cybersecurity communities to “adopt a heightened state of awareness” against the threats.

While no specifics about the threats were mentioned, the CSA was released “to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats.” The release outlines several mitigation strategies to reduce risk of compromise, including:

  • Be prepared: Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain and exercise a cyber incident response plan, resilience plan and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline;
  • Enhance your organization’s cyber posture: Follow best practices for identity and access management, protective controls and architecture and vulnerability and configuration management; and
  • Increase organizational vigilance: Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

According to reports, the guidance arrived after White House National Cyber Director Chris Inglis testified before Congress in November that there was a “discernible decrease” in the number of cyberattacks against U.S. companies that could be traced back to Russia, with no clear reason behind the decrease.

Multiple cyberattacks by Russia-based groups against U.S. companies happened last year, including against Colonial Pipeline, meat producer JBS USA and IT group Kaseya.

On Feb. 18, the CISA released a new Insight, “Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure,” providing owners and operators guidance on how identify and mitigate the risks of influence operations that use mis-, dis- and malinformation (MDM) narratives.

According to the release, recently observed foreign influence operations abroad how quickly these techniques can be employed to target and disrupt U.S. critical infrastructure and interests. CISA says that the document is intended to raise awareness, outline steps to mitigate the effects of MDM and implement an MDM incident response plan.  

On Feb. 26, CISA and the Federal Bureau of Investigation issued a joint Cybersecurity Advisory guiding organizations on how to detect and protect their networks from destructive malware. These malwares, WhisperGate and HermeticWiper, were both used to target organizations in Ukraine.

CISA recommends that organizations assess and bolster their cybersecurity, while there is no specific threat to the U.S. at this time, by:

  • Enabling multifactor authentication;   
  • Setting antivirus and antimalware programs to conduct regular scans;   
  • Enabling strong spam filters to prevent phishing emails from reaching end users;   
  • Updating software; and   
  • Filtering network traffic.

In addition to the CISA Insight and advisory, the agency has updated its “Shields Up” webpage to include new services and resources, including recommendations for corporate leadership and actions to protect critical assets. The technical guidance page details other malicious cyber activity affecting Ukraine, with resources to assist organizations against these threats.

   

Tagged categories: Government; Infrastructure; Infrastructure; NA; North America; Program/Project Management; Project Management; Safety; Security; Technology

Join the Conversation:

Sign in to our community to add your comments.