Part 1: Why Cyber Risk in Critical Infrastructure Needs to be Understood and Prioritized
The following is part one of a multi-part series focusing on cyber risk highlights in critical infrastructure.
We are living in a new normal in which our growing digital dependence can lead to physical destruction and interruption of critical infrastructure. Stories read in science fiction novels just a few decades ago are now realized cyber risk scenarios. Recent cyber-attacks have had consequences felt across society: no gas, no meat, and no critical healthcare are just a few examples. The year 2020 will be remembered as a point of no return, not only for the millions of lives lost to the global COVID-19 pandemic but for an intense period of digital disruption. During the height of the pandemic, the FBI reported that cybercrime complaints had risen by roughly 400%. Cybercriminals and nation-state actors took advantage of remote work, supply-chain uncertainty, economic dislocation, and global political tensions to disrupt critical infrastructure. Changes in how and where people work tilted the balance of entire economies, reshaped how business is done, and shifted how people operate and process information. Many of these changes have been difficult to reverse, and the advantage continues to favor the attacker.
Critical infrastructure will remain a lucrative target for both cybercriminals and nation-state groups. Over the past several years, the consequences of disrupting essential services and goods have often pushed victims toward paying a ransom. Fortunately, the impacts of recent ransomware events were not at a grand scale, yet they were severe enough in size and scope to dominate entire news cycles in the mainstream media. As a result, we have seen a period of intense public and private collaboration to find new and better solutions. The US government has taken action to strengthen the Nation's critical infrastructure sectors and to minimize casualties and loss of life from future cyber events. Beginning in 2021, the electricity and water sectors established 100-day plans through collaboration between public and private enterprises, and more sectors are to follow with their own prioritized plans. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022, will require covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours once CISA's implementing regulations are final. And the Securities and Exchange Commission has proposed rules requiring public companies to disclose material cybersecurity incidents and describe how they manage and govern cyber risk. All of these initiatives share a common theme: more planning and preparation to ensure cyber-readiness. Ultimately, these efforts should produce a more resilient critical infrastructure ecosystem for future generations.
Critical Concepts in the Margins of Mainstream Conversations
The gas supply shortages mentioned above refer to the Colonial Pipeline attack of May 2021. A ransomware intrusion into the company's IT network, reached through a VPN account that lacked multi-factor authentication, led the operator to shut down the pipeline as a precaution, cutting off a system that carries roughly 45% of the fuel consumed on the US East Coast. That a single point of compromise could have such an effect not only raised public anxiety but caused real concern in the information security community. Such a drastic consequence from a single cyber-attack reaffirmed the importance of understanding Systemically Important Critical Infrastructure.
The concept of systemically important critical infrastructure was introduced in the US Cyberspace Solarium Commission's 2020 report, which describes such entities as "the entities, responsible for the most important critical systems and assets in the US, that would be granted special assistance from the federal government as well as assume increased responsibility for additional security and information security requirements that are vital to their unique status and importance."
Why We Are Writing this Critical Infrastructure Blog Series
In this blog series, we argue protecting systemically important critical infrastructure requires a more scalable and efficient methodology to understand the impact of cybersecurity attacks and to prioritize countermeasures. Indeed, low-probability and high-impact scenarios such as the Colonial Pipeline event require enhanced methods for evaluating the consequences of cyber risk.
To keep pace with the velocity of cybersecurity attacks, we propose a different approach to cyber risk quantification: focusing on the consequences of cyber threats in order to communicate cyber investments in a financial context. Other approaches can fall into a "probability trap" that places too much emphasis on reducing likelihood, which is of limited use to the decision-makers who control resource allocation, including funding for cyber initiatives. The result of our approach is that decision-makers get efficient, actionable information for a cost/benefit analysis of proposed cyber investments in their "native" language of dollars. Other methodologies have benefits when evaluating multi-year investments, but they require significant resource and learning-curve investments, which is a poor fit for an organization that needs to ramp up a quantitative approach quickly. A consequence-based approach, by contrast, produces results quickly (in as little as two days) and can jump-start a quantitative approach to cybersecurity. Legacy methods of quantifying risk are unlikely to disappear as a purposeful tool for some organizations, but, as we have validated with owners and operators of critical infrastructure, a consequence-based approach founded on real-world threat scenarios can bring the purported benefits of older methods to organizations with limited resources.
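To make the "probability trap" concrete, here is an added illustration (not the authors' methodology or code, and not data from any real operator) that scores a small portfolio of countermeasures two ways: by the loss avoided when a scenario actually occurs, and by the probability-weighted annualized loss avoided. All scenario names, dollar figures, probabilities and reduction factors are constructed for the example, and the benefit definitions are one simple choice among several.

```python
"""Consequence-based vs probability-weighted ranking of cyber investments.

Illustrative only: the scenarios, dollar figures and reduction factors below
are constructed for this example and do not come from any real operator.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # estimated events per year (assumed)
    outage_days: float         # days the service is unavailable if it happens
    daily_loss: float          # revenue and penalty loss per outage day, USD
    recovery_cost: float       # one-off response and rebuild cost, USD

    def consequence(self) -> float:
        """Loss if the scenario occurs, regardless of how likely it is."""
        return self.outage_days * self.daily_loss + self.recovery_cost

    def annualized_loss(self) -> float:
        """Probability-weighted loss: the classic ALE = ARO x SLE."""
        return self.annual_probability * self.consequence()


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float  # USD, one-off for simplicity
    # scenario name -> fraction of the consequence removed (shorter outage, cheaper recovery)
    consequence_cut: dict[str, float] = field(default_factory=dict)
    # scenario name -> fraction of the annual probability removed
    probability_cut: dict[str, float] = field(default_factory=dict)

    def apply(self, s: Scenario) -> Scenario:
        """The scenario as it would look with this countermeasure in place."""
        c = 1.0 - self.consequence_cut.get(s.name, 0.0)
        p = 1.0 - self.probability_cut.get(s.name, 0.0)
        return Scenario(s.name, s.annual_probability * p, s.outage_days * c,
                        s.daily_loss, s.recovery_cost * c)


def consequence_benefit(m: Countermeasure, scenarios: list[Scenario]) -> float:
    """Loss avoided on the day each scenario does occur (the consequence view)."""
    return sum(s.consequence() - m.apply(s).consequence() for s in scenarios)


def annualized_benefit(m: Countermeasure, scenarios: list[Scenario]) -> float:
    """Expected annual loss avoided (the probability-weighted view)."""
    return sum(s.annualized_loss() - m.apply(s).annualized_loss() for s in scenarios)


def rank(measures, scenarios, benefit) -> list[tuple[str, float]]:
    """Countermeasures ordered by benefit per dollar of cost, best first."""
    scored = [(m.name, benefit(m, scenarios) / m.cost) for m in measures]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed portfolio for a hypothetical pipeline operator.
SCENARIOS = [
    Scenario("ransomware halts pipeline operations", 0.02, 6, 5_000_000, 10_000_000),
    Scenario("vendor laptop carries malware into the control network", 0.05, 3, 5_000_000, 5_000_000),
    Scenario("phishing exposes employee records", 0.5, 0, 0, 2_000_000),
]

MEASURES = [
    Countermeasure("IT/OT segmentation plus rehearsed manual fallback", 3_000_000,
                   consequence_cut={"ransomware halts pipeline operations": 0.75,
                                    "vendor laptop carries malware into the control network": 0.6}),
    Countermeasure("phishing awareness programme", 300_000,
                   probability_cut={"phishing exposes employee records": 0.4}),
]

if __name__ == "__main__":
    for label, fn in (("consequence-based", consequence_benefit),
                      ("probability-weighted", annualized_benefit)):
        print(f"{label} ranking (benefit per dollar):")
        for name, ratio in rank(MEASURES, SCENARIOS, fn):
            print(f"  {ratio:6.2f}  {name}")
```

With these figures the two views disagree. Segmentation removes $42M of loss from the two control-network scenarios, about 14 times its cost, but because those scenarios are rare its annualized benefit is only $1.2M, or 0.4 times its cost; the cheap awareness programme wins the probability-weighted ranking at roughly 1.3 times its cost while doing nothing to shrink the worst day. A decision-maker who only sees the annualized column never learns that the low-probability scenario is the one that would halt operations.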
Adequate cyber insurance is also an integral component of a cyber-resilience strategy. But insurers rely heavily on an estimate of potential loss to price and provide coverage. Cyber risk quantification lets an organization work with its providers to put in place the coverage that best transfers the financial loss it cannot otherwise reduce. The right quantification method, one focused on calculating the financial impact of cyber risk, is the best tool for working with insurance providers to build a portfolio of coverage that protects the enterprise's entire balance sheet, and specifically the assets a critical infrastructure organization needs to keep operating.
A less vulnerable moment in history is unlikely to arrive on its own. This weekly blog series will cover the challenges ahead as the Nation collectively ramps up its cyber-readiness efforts to protect critical infrastructure, the importance of understanding what is at stake, and a few hard realities, including:
- Part 2: Why cyber-attacks target critical infrastructure control systems, not data.
- Part 3: How ransomware attacks create collateral damage.
- Part 4: Why preparing for cyber-attacks depends heavily on mastering the basics first.
- Part 5: Our thesis: how new approaches to cyber risk quantification can improve critical infrastructure resilience, including the increasingly publicized cyber insurance coverage conundrum.
Stay tuned each week as we go through the cybersecurity risk highlights for critical infrastructure and what you can do today to prepare for the scenarios malicious actors are already planning against you.