Supply Chain Attacks and Critical Infrastructure: How CISA Helps Secure a Nation's Crown Jewels

Supply Chain Attacks and Critical Infrastructure: How CISA Helps Secure a Nation's Crown Jewels
What is Critical Infrastructure and Why is It Attacked?

Critical infrastructure is the physical and digital assets, systems and networks that are vital to national security, the economy, public health, or safety. It can be government- or privately-owned.

According to Etay Maor, Senior Director Security Strategy at Cato Networks, "It's interesting to note critical infrastructure doesn't necessarily have to be power plants or electricity. A nation's monetary system or even a global monetary system can be and should be considered a critical infrastructure as well."

These qualities make critical infrastructure a preferred target for cyber attacks. If critical infrastructure is disrupted, the impact is significant. In some cases, such cyber attacks on critical infrastructure have become another means of modern warfare. But unlike classic warfare, in these conflicts civilians and businesses are in the front line and become the targets.

Just a handful of recent prominent examples include attacks against Ukraine's power grid in 2015, the intrusion of the business network of Kansas's nuclear plant in 2018, and North Korea attempting to hack the SWIFT network to steal more than $1 billion. Not to mention the infamous Colonial Pipeline attack, which has become the poster child of critical infrastructure attacks.

Yet the goal of the attacks could vary. While some are indeed a way to prepare for future conflicts by testing capabilities and defenses, others might be motivated by financial gains, an attempt to steal data, gaining remote access or control, or disrupting and destructing services.

Etay Maor added "It's not just nation states who attack. It could also be cyber criminals who are looking to make a monetary gain or hacktivists."

How Critical Infrastructure is Attacked

There are a few types of attacks used on critical infrastructure. The main ones are DDOS, ransomware (through spear phishing), vulnerability exploitation, and supply chain attacks. Etay Maor commented: "Some of these techniques are harder to stop because they target humans and not technologies."

Spotlight: Supply Chain Attacks

Supply chain attacks are a key way to attack critical infrastructure. Just like bombings in WW2 targeted factories that provided supplies to the military, supply chain cyber attacks target the nation's critical infrastructure suppliers.

Etay Maor recalls, "I was at RSA security when they were hacked. I remember where I was sitting and what I was doing when I realized there was an attack. The internet went down and all the services started shutting down."

RSA was hacked not in an attempt to gain access to its own network, but rather as a way to breach government and military agencies, defense contractors, banks, and corporations around the world that kept their secret keys with RSA.

How to Protect Critical Infrastructure

One of the misconceptions of cybersecurity is that the more security products are employed, the better the security. But layered security that is made up of too many products could be counter-productive.

Per Etay Maor, "We ended up adding so many security products and processes into our systems in the past five-six years. What we did was add more fat, not muscle." The result of the dozens of integrated security products? Friction, especially when trying to correlate information from them.

Gartner tends to agree: "Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete."

The Role of CISA

The potential severity of attacks on critical infrastructure has driven nations to establish a cyber defense organization to defend their critical assets, and prepare for conflicts.

CISA (Cybersecurity and Infrastructure Security Agency) is the US's risk advisor. They provide support and strategic assistance to the critical infrastructure sectors, with a focus on Federal network protection. By partnering with private sector partners and the academy, they are able to provide proactive cyber protection.

Some of the key areas CISA focus on are coordinating and communicating cyber incident information and response to provide support, securing the dot-gov domain, assisting in protecting the dot-com domain to help the private sector, assisting in securing critical infrastructure, and painting a common operational picture for cyberspace.

One of the programs CISA is leading is the Cybersecurity Advisor Program. The program provides education and training for cybersecurity awareness. The advisors can help organizations by evaluating critical infrastructure cyber risk, encouraging best practices and risk mitigation strategies, initiating, developing capacity and supporting cyber communities and working groups, raising awareness, collecting stakeholder requirements and bringing incident support and lessons learned.

Building Cybersecurity Resilience

Cybersecurity resilience is key to preventing critical infrastructure attacks. Such resilience emerges from the actions organizations take. This includes activities like responding to adverse incidents and gaining visibility into the network, for example knowing which ports and services should be running and whether they are properly configured.

There are many misconceptions regarding the ability to build cyber resilience. Here are a few and how they re disputed:

  • Claim: Resilience requires a big budget.
  • Fact: Organizations don't need a big budget, they need to fine-tune the solutions they have.
  • Claim: There's a silver bullet cybersecurity solution.
  • Fact: The organization's focus should be on getting the "101" methods and practices in order, like network visibility and employee training.
  • Claim: We won't be targeted.
  • Fact: No organization is too small.
  • Claim: There's too much work to be done.
  • Fact: Nevertheless, it's important to research the solutions based on your own priorities.
  • Claim: It's not our responsibility.
  • Fact: Everyone is responsible
  • Claim: The government will save us.
  • Fact: The government's ability to succeed is based on the partnerships with the private sector and that sector's active participation in securing themselves.

To get started with building your own resilience, answer these three questions:

1. What do I know about the adversary?

For example, who the attackers are, how they operate, etc.

2. What does the adversary know about me?

In other words, which part of my network is exposed?

3. What do I know about myself?

The answer to this question provides information about what the network looks like and where it is vulnerable. In other words, this question is about gaining visibility into your own network.