Electricity, our financial institutions, and our transportation infrastructure, are things that permeate our lives each day, and are all dependent on the internet. Having a resilient infrastructure in critical areas is not only crucial to the everyday lives of citizens, but our national security. The theme of Week 5 looks at the role of cybersecurity in keeping our phone lines, running water, traffic lights, and other critical infrastructure secure.
What is critical infrastructure exactly? The DHS defines critical infrastructure as “sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety or any combination thereof.”
Basically, critical infrastructure either: (1) supports some basic necessity of modern life, like electricity or (2) it is a big organization that would impact a lot of people.
There are 16 critical infrastructure sectors
- Chemical. Basic chemicals, specialty chemicals, agricultural chemicals, pharmaceuticals and consumer products.
- Commercial Facilities. Entertainment, gaming, lodging, events, public assembly, real estate and sports leagues.
- Communications. Internet, telephone and cable wired lines, wireless frequencies (cellphones) and satellites (GPS, DirecTV, satellite phones).
- Critical Manufacturing. Primary metals, machinery, electrical equipment and transportation equipment.
- Dams. Hydroelectric power, water supplies, irrigation, flood control, river control and recreation.
- Defense Industrial Base. Design and production of military weapon systems.
- Emergency Services. Police and fire departments, medical services and public works.
- Energy. Electricity, oil and natural gas.
- Financial Services. Banking, credit, investment and insurance.
- Food and Agriculture. Farms, livestock, restaurants, food manufacturing, processing and storage.
- Government Facilities. Federal, state, local and tribal government buildings.
- Health Care and Public Health. Hospitals, clinics, mental health, youth care and family services.
- Information Technology. Hardware, software, systems and services.
- Nuclear Reactors, Materials and Waste. Reactors, enrichment and nuclear medicine.
- Water and Wastewater Systems. Water treatment, storage, drainage and sewage.
If you work in any industrial setting — whether it is a farm, doing facilities work on buildings, working in a factory or in other skilled labor jobs like plumbers, electricians or HVAC specialists — pay attention to any devices you interact with, especially if they are internet-enabled.
Why would someone want to target a HVAC system? In 2013, Target was actually compromised through their HVAC system, exposing 110 million people while using a third-party company to manage their HVAC systems that were not properly protected from the rest of their network. Hackers were then able to break into the network using malware, exposing the card processing system.
While Target is an example of someone using an ICS as a pivot point to reach other critical infrastructure, what about someone using a primary network? In March of 2016, hackers took control of hundreds of PLCs that governed the flow of toxic chemicals that were used to treat water at a regional water utility. The cyber thieves took advantage of the water company’s poor security architecture that had multiple internet-facing systems with high-risk vulnerabilities on the same network as their SCADA platform. The actors were actually able to change flow rates of the toxic chemicals.
Luckily, the alert system provided the water treatment facility enough time to reverse the chemical flow changes, minimizing the impact on the facilities customers and saving hundreds of thousands of lives from danger.
Because the energy grid is so complex, managing it requires constant planning and coordination. Complicating matters, cyber threats to the grid are not static. They evolve — and so must the industry’s efforts to prepare.