Cybersecurity and Infrastructure Security Agency (CISA) is a branch of the United States Department of Homeland Security (DHS) that is responsible for strengthening cybersecurity and infrastructure protection for critical infrastructure organizations across all levels of government. Critical infrastructure — the organizations, systems, and networks that comprise the backbone of the US — must be secured because any cyber attack could significantly impact our way of life, including public health and safety, were CI organizations compromised in any way, shape, or manner.
CISA plays a pivotal role in ensuring the continued availability and integrity of the nation’s critical infrastructure. In particular, it focuses on enhancing the resilience of critical infrastructure organizations with strategic guidance, leadership, and coordination.
CISA’s Top Critical Infrastructure Protection Initiatives
It’s vital to appreciate that not only are critical infrastructure sectors essential to our way of life, but they are also interconnected. Disruption to one of these sectors is likely to have a significant impact on others.
With a focus on federal network protection, CISA works with private sector partners to support critical infrastructure sectors’ attempts to reduce cyber risks.
In addition to these critical partnerships, it plays a key role in securing the dot-gov and dot-com domains.
CISA’s top initiatives for protecting critical infrastructure are as follows:
Identifying ransomware as a key threat to critical infrastructure, CISA created stopransomware.gov as a central hub for alerts and guidance for individuals and businesses in the public and private sectors.
JRTF and JCDC
It created the Joint Ransomware Task Force (JRTF) with the FBI to coordinate the government’s response to the threat from ransomware.
CISA appreciates that gaps in knowledge and information-sharing make it more difficult for individuals and organizations to protect themselves and each other from cyber threats.
To address this, it also established the Joint Cyber Defense Collaborative (JCDC), through which cyber defense experts from public and private sectors share real-time threat intelligence and insights to increase awareness and reduce cyber risks.
CISA’s Shields Up campaign focused on protecting critical infrastructure from the threat of Russian cyber attacks, strengthening the cybersecurity policies and practices of major industrial control systems and pipeline operators.
The agency’s “Cybersentry” capability enhances cyber threat detection for operational technology networks in critical infrastructure.
Cybersecurity Advisor Program
CISA leads the Cybersecurity Advisor Program (CAP), promoting and facilitating cybersecurity awareness.
Cybersecurity Performance Goals
Following Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 2021), CISA worked with the National Institute of Standards and Technology (NIST) to develop voluntary, minimum cybersecurity performance goals (CPGs) for all critical infrastructure organizations, regardless of their size or specific sector with critical infrastructure.
The CPGs are based on existing cybersecurity frameworks combined with real-world threats and CISA’s observation of adversary tactics, techniques, and procedures (TTPs).
While neither comprehensive nor compulsory, CISA’s CPGs aim to be broadly applicable to all critical infrastructure sectors, deliver meaningful improvements to critical infrastructure security, work as a component for measuring cybersecurity maturity, and map generally to NIST cybersecurity frameworks.
Ransomware Vulnerability Warning Pilot (RVWP)
Motivated by cyber attacks targeting critical infrastructure, the aims of CISA’s early-warning system —- the Ransomware Vulnerability Warning Pilot — are two-fold.
- To improve the visibility of vulnerabilities in the attack surfaces of critical infrastructure organizations by scanning the Internet-exposed networks on their systems
- To assist and facilitate proactive vulnerability mitigation and remediation.
The 16 Critical Infrastructure Sectors
CISA has identified and helps protects 16 critical infrastructure sectors:
CISA handles the Sector Risk Management Agency’s responsibilities for the chemical sector on behalf of the Department of Homeland Security (DHS), helping develop tools and resources to build cyber resilience.
CISA improves cyber resilience in commercial facilities — public spaces — and helps provide strategies to prevent coordinated attacks.
The agency oversees the implementation of a risk management framework that can help protect the evolving communications sector.
Here, CISA identifies and focuses on the manufacturing industries that are the most vital to the US economy and where cyber threats pose the most risk. It helps these organizations by performing risk assessments and helping mitigate the impact of cyber threats.
CISA aims to protect assets in the Dams sector from technological events, as well as those caused by natural disasters and human error.
Defense Industrial Base
CISA’s work protecting the Defense Industrial Base extends to more than 100,000 organizations and subcontractors to the US Government’s Department of Defense (DoD).
Protecting the federal agencies and supply chains in this sector is critical to national security and the safety and success of current and future military operations worldwide.
CISA supports emergency services with physical and virtual resources. It will also assist with remediation efforts following a disaster or emergency.
This is a well-known component of critical infrastructure, not least of all because it has been a common target for cybercriminals. CISA’s support and strategic direction here can make a significant difference to national security.
CISA works to protect financial institutions from cyber attacks, helping not only to protect assets but also to maintain their integrity and availability.
Food and Agriculture
Most of the critical infrastructure organizations in the food and agriculture sector are in the private sector. CISA offers these businesses resources and strategic guidance, and it facilitates collaboration with the goal of remediating cyber risks.
CISA helps identify and assess the risks of local, state, and federal government buildings and spaces. This sprawling infrastructure requires CISA’s risk-based management to address their significantly different needs, vulnerabilities, and threats.
Healthcare and Public Health
The healthcare sector is one of the top targets for cybercriminals, combining large amounts of sensitive data, many legacy systems, and complex infrastructure with people’s reliance on these businesses.
CISA addresses response and recovery requirements after cyber incidents and other disasters or emergencies.
The US is increasingly reliant on information technology. CISA addresses this by prioritizing the identification and mitigation of cyber threats and vulnerabilities.
Nuclear Reactors, Materials, and Waste
CISA is an integral part of protecting the integrity of this essential and potentially dangerous sector, which has many important applications, including power, the generation of alternative fuel, and cancer treatments.
A cyber attack that affects the transportation system poses a significant threat to most sectors. Millions of people rely on the transportation sector daily, so CISA prioritizes ensuring the continued availability of transport systems.
Waste and Wastewater
Clean water is essential to human life, making the waste and wastewater sector a key component of our critical infrastructure.
Cyber Attacks on Critical Infrastructure
Whether the attack is from an individual or sponsored by a nation-state, whether motivated by money or furthering a political agenda, critical infrastructure is an attractive target for cybercriminals because of the high stakes.
There is the potential for threat actors to make significant amounts of money and cause massive disruption by attacking any of the 16 sectors CISA has identified as critical to the US way of life.
The US Intelligence Community confirmed that China would likely launch a cyber warfare or cyber espionage campaign against the US if it considered that a major conflict with the US were imminent. It also stated that China’s cyber attacks could disrupt critical infrastructure services, including rail systems and oil and gas pipelines.
The Top Threats to Critical Infrastructure
The following cyber threats are the biggest risks to critical infrastructure today:
Malware / Ransomware
Malicious software, particularly ransomware, has proven to be a major risk to critical infrastructure. Colonial Pipeline paid threat actors $5 million against FBI policies to end the shutdown, demonstrating how unprepared many critical infrastructure owners are for such cyber attacks and how devastating and disempowering they can be.
Considering the vital nature of businesses in the critical infrastructure sector, it’s essential that they give the threat from ransomware and other dangerous malware the attention they deserve.
Supply Chain Attacks
Targeting the suppliers of a nation’s critical industries is a key way in which attackers aim to compromise critical infrastructure. Such an attack is more likely than many others to be motivated by a political agenda.
Supply chain attacks can be interesting to nation-states that wish to gain unauthorized access to information systems in federal agencies and DoD subcontractors, as well as financial institutions. In addition to the potential for data breaches, the disruption of a supply chain attack can be significant in itself.
Distributed Denial of Service (DDoS) attacks, in which a threat actor uses malware-infected machines to overwhelm a target server with false requests, can cause significant disruption to critical infrastructure. Although no data is stolen, any downtime due to a DDoS attack can be extremely detrimental.
This type of attack can cause massive revenue loss due to business disruption as organizations and their cybersecurity operations get overwhelmed. They increase risks to public safety and national security when the target is any of the 16 critical infrastructure sectors.
There is a good chance that a DDoS attack may play a part in a wider, multi-faceted, and coordinated cyber attack, given its ability to distract and engage the resources of cybersecurity teams.
Cybersecurity best practices can significantly reduce the risk of data breaches. Furthermore, cyber resilience initiatives can help businesses bounce back more quickly, restore their systems from backups, and continue business operations, limiting the financial and reputational damage from data breaches and the risk to public safety.
Top Vulnerabilities in Critical Infrastructure
While cyber threats are risks such as hackers, vulnerabilities refer to the issues that hackers could exploit to compromise a system or network.
Vulnerabilities are often errors or oversights that need to be fixed to prevent cybercriminals from taking advantage of them. The most common vulnerabilities in critical infrastructure organizations are as follows:
Insufficient Policies and Procedures
While many individuals think of software as the solution to cybersecurity issues, the development of thorough information security policies and procedures is key to strengthening cybersecurity.
Without a framework, established practices, and written policies to support a company’s cybersecurity strategy, its efforts are more likely to be marred by gaps, inconsistent implementation, misunderstanding, and negligence.
Policy making, testing, and regular reviews are essential to ensure that everyone handling sensitive data follows the strategy and tactics set out by the organization.
Making a cloud storage server accessible to the public could be disastrous in the critical infrastructure sector. Policies and procedures help organizations avoid configuration errors that could lead to critical data leaks and breaches.
Especially in manufacturing, operational technology is more connected than ever. Systems that were traditionally siloed are now far more likely to be connected to the internet and each other, making them more vulnerable to cyber attacks and modification or sabotage by hackers.
Lack of Encryption
In the event of a data breach, encrypted files have a chance of remaining confidential because hackers would require the correct decryption key or sophisticated methods to decrypt the data.
Remediating Vulnerabilities in Critical Infrastructure
CISA identifies the following key ways organizations should improve their security postures.
Prioritize Cybersecurity in New Technology
Rapid implementation of new technologies has tended to outstrip cybersecurity considerations. Software developers often race to be the first to create and facilitate new ways of working, and security has suffered as a result.
CISA identifies that cybersecurity needs to be built into new technology — not tacked on as an afterthought. When implementing new technologies, organizations in critical infrastructures must prioritize analyzing cybersecurity and management implications over the obvious advantages of new software and hardware at face value.
The rapid implementation of IoT technology is an excellent example of how introducing new technology without adequate security considerations can harm a firm’s security posture.
Many IoT devices are manufactured as cost-effectively as possible. As a result, they not only lack adequate built-in security but also the capacity to support security upgrades. Where there is password capability, many businesses fail to change the default settings.
The result is a significant increase in an organization’s attack surface, with the introduction of multiple vulnerable endpoints lacking sufficient security controls and yet connected to each other and the network.
Develop Cybersecurity Cultures
CISA acknowledges that while immediately actionable security controls offer fast, meaningful improvements to networks and systems, critical infrastructure should nonetheless prioritize the longer-term process of developing a cybersecurity culture.
A cybersecurity culture means eradicating silos. Cybersecurity can no longer be considered an IT problem or the responsibility of technical departments.
With a mature cybersecurity culture, staff throughout the company and at every level is more aware of suspicious activity, such as phishing and spear phishing attempts, which are vectors to ransomware.
With engagement from boards of directors, cybersecurity awareness and training becomes company-wide until every person in the organization:
- Realizes they are stakeholders in cybersecurity
- Knows the importance of cybersecurity
- Prioritizes data protection and the security of operational technology
People will always be a major factor in actions that cause or prevent data leaks and data breaches. Prioritizing cybersecurity awareness throughout an organization mitigates vulnerabilities and introduces a new or stronger layer of defense against cyber attacks and accidental data loss.
CISA aims to help critical infrastructure organizations face and remediate cyber risks by facilitating their coordination and information sharing.
With proactive collaboration, using stopransomware.gov and threat intelligence systems, such as CVE and RVWP, critical infrastructure owners can stay ahead of many cyber threats and help others do the same.
Collaboration is critical to defending organizations from cyber threats. The cyber threat landscape changes at such a rapid pace that critical infrastructure businesses must use all resources at their disposal to remediate known vulnerabilities and exposures while becoming more proactive and able to defend against emerging threats.
Cyber resilience is a key ability cited by CISA that can help critical infrastructure businesses in the face of the increasingly complex cyber threat landscape.
With cyber criminals becoming more organized, the growing sophistication of their tools and methods, and the added threat from nation-sate sponsors and cyber espionage, critical infrastructure must not only work on preventing cyber attacks but also preparedness so that they can restore systems and continue to function in the increasingly likely event of a cyber attack.
Building cyber resilience includes creating, assessing, and maintaining off-site data backups. Also vital is the development and maintenance of a detailed, documented incident response plan that clearly identifies roles, responsibilities, and steps to take during critical incidents prioritized according to ongoing cyber risk assessments.
An Example of a Cyber Attack on Critical Infrastructure
The Colonial Pipeline attack is an excellent example of how a cyber attack on critical infrastructure can have a profound and wide impact felt for many years.
CISA describes the Colonial Pipeline attack as a watershed moment in the history of cybersecurity. It spurred the Biden-Harris Administration to improve the US’s preparedness for cyber attacks, with a focus on critical infrastructure owners and operators.
Attackers the FBI identified as DarkSide breached the Colonial Pipeline system by exploiting a legacy Virtual Private Network (VPN). The system did not require multi-factor authentication (MFA), so it required the breach of a single layer of security: a password.
The attack led to the shutdown of key delivery conduits to the East Coast for several days and caused fuel shortages, panic-buying, and a spike in gasoline prices,
In addition, other attacks on CI around the world include Ukraine’s power grid attack in 2015, San Francisco’s Light Rail System attack in 2016, and CPC, a Taiwanese public sector energy company that was breached in 2020, are among the victims of cyber attacks targeting critical infrastructure.
Critical Infrastructure was also disrupted by the infamous SolarWinds hack. According to a security firm involved in the investigation of the breach, more than a dozen critical infrastructure organizations across the manufacturing and energy sectors were compromised due to running this vulnerable third-party software used for managing Microsoft environments and widely used by federal agencies.