Is critical infrastructure vulnerable to catastrophic attack?

Government organizations across the country, from small towns in sparsely populated areas to major cities in swing states, have an incredibly high risk of cyber-attack in the months leading up to this year’s midterm elections. Critical infrastructure systems are particularly at risk, as the implementations of new ‘smart’ technologies have expanded the surface area for hackers.

The 2018 Government Cybersecurity Report provides findings on the overall health of cybersecurity for local, state, and federal government internet connected systems in the United States. The 2017 Government Cybersecurity Report looked at a comparison of government systems to other major enterprise industries to determine where public sector entities ranked versus the private sector for cyber security. This comparison helps provide a measure of the government sector’s effort to adhere to basic information security standards and practices.

How government cybersecurity posture compares to last year

{mosads}In 2017, the government as an industry ranked at the very bottom of the list as compared to other industries.  This indicated a higher risk for that industry, related to the susceptibility for successful hacking attacks and data breach incidents.

The original report highlighted President Trump during the administration’s first press conference, and the troubling findings about the government entities lowest ranking position were cited.

In 2018, U.S. government networks are no longer scored at the very bottom of the industry list. Having moved up to 11th place, it appears there are efforts underway to implement incremental improvements since the last report was published. Overall, the ranked entities are showing a 35.29 percent improvement in rank compared to 2017.

However, there is still a very long way to go to reach top ranking.

Government response time to incidents

In 2018, research found that 60 percent of information security issues remain undetected for more than a year. Even when security issues are known and acknowledged — it can take many months before the problem is actually fixed or remediated. The report measures response time to issues like the implementation of a patch for a known vulnerability, updates for old legacy software, or the removal of malware when an endpoint is infected.

Most large enterprises across all industries appear to have issues in their patching and response cadence, and it seems the government sector is significantly more impacted likely as a result of the heavy bureaucratic protocols in place at every level of process. While government employees and enterprise staff are restricted by paperwork and process — hackers are not and take advantage of slow patching cadences for leverage as a major attack vector.

Increasing network attack surface area

The rapid deployment of new technologies (such as IoT) into the government sector will continue to expand the attack surfaces that are available for attackers, and may provide pivot points into networks that were previously segregated from the public internet. New technologies can become legacy technologies in less than a years’ time, and the vectors of attack that emerge from exposed vulnerable network services and related web applications will continue to be of growing concern.

The definition of what is considered an accessible internet connected device continues to expand on a daily basis. An emerging trend across all industries has been the retrofitting of analog physical equipment with ‘smart’ technologies in order to facilitate transitions into the modern era.

Critical infrastructure systems such as power systems, water systems, traffic controls, public transit controls, chemical plants, and similar are constantly undergoing experimental implementations of “internet enabled” aka “smart” technologies that are designed for the purpose of “secure” remote access.

Conclusion

Recently, the Juniper Corporation published findings that indicate the financial repercussions of data breaches will skyrocket above $2 trillion annually by 2019 globally. Individual breaches are expected to cost affected entities $4 million or more, for each incident. The financial constraints on local and state governments oftentimes result in shortcomings of funding for cybersecurity initiatives — and the rising costs and frequency of breach incidents may be eventually used to justify budget allocations as the response to a security incident can be exponentially more expensive.

Going even further than just financial issues, the rampant, ever-growing trend of deploying remotely accessible Internet connected critical infrastructure seems to be creating an environment where malicious attackers can already, or will soon be able to, engage in a cyber attack that has catastrophic results – such as an attack on a transit system or air traffic control system — may cause loss of life at mass scale. Any national incident with enough shock to alter the public perception of safety and reality can alter the course of political developments for decades.

The implementation of properly deployed “defense-in-depth” and “layered security” concepts and technologies are significantly needed within the local, state, and federal government agencies. There is no cure-all solution that will prevent an attack from a determined adversary. However, the use of these methodologies will significantly lower risk and may provide early warning indicators of emerging problems. It is an unfortunate fact that all entities that have a large internet presence will likely experience a security incident eventually — what determines success in these cases are the speed of response, remediations, and implementations of controls for future mitigations.

The integrated use of various next generation technologies such network/application firewalls and endpoint protections will only go so far without the use of things such as external assessments and continuous risk monitoring solutions — and none of it will be effective if there is not an individual or team who owns the responsibility to ensure that their ecosystem has been locked down and secured effectively.

Alexander Heid is the chief research officer at SecurityScorecard, a cybersecurity firm focused on ecosystem risk management.