Not If, But When: Critical Infrastructure Protection and Resilience
By Bill Brink
Let’s examine your morning routine. Your alarm blares. You turn on a light and brush your teeth. Perhaps you check the weather, scan your email and scroll through Instagram. Be honest.
Downstairs, you turn on the stove to fry some eggs before starting your commute. Lots of red lights today. After a quick stop at the ATM, you boot up your office computer.
Electricity, water, Internet access, heat, transportation, financial services – you needed them all within the first two hours of the day. Essential services like these are referred to as critical infrastructure, and they comprise the framework upon which we rely to live our lives. Their criticality makes them juicy targets for bad actors, who no longer have to attack them physically: These days, hackers can, and do, disrupt infrastructure with little more than an Internet connection. California hospital systems, Ukrainian power grids, the world’s largest supplier of beef, and Saudi oil companies have all fallen victim to cyber breaches.
“You don't need to be physically alongside someone to find a vulnerability,” said Randy Trzeciak, the Director of Heinz College’s Master of Science in Information Security Policy and Management program. “You could be across the world. And there are lots of threat actors that are willing to advertise their services for fees to exploit a target, if you are so inclined.”
Trzeciak also serves as the Deputy Director of Risk and Resilience in the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University. The SEI studies critical infrastructure software and cybersecurity, and works with government and businesses to protect it. Governments, companies and cybersecurity personnel who protect critical infrastructure should view the challenge as an iterative process. They must also battle the threat on two fronts, preventing cyber attacks while preparing contingency plans for the inevitable successful intrusion.
“For cybersecurity, it’s not a matter of ‘if.’ It’s ‘when,’” said Professor Brett Tucker, SEI's Technical Manager of Cyber Risk and an adjunct professor at Heinz College. “You can imagine that the tactics, the techniques, what our adversaries are using, are going to be effective some of the time. And to be honest with you, they don’t have to operate to the same moral values or standards as we do.”
What is critical infrastructure?
Everything society needs to function: energy, healthcare, food, water, transportation, communications, financial services, the military. In the United States, 15 Cabinet departments, the General Services Administration and the Environmental Protection Agency oversee 16 sectors of critical infrastructure. Threat actors, be they the intelligence services of nation-states, gangs of hackers interested in turning a profit or simply people who want to watch the world burn, understand the potential for chaos if they can disrupt or disable critical-infrastructure organizations.
A dam in New York state, Israeli water systems and San Francisco’s light-rail system have all found themselves victims of attacks. In 2021, hackers stole and encrypted data from Colonial Pipeline, which provides roughly half of the East Coast’s gas, diesel and jet fuel. This type of attack is called ransomware; Colonial eventually paid nearly $5 million in Bitcoin to get its data back.
Sometimes the adversary wants information rather than money. China hacked Lockheed Martin and stole intel related to the F-35 Lightning fighter jet. And sometimes the hacker wants to harm an adversary, as Russia has done repeatedly to Ukraine and its allies this year.
So how do those charged with protecting critical infrastructure prevent attacks? With good hygiene.
In the same way that showering and brushing our teeth keeps us healthy, making certain digital habits and procedures de rigueur will block a good chunk of attacks.
“There are just fundamental things you do so that you don’t stink, so that you don’t lose your teeth, if you will,” Tucker said. “And that could be a strong password, or it could be the fact that I use multi-factor authentication for all my log-ins.”
Protocols like erecting firewalls between different portions of a system, frequently backing up data and restricting user access all qualify as cyber hygiene. So does patching software in a timely manner, doubly important because of the way software is currently produced.
“Software vendors basically push the product out and patch them later,” said Rahul Telang, the Heinz College Trustees Professor of Information Systems. “If a car vendor had to recall a car and fix it, it would cost them money. But software, they’re perfectly OK with a bug recall because they can always patch it.”
“Software vendors basically push the product out and patch them later," Heinz College Professor Rahul Telang said.
Trzeciak referred to a phenomenon known as “Vulnerability Exploit Wednesday,” the day after the fourth Tuesday of the month when Microsoft releases its latest updates. Access points are now public knowledge, and if not quickly addressed, they become liabilities. Factors like the pandemic, which forced people to work from home on the same network as their unsecured smart fridge, exacerbated the issue.
“More and more adversaries are targeting home devices to create distributed denial-of-service attacks,” said Trzeciak, referring to the practice of commandeering computers and devices and directing their traffic toward a target network to overwhelm it and shut it down.
Effective cyber hygiene will stonewall lower-level attempts: A study sponsored by the government of the United Kingdom found that a popular UK protection plan blocked about two-thirds of attacks on small- to medium-size businesses. But eventually, critical infrastructure will find itself in the crosshairs of a bad actor who is well financed, well trained and patient. Like the Russian Foreign Intelligence Service.
Multiple layers of defense
SolarWinds, an information technology company based in Austin, Texas, produces an IT management system called Orion. More than 33,000 clients use the Orion platform, including the U.S. Departments of Treasury, State and Homeland Security; the National Nuclear Security Administration; and the Pentagon.
In 2020, Russian intelligence hacked it. They inserted malicious code into legitimate software updates and, once those updates were installed, finagled access to 250 different networks.
“If you want to disrupt critical infrastructure, it’s really hard to attack all the tier-one targets,” said Matt Butkovic, a Heinz College professor and the Director of Cyber Risk and Resilience Assurance in the CERT Division of the Software Engineering Institute. “Well, you attack all the tier-two targets, tier-three targets, to use them to attack the tier-one target.”
This strategy is why all sectors of critical infrastructure, from nuclear power plants and the defense industrial base down to the local water and sewer authority, must prioritize both protection from attacks and resilience for when they occur. One size does not fit all. Fortune 50 banks possess more resources to devote to the issue than a hydroelectric dam in Oregon, but the same principles apply to both.
Securing critical infrastructure requires vigilance in a dynamic threat landscape. Cybersecurity will never be solved, right? So we shouldn’t look at it as a solvable problem.Matt Butkovic, Heinz College professor and the Director of Cyber Risk and Resilience Assurance in the CERT Division of the Software Engineering Institute
Hundreds of protocols exist. Their developers christened them with names like FIPS 199 and SP 800-53, opaque to the point of being humorous. Thankfully, Hollywood simplified the concepts for us.
Think of the defenses of Winterfell in Game of Thrones: Dothraki horsemen with flaming swords, trenches, spikes, dragons. Or the underground chambers in Harry Potter: Intruders had to play chess, subdue a troll and pass a deadly potion test to enter. It’s called “defense in depth,” and secure organizations protect themselves with a digital version of it.
“What’s most important should be protected with multiple layers of defense, and multiple layers of detection capabilities as well,” Trzeciak said.
Deploying defense in depth requires organizations to identify their most valuable asset. Is it a product? Information? A service? A physical location? Cyber defenses must be structured to slow a successful attack enough to relocate the crown jewels, or shut down the system and engage a backup.
“The best option is to have a plan,” Telang said. “If something goes wrong, do you have an alternative mechanism to get running?”
In 2005, Alessandro Aquisti and Ralph Gross used facial-recognition software to examine photos mined from social media and dating sites. They linked faces with names, and, drawing upon their previous research on the predictability of social security numbers, they inferred SSNs from faces. They didn’t always get all nine numbers, but they got enough that a strong computer could brute-force its way to the answer.
Research by Heinz College Professor Alessandro Acquisti has revealed the ease with which sensitive information can be inferred.
Imagine this method applied to an employee with high-level access to a sensitive aspect of a critical infrastructure organization. Hackers might not have to storm the castle if they can find someone with the key.
“An attacker may start from two or three pieces of data,” said Aquisti, the Trustees Professor of Information Technology and Public Policy at Heinz College. “Each of them is not particularly sensitive, not even uniquely identifying, but the combination of these pieces of information – once you link them together – becomes uniquely identifying and becomes so sensitive.”
This technique is called “whaling”: targeting someone with broad access, either with a phishing email or by triangulating their publicly available material.
“Some information might lead the attacker to be able to answer challenge response questions,” Aquisti said.
Now for the scary part
Surely in the year 2022, battalions of software engineers are pouring over the ramparts to help, taking advantage of the ubiquity of cyber and the salaries that come with it. Right?
“We’re finding that there’s not enough cybersecurity professionals,” Trzeciak said. “There are some estimates that project up to a million unoccupied jobs globally in cybersecurity today, projected to increase in the next three to five years.”
More important to critical infrastructure than the code underlying the defenses is the human who wrote it. Every 100,000 lines of code contain an estimated seven errors; heaven knows how many undetected vulnerabilities exist. Cyber defense also necessitates strong organizational design.
“People try to answer it with more technology,” Tucker said. “And I think that’s where Heinz actually can deliver greater value, because we are teaching our students not only the technology and how to leverage it, but we also emphasize the importance of good policy.”
Tucker wrote a process model for the Software Engineering Institute called OCTAVE FORTE (FOR The Enterprise) to help organizations evaluate their risks and bridge the gap between executives and practitioners. Heinz College partnered with Chubb Insurance to create the Cyber COPE Insurance Certification Program, designed to teach insurance agents the best practices in cybersecurity risk management, governance and operations.
Butkovic and his colleagues created the Cyber Resilience Review for the Department of Homeland Security, and the ES-C2M2, which stands for Electricity Subsector Cybersecurity Capability Maturity Model, for the Department of Energy. Last March, Heinz College partnered with DHS to create “Hacking for Homeland Security,” which provides students the opportunity to work on a real-world challenge with DHS’s Cybersecurity and Infrastructure Security Agency.
Despite the efforts of the best and the brightest in Silicon Valley and elsewhere, the challenge of protecting critical infrastructure continues to grow.
“Securing critical infrastructure requires vigilance in a dynamic threat landscape,” Butkovic said. “Cybersecurity will never be solved, right? So we shouldn’t look at it as a solvable problem.”