Thursday, November 21, 2024

CISA, ODNI issue guidance to safeguard critical infrastructure installations against foreign threats


In observance of National Critical Infrastructure Security and Resilience Month, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence released guidance to help critical infrastructure owners and operators detect and mitigate efforts by foreign intelligence entities to disrupt U.S. critical infrastructure. The nation continues to observe cyber and physical threats to the critical infrastructure Americans rely on daily. U.S. adversaries and their foreign intelligence entities understand the importance of the critical infrastructure sectors and how degrading them could hinder the national response to events.

“U.S. adversaries and their foreign intelligence entities (FIEs) understand the importance of these sectors and how degrading them could hinder our national response in the event of crisis or war, given that harm to these sectors could cause panic, erode confidence in the government, and complicate leadership decision-making,” the agencies wrote in a document titled ‘Safeguarding Our Critical Infrastructure: Vigilance Makes a Difference.’

FIEs exploit and attack U.S. critical infrastructure in many different ways. They research their collection targets, exploit cyber networks, and leverage known and zero-day vulnerabilities for sustained system access. They conduct physical reconnaissance, employ insiders, and secure access through strategic investments. Additionally, they compromise supply chains by embedding malicious hardware, firmware, and software to disrupt or destroy interconnected services.

Efforts by foreign threat actors to damage U.S. critical infrastructure sectors could impact U.S. national and economic security and public health and safety by disrupting, degrading, or denying essential services to citizens and businesses, including during emergencies and disaster recovery. Such efforts may also complicate U.S. military mobilization; collect sensitive data related to infrastructure systems and networks; harm the U.S. economy by disrupting utility operations and financial services; and disrupt national and global commerce by impeding communications, transportation, and shipping logistics.

Activities targeting U.S. critical infrastructure are often observable. Spotting and reporting these indicators can help authorities stop potential attacks. Some of the possible targeting signs may include unexplained systems and communications outages or unusually high equipment failure rates; unusually high cyber activity from unknown parties; or employees exceeding their access privileges, asking for sensitive, internal, and proprietary information unrelated to their job responsibilities. 

Other possible signs include outside parties seeking to tour facilities or asking probing questions about sensitive, internal, and proprietary information; attempts to recruit technical experts, including through invitations of foreign travel, employment offers, and financial incentives in exchange for proprietary information; and unsolicited offers to establish joint ventures with companies tied to foreign governments or state-owned enterprises.

U.S. critical infrastructure owners and operators are not helpless and can focus on safeguarding their critical environments. Recommended corporate security measures include identifying ‘crown jewels’ and developing strategies to prevent or mitigate their loss; implementing an enterprise-wide security posture that ensures collaboration between security, cyber, IT, insider threat, legal, human resources, and procurement components; and developing organization-wide emergency response plans and conducting periodic tests and exercises.

These facilities must build resilience and redundancy into operations to withstand cyber disruptions; maintain an ‘anomaly’ log to track irregular incidents to potentially spot malicious trends; and report anomalies to the FBI Field Office or CISA Central. 

To counter insider threats, they could establish an insider threat training and awareness program within the organization and conduct regular workforce training. They also can conduct background checks and vetting, including pre-employment screening and continuous monitoring, where possible; maintain access controls and monitoring, including the least privilege principle, segregation of duties, and robust logging and monitoring systems to detect unusual or unauthorized access patterns; and maintain physical security practices to limit and monitor access to sensitive areas and devices.
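Two of the items above lend themselves to a concrete check: the indicator of employees exceeding their access privileges, and the control of least privilege backed by logging that detects unauthorized access patterns. The following is an added illustration, not code from CISA, ODNI or the guidance document. It runs a least-privilege review over a few constructed access-log lines, flagging any event where the account's role carries no entitlement to the system touched, and reports per user whether any such attempt actually succeeded. The role map, user-to-role assignments, system names and the log line format are all assumptions made for the example.

```python
"""Added example: least-privilege access review over constructed log lines.

Flags events where a user's role has no entitlement to the system accessed,
the "employee exceeding their access privileges" indicator from the guidance.
Role map, users, system names and log format are illustrative assumptions.
"""
import re
from collections import defaultdict

# Hypothetical role -> set of systems that role is entitled to touch.
# A real organisation would derive this from its access-control system.
ROLE_ENTITLEMENTS = {
    "hmi_operator": {"scada-hmi", "historian"},
    "network_admin": {"core-switch", "firewall", "jump-host"},
    "hr_analyst": {"hr-portal"},
}

# Hypothetical user -> role assignments.
USER_ROLES = {
    "alice": "hmi_operator",
    "bob": "network_admin",
    "carol": "hr_analyst",
}

# Constructed sample log, one event per line:
#   <timestamp> <user> <system> <action> <outcome>
SAMPLE_LOG = """\
2024-11-21T08:02:11Z alice scada-hmi read ok
2024-11-21T08:05:40Z bob firewall config-change ok
2024-11-21T09:14:03Z carol hr-portal read ok
2024-11-21T09:20:55Z carol plc-engineering-ws read ok
2024-11-21T22:41:09Z alice core-switch config-change denied
2024-11-21T22:42:30Z alice core-switch config-change ok
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, system, action, outcome = m.groups()
    return {"ts": ts, "user": user, "system": system,
            "action": action, "outcome": outcome}


def find_out_of_role_access(log_text):
    """Return every event whose user has no entitlement to the system.

    Unknown users (no role assigned) are treated as having no entitlements,
    so their events are flagged too rather than silently passed.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        role = USER_ROLES.get(ev["user"])
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if ev["system"] not in allowed:
            findings.append(ev)
    return findings


def summarize(findings):
    """Group flagged events per user: attempts, successes, systems touched.

    A 'denied' followed by an 'ok' against the same system is the case a
    reviewer most wants surfaced, since it means the control did not hold.
    """
    summary = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "systems": set()})
    for ev in findings:
        s = summary[ev["user"]]
        s["attempts"] += 1
        s["systems"].add(ev["system"])
        if ev["outcome"] == "ok":
            s["succeeded"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, s in summarize(find_out_of_role_access(SAMPLE_LOG)).items():
        print(f"{user}: {s['attempts']} out-of-role attempt(s), "
              f"{s['succeeded']} succeeded, systems={sorted(s['systems'])}")
```

On the constructed log this flags carol reading an engineering workstation her role has no claim to, and alice's two late-night configuration changes on a core switch, the second of which succeeded after the first was denied. Feeding the summary into the ‘anomaly’ log the guidance recommends gives a record that can be reviewed over time for trends rather than as isolated events.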

Critical infrastructure owners and operators must also ensure supply chain visibility by maintaining a comprehensive inventory of all vendors, partners, and third-party services used; and implementing vendor risk management, including conducting due diligence, developing risk assessments, and using vetted vendors with recognized security certifications. They must also implement a robust patch management process to ensure that software and systems, including those provided by vendors, are regularly updated with the latest security patches. 

These installations must also incorporate security requirements, such as incident reporting, into third-party contracts and monitor compliance throughout the lifecycle of a product or service. They must also conduct oversight of vendor access controls and grant access only to the data and systems necessary for their role (e.g., implement role-based access controls) and separate vendor access from internal systems to limit the potential impact of a breach. Furthermore, they must support secure software development and vendor adherence to secure development practices.

Earlier this month, the U.S. Department of Homeland Security (DHS) released recommendations for the secure development and deployment of artificial intelligence (AI) in critical infrastructure. The ‘first-of-its-kind’ resource was crafted for all levels of the AI supply chain—cloud and compute providers, AI developers, critical infrastructure owners and operators—as well as civil society and public sector entities that protect consumers. In collaboration with industry and civil society, the alliance proposes new guidelines to promote responsible AI use in America’s essential services.
