    Shoring up defenses for power grids, water treatment plants and many other vital services will require deep understandings of networks and a massive team effort.

    Power grids, water systems, transportation networks and other vital services are essential to communities but lack substantial cyber defenses. Their vulnerabilities make them tempting targets for nation-states and cybercriminal groups.

    Volt Typhoon, a Chinese state-sponsored hacking group, already has footholds in multiple networks operated by critical infrastructure organizations, with plans to move laterally into other networks, according to a recent warning from the Cybersecurity and Infrastructure Security Agency (CISA). The group disguises its moves and facilitates attacks with a botnet of thousands of compromised internet-connected devices—but it's only one party going after critical infrastructure.

    "The uptick in threats is because it's an easy target and impacts a lot of people. So rather than go after the hard target, they're going to go after these," Tony Parrillo, Schneider Electric's Enterprise IT Global Head of Cyber Security, said.

    Parrillo joined Claroty Regional Vice President of Public Sector Heather Young and OneNetworkConnection Founder Vice Adm. Timothy White for a panel discussion at the 2024 Axonius Adapt conference to outline how organizations can better protect critical infrastructure.

    Understand the Threat

    CISA says Volt Typhoon accesses IT networks to "pre-position" its malware so that it can disrupt OT assets, with physical-world impact, in a future mission. Defending critical infrastructure will therefore require an inventory of, and visibility into, everything that touches IT and OT networks.

    "Our pump systems for water filtration, our electric grids, even our emergency response systems, they could potentially—and most of them do—connect to networks," Young said. "And these networks are sprawling."

    Assets can be spread geographically on decentralized networks operating mixes of legacy equipment and the latest technology. Schneider Electric, for example, has been manufacturing generators and other power grid products since 1830, and its equipment is used in 30% of buildings worldwide. Schneider aims to do its part by delivering products with up-to-date security patches, according to Parrillo. Whether devices remain secure depends on customers properly configuring devices and maintaining them.

    "We all have to work together, and we all have to raise our game because they're always going to hit the weakest link," he said.

    Know the Adversary's Mindset

    "It's a little too much like Hollywood to say that a 13-year-old in the basement somewhere around the world can achieve effects at scale inside the United States, but it is technically absolutely possible," White, a former commander of U.S. Fleet Cyber Command and U.S. Tenth Fleet, told the audience.

    Nation-state adversaries such as China, Russia and Iran view cyberattacks on critical infrastructure as valid military objectives. They invest resources in gaining access to these systems in order to project power and hamper rivals.

    "Our adversaries have really taken the approach of collective offense," Young said. "That puts us in a position where we have to constantly be on defense."

    Get Buy-in for Cyber Priorities

    For too long, IT and OT systems security has been an underfunded afterthought instead of a strategic priority. "It's usually a cost center," White said. "It's not viewed as something that is necessary to the enterprise or the mission."

    However, leaders often green-light security investments once they understand that cyber incidents could pose existential threats to their organizations. Parrillo suggested listening to the perspectives of cross-functional leaders and explaining risks in terms familiar to their area of focus. For example, research and development teams often drive a company's next big initiative. Lax cybersecurity standards could allow that intellectual property to be stolen and sold for pennies on the dollar compared to the company's investment.

    A single IT team can't defuse every threat. It's important to build relationships across the organization to raise awareness of cyber issues and of best practices for minimizing them.

    Build a Bigger Team

    Cybersecurity as a team sport isn't new, but the panelists suggest building a bigger team through close partnerships with outside groups. Federal agencies such as CISA and the Energy Department provide best practices and vital intelligence and coordinate incident response efforts.

    "They are the only way that we can get a lot of corporations, utilities, manufacturers such as myself, etc., to work together and get in the same room and understand what the impacts will be and how we need to work together in the case of an emergency," Parrillo said. 

    Other public-private partnerships like information sharing and analysis centers (ISACs) can be valuable allies, but so can people who normally would be competitors, according to White. During his time at the Cyber National Mission Force, White saw the power of teams of "competi-mates" exchanging information to build a shared awareness of incidents.

    "They come to you with Army camouflage or Navy camouflage … your Air Force blue. And they were good, but they were better when we deconstructed them and brought them into a joint force where we could share their perspectives in their teams," he said.

    Picture What Winning Looks Like

    In America, people take power for granted until it goes out, whether it's a cold snap that overwhelms a grid during a Texas winter or something malicious. Regardless of the cause, Parrillo said recovery should only take minutes or maybe hours. In a world of constant scans and probes, his best day is one where literally nothing happens.

    For White, winning means never fighting a campaign because deterrence efforts keep adversaries away. "Winning would look like you never have to recover because you're never breached."
