SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I'm your host, Servaas Verbiest, and today I'm joined by Matt Parsons, Director of Network and Security Product Management at Sungard Availability Services, and we're going to be talking about U.S. critical infrastructure and cybersecurity.
Matt, it's a pleasure to have you back on the show again.
MATT PARSONS (MP): Thank you, Servaas. Always a pleasure.
(SV): Awesome. I know this is a topic that's near and dear to your heart given some of the things we've seen recently with the attack on the Colonial Pipeline with ransomware, an attack that JBS experienced, and really just from an industry perspective, the influx of activity we're experiencing with customers coming to us to talk about how they can mitigate against cyber threats like this. You're even seeing the government step in, in certain circumstances.
There's a new enhanced cybersecurity for water systems component that we've seen present in January. We're even seeing the Strengthening American Cybersecurity Act of 2022, which specifically talks about how critical infrastructure must report cybersecurity acts within 72 hours and ransomware payments within 24 hours to the CISA, which is an acronym that I didn't even know before I read that article, frankly.
The administration is urging critical infrastructure to even harden their cybersecurity posture further than they have in the past. Now, with the looming threat of cybersecurity attacks on U.S. critical infrastructure being very prevalent given current events and some of the other components that we've already covered, what has been the most concerning component about these recent attacks?
(MP): For me, I think what's most concerning is the reality that our critical infrastructure is not secure and knowing the potential impacts a breach could have. With critical infrastructure, it's not just a single company or set of users that are impacted. There are financial, operational, even safety and health impacts that could potentially impact millions of people.
For example, the Colonial Pipeline services almost half the fuel for the East Coast. There were tons of outages and disruptions due to the fuel shortage. It impacted the airline industry. There were a number of health and safety warnings issued due to people stockpiling fuel and storing it in plastic bags.
JBS - the meat processing company - they supply one-fifth of the meat globally. They were shut down for about a week. They were the largest of only four producers of beef in the United States. And consider an attack on power infrastructure. Even though this wasn't a ransomware cyber incident, you look at the Texas winter storms as a litmus test that caused $195 billion of damage and over 200 lives lost because of that power outage.
So if you were to look at a perfect storm of a coordinated attack, where maybe the power, food and fuel critical infrastructure were hit simultaneously, you can imagine the financial and health impacts that would have on millions of users, and I think that's what's really most concerning to me.
(SV): There's no denying that, given the way the world has evolved, approaching strategic cyber warfare on critical infrastructure could put a nation in a position where, with focus divided, maybe they're easier to contend with. But I don't like to assume that's the only reason why these infrastructure entities are frequently targeted.
Would you say it's solely the payout that they would receive if an attack goes well or do you think there are other things that come into play, like the attack surface that's exposed or the vulnerabilities that these organizations may have?
(MP): There are a number of reasons why an organization could be targeted. Obviously, with a larger organization, there's going to be just more digital infrastructure and footprints that would allow more attack vectors that could expose them to hacks and breaches. I think specific to critical infrastructure, financial incentive is really a big, big target.
Hackers are very smart about who they target and how their time is invested. They are most certainly looking at industry, company revenue, potential impact, if they have cyber insurance, what their coverage is, to really pick out targets, who they try to attack and how much they think they can get out of them.
For example, the Colonial Pipeline paid out $4.4 million. JBS ended up paying out $11 million. So anytime you've got a very widespread, especially critical infrastructure type breach that you can deploy, your chances of getting a payout on that are going to be significantly higher than any other normal company.
(SV): While I can understand, it's just business and even if there are political or other implications that impact a country's ability to support what it needs to, I'm sure there are components that make these pieces of critical infrastructure more vulnerable, right? What really puts them in a position where they are the most exposed?
(MP): I think you touched on that earlier in that they are very large. By nature, they’re going to have a lot of digital assets, a large sprawl of different applications and systems, which just widens the attack vector. A lot of critical infrastructure also has a number of outdated systems. There are very old archaic pieces of hardware applications, which in and of itself, pose a greater risk for breaches and attacks. And really just the historic lack of regulation requiring security and processes around those infrastructures is kind of what has hurt them the most.
(SV): I won't deny that that makes for the perfect cocktail of vulnerability to put that flag up that says, “target me here.” But would you say that maybe there are some cultural or policy-based components inside an organization where, maybe they view it as, “hey, it's not broken, so let's not worry about it.” Or, “hey, let's adopt a model of M&M security where it's hard on the outside but soft in the middle, just because that helps us work within our budgets.” Or maybe is it something else?
(MP): No, absolutely. You're gonna see a lot of cases where if it's not broke, don't touch it. A lot of folks think if the outside is secured, the inside is secure, which is absolutely not the case at all.
(SV): Let's say you were in a position where you were working for one of these large providers of critical infrastructure. Where would you start? Because I have to imagine it's a pretty daunting task if you're trying to shore up the common vulnerabilities that will have the biggest impact during a cyber event.
(MP): I think you have to start with a framework that can guide you holistically throughout the whole process. One of the more popular frameworks out there is the NIST cybersecurity framework, which breaks it out into a couple of different components. The first one is identify. You want to identify what processes and assets need protection. What data do you have and what critical infrastructure is important? Once you understand the threats and vulnerabilities and what systems you have, then you can move into protecting what you've identified.
Protection involves people, process and technology. So the technology side of it is going to be things like firewalls, IDS and IPS protection, web application firewalls, encryption, two-factor authentication, file integrity monitoring. These things in the security industry, you would think are normal everyday things you would see, but they're not common.
The Colonial Pipeline hack actually was caused by a breach from a password that was compromised for a VPN user account. There was no two-factor authentication in there, which would have been able to prevent that hacker from getting in, whether the password was compromised or not.
On the process side of it, you want to make sure you've got best practices such as a zero trust model, you've got extensive network segmentation and change controls around all the security and network changes. On the people side of the house, you want to make sure that they're trained, that they’ve gotten awareness on email phishing, password policies, using VPNs on secure public networks and things of that nature.
Behind the protect side of it, then there is the detect. We know that you can put all of the protection mechanisms in place, but it's not going to necessarily stop everything from getting in. You want to have a very good logging and managed detection and response framework to detect anomalies in the network, user behavior, abnormal logins, processes.
This is a big piece of what the new regulations that the government came out with hit on. Just a quick list of some of the things I saw in that documentation: log retention and review, mandatory penetration testing, ongoing threat hunting, automation reports, SOC, ransomware vulnerability warnings and ransomware threat mitigation activities. For a lot of these things, they’re realizing that they should be a part of every organization's framework, especially critical infrastructure.
Behind detect, there's response. You want to have an incident response team or a plan of action so that if something is detected - there is a bit of abnormal traffic or something else odd - you've got the ability to quickly react to it, sandbox, isolate and mitigate any future spread of the breach.
The last piece of it is recover. You want to ensure that, in the worst-case scenario, if someone happens to click that bad link or you get hit by that random zero-day, that you've got off-site, immutable backups that are sandboxed. You can bring those up in a clean, white-glove type environment where you can do forensics, weed out any malware or patch any holes or attack vectors that were found and then bring all of that recovered environment up in a clean bubble.
(SV): Those are all good components when it comes to framework and training and tools and technology because there is no silver bullet. But what comes up pretty consistently, and I think is the most challenging piece of this, is that people element. Beyond training, instilling a culture that supports a good security framework. Typically the end user doesn’t get excited about the zero trust ladder or one more piece of technology that they have to touch in order to get into something that slows down access. So if you don't mind, in as concise a fashion as you can, how would you recommend addressing that cultural component?
(MP): I think awareness is becoming more and more profound with security. Not only with users and being more aware of what they're clicking on and what they're opening but even at a CEO, executive and board member level. In the past, they often viewed security as a cost, an unnecessary cost that drained and impacted revenue. Whereas nowadays, there has been more of a shift to executive leadership and board members asking about and wanting to invest dollars into security, not as a cost model, but as a way to protect the other 98-99% of their revenue.
There's definitely been a shift in the industry and the people side of it that recognizes the criticality for security.
(SV): That makes a ton of sense because now, to your point, it is a value add or even a strategic selling point, given the criticality of the services and even the data that's captured. It’s coming up more prominently in investor meetings and really being incorporated into a roadmap to build an organization, to the point where they're going to capture a greater share of the market and be viewed as an industry leader that a consumer feels comfortable consuming their services.
Matt, I really appreciate the way that you ran through the critical infrastructure and how it relates to security and tried to break down some good takeaways for the listeners of the podcast to incorporate when they start to consider how they’re going to tackle this problem. Matt, once again, I thank you for taking the time to join us on the podcast.
(MP): Thank you Servaas. It's always a pleasure.
(SV): That was Matt Parsons, Director of Network and Security Product Management at Sungard Availability Services.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.