FPC Blog

Cyber Protection of US Critical Infrastructure

Our previous blog US Critical National Infrastructure… examined physical attacks on the US utility sector and technologies that may be developed to provide energy fallback in case of an attack on the US grid. In today’s increasingly digital landscape we must also examine the cybersecurity challenges to our physical, business and intellectual infrastructure.

Naturally, any mention of cybersecurity feels buzzworthy; it is a current hot topic. Imagine young upstart black hat hackers in a basement breaking through corporate code to steal millions of dollars through phishing and email scams, with unwitting employees falling for the ruse. While such scenarios do play out, the more sinister threats receive far less attention. We need to properly define what cybersecurity entails. The US National Institute of Standards and Technology (NIST) defines cybersecurity as “prevention of damage to, protection of, and restoration of computers, electronic communication systems, wire communication…to ensure its availability, integrity, authentication, confidentiality and nonrepudiation.”

This definition makes no mention of protecting the supply chain, the physical edifices and the intellectual property that are controlled, monitored and managed by computerized communications. Our understanding of hostile cyber influence on, and attacks against, national physical infrastructure needs improvement.

  • There is a plethora of thought leadership on cybersecurity and the issue of remote work. However, considerable research was needed to find practical responses to cyber and information security breaches of critical infrastructure. CyberArk’s Strengthening Critical Infrastructure Security presents viable solutions for cyber threats to actual physical infrastructure, opening with recent incidents:
    • May 2021: DarkSide, a Russian cyber-criminal syndicate, carried out a ransomware attack against a large oil pipeline operator that disrupted fuel supplies and triggered panic buying and widespread gasoline shortages across the southeastern United States.
    • June 2021: REvil, another Russian ransomware group, attacked a large meat producer, forcing the company to shut down plants in the U.S., Canada and Australia, impacting national food supplies and meat prices.
    • February 2021: a US domestic hacker compromised a US water treatment facility to increase the sodium hydroxide content in the water supply by 100x, potentially poisoning 15,000 Floridian citizens.
  • Information Technology/Operational Technology (IT/OT) convergence has created cyber risk:
    • Utilities and manufacturers are converging OT networks and IT networks to reduce expenses, simplify operations and support industrial IoT (IIoT) initiatives. 
    • Historically, business application traffic flowed over a separate enterprise IP network. If an external threat actor managed to breach the enterprise network, they had no way to access the OT network. 
    • The convergence of IT and OT networks eliminates the “air gap” between the two environments, providing a pathway for external threat actors to gain access to industrial control systems and wreak havoc. 
    • Historically, industrial control systems were based on proprietary hardware and special-purpose software. Today, they run on Linux-based commodity servers and leverage commercial-off-the-shelf (COTS) software, making them vulnerable to software supply chain attacks. 
  • Zero Trust security is a necessary defense against cyber-attacks:
    • A Zero Trust approach protects modern operating environments by assuming all identities are implicitly untrusted and must be authenticated and authorized.
    • Unlike a traditional perimeter-based security model, a Zero Trust architecture:
      • Protects cloud-based IT and OT systems as well as on-premises IT and OT systems
      • Defends against inside threats as well as external threats
      • Provides inherent security for remote workers and mobile users
  • Privileged Access Management is crucial for protection in cybersecurity:
    • An optimal privileged access management solution:
      • Automatically updates and rotates credentials based on an organization’s defined policy to mitigate risk in the event credentials are compromised.
      • Supports multi-factor authentication to positively identify privileged users, mitigate the risks of credential theft and prevent unauthorized access to privileged accounts.
  • As someone who has been involved with and influenced by the Financial Policy Council (FPC), a 501(c)(3) think tank that conducts research and analysis on a variety of issues, such as social, economic, and environmental topics, I recognize the need to promote better cybersecurity practices among individuals and businesses. This includes implementing strong password policies and regularly updating software to mitigate the risk of cybercrime. With daily attacks on the nation’s power grids, just one failure could have longstanding and horrific effects. To protect sensitive information, businesses should consider using a digital vault to securely store passwords, secrets, SSH keys, and other credentials used by people, applications, and machines.
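As an added example (not code from the CyberArk paper or the FPC), the two privileged-access requirements above, policy-driven credential rotation and MFA for privileged users, expressed as an audit over the kind of credential inventory a digital vault would hold. The rotation periods, account names and credential kinds are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed maximum credential age (days) per credential kind; the page names
# no numbers, so these are illustrative policy values.
ROTATION_MAX_AGE_DAYS = {"password": 90, "ssh_key": 180, "api_secret": 30}


@dataclass
class Credential:
    name: str
    kind: str            # "password" | "ssh_key" | "api_secret"
    owner_type: str      # "human" | "application" | "machine"
    privileged: bool
    last_rotated: datetime
    mfa_enforced: bool   # only meaningful for human owners


def audit(creds, now, policy=ROTATION_MAX_AGE_DAYS):
    """Return (credential name, finding) pairs for every policy violation.

    Two checks mirror the two PAM requirements: a credential older than its
    kind's maximum age is overdue for rotation, and a privileged human
    account must have MFA enforced. A kind with no policy is itself a finding.
    """
    findings = []
    for c in creds:
        if c.kind not in policy:
            findings.append((c.name, f"no rotation policy for kind {c.kind}"))
            continue
        max_age = timedelta(days=policy[c.kind])
        age = now - c.last_rotated
        if age > max_age:
            findings.append((c.name, f"rotation overdue by {(age - max_age).days}d"))
        if c.privileged and c.owner_type == "human" and not c.mfa_enforced:
            findings.append((c.name, "privileged human account without MFA"))
    return findings


# Constructed inventory: names and ages are made up for the example.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Credential("scada-admin", "password", "human", True, NOW - timedelta(days=120), False),
    Credential("hmi-svc", "api_secret", "application", True, NOW - timedelta(days=10), False),
    Credential("plc-deploy", "ssh_key", "machine", True, NOW - timedelta(days=200), False),
    Credential("ops-analyst", "password", "human", False, NOW - timedelta(days=30), False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, NOW):
        print(f"{name}: {finding}")
```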

In addition, in collaboration with the FPC, I have identified business risks of cybercrime via patent theft and types of intellectual property infringement. According to a 2017 report by the Commission on the Theft of American Intellectual Property, such cybercrime costs range from US$225 billion to US$600 billion. Industries most affected by patent theft include technology, pharmaceuticals, and manufacturing. It is interesting to note that we do not need to look outside for terrorist theft of intellectual property. The intellectual property infringement practices of large multinational companies like Microsoft, Facebook, and Google reflect a growing lack of corporate morality in the US. The FPC is quite discerning with regard to suggestions that smaller companies investigate the litigation financing industry as a way to help fund their legal expenses when taking legal action against large companies for patent and other intellectual property infringement. Some companies that have done this include Uniloc USA Inc., Rembrandt Technologies LP, Oracle America, Inc., and InterDigital Communications LLC.

Overall, cybercrime is on the rise at a double-digit percentage pace. Global spending on cybersecurity exceeded US$170 billion in 2022, is increasing by 13% and will likely remain a high-growth industry for years. Private sector cyber development drives this growth, with cyber companies such as CrowdStrike Holdings (CRWD) and Splunk (SPLK) being financial and business outperformers in zero-trust security and infrastructure monitoring. The First Trust NASDAQ CEA Cybersecurity ETF (CIBR) comprises 37 cyber stocks and is the largest to consider. For cyber risk via patent infringement, individuals can invest in litigation finance funds. These funds typically invest in a variety of cases, including patent infringement and other forms of intellectual property infringement, and offer returns based on the success of the cases. Individuals can also invest in individual cases by purchasing shares directly from the plaintiff or defendant in a case. Notable litigation finance funds include Burford Capital, Gerchen Keller Capital, Validity Finance, and JuriVest.

We absolutely need more development of and investment in cyber initiatives to improve the protection of US national and business infrastructure in an increasingly threatened digital landscape! I welcome all constructive dialogue on how we can improve US infrastructure and supply chain security on all fronts, and encourage open collaboration for development via the Financial Policy Council.