
The Realities of Critical Infrastructure Security

Most could already be compromised from software updates or back doors that have not been opened, yet.


The past 16 years, from the Stuxnet worm through the Colonial Pipeline attack, have shown that attacks on critical infrastructure can have significant real-world consequences. One notable trend has been the involvement of nation-state actors and the increasing sophistication of some of these attacks.

A key factor enabling this activity is that nation-state actors, as well as some criminal groups, can operate from within certain national borders without fear of repercussions. This gives them ample time to build infrastructure, plan, and carry out campaigns over long periods. There is growing concern that much of our infrastructure is already compromised, either through tampered software updates, as in the SolarWinds supply-chain attack, or through backdoors that have not yet been activated.

A joint advisory in March 2024 from the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), together with other U.S. government and international partners, warned that the state-sponsored actor known as Volt Typhoon, attributed to the People's Republic of China (PRC), has pre-positioned itself inside the networks of U.S. critical infrastructure organizations so that it can disrupt or destroy critical services in the event of a conflict with the United States or its allies.

Because Volt Typhoon relies largely on living-off-the-land techniques (built-in administrative tools and valid credentials) rather than distinctive malware, this pre-positioned access is hard to spot. It could be activated in coordination with other global events to delay a U.S. response by shifting attention to chaos at home.

This type of threat raises a larger question about cyber threats to critical infrastructure mounted by foreign adversaries. Should these threats now be handled at a national level, possibly with an active response similar to that for a kinetic attack? Do we need state-funded protective measures to assist commercial entities in the critical infrastructure space?

We have agencies such as CISA, NIST, FERC, and TSA that publish advisories, track activity, and issue compliance standards and guidelines for securing infrastructure. Other agencies such as the FBI, NSA, and Secret Service actively track and take down infrastructure used by criminal groups. How far should these activities go, given that much of the infrastructure used for nation-state activity is beyond physical reach and criminal prosecution?

Today most commercial entities must provide their own cyber protection at their own cost. That seems reasonable when dealing with ordinary criminal activity that can end in apprehension and prosecution. However, does this model still hold when defending critical commercial enterprises against nation-state actors who are immune to prosecution and apprehension and have state-backed funding?

The Potential Role of Secure-by-Design & AI

Secure-by-design could play a role going forward if customers demand it or regulations drive adherence to its practices. Overall, this will require a shift in thinking on the ICS vendor side, which today is focused mostly on efficiency and safety. The legacy assumption was that most ICS systems would have no external connections or would sit on air-gapped networks, so security on that side was an afterthought.

Even if ICS vendors adopted a secure-by-design strategy, it would take a long time to see the benefits in the field because of how these systems are deployed. Many ICS deployments have a lifecycle of 10+ years and are not upgraded as often as IT equipment. Newer systems would benefit, but existing deployments that are difficult or cost-prohibitive to upgrade will remain vulnerable and will require external compensating controls.

Another possible solution is artificial intelligence. On the defensive side, AI/ML is already used to identify anomalies, detect threats, and automate some responses. Going forward, AI could also help find and predict attack vectors and assist in hardening systems against potential threats.

By the same token, state-sponsored attackers will have the resources to use AI to create more sophisticated attacks, targeted spear-phishing campaigns, and rapid automated exploitation of vulnerabilities. Automating exploitation of newly disclosed vulnerabilities will let these actors hit systems before they can be patched or taken offline.

The issue of investment resources will also play a key role for critical infrastructure enterprises. Some investment will need to come from government programs for smaller entities, such as water utilities deemed critical infrastructure. Funding could be split between state/local and federal governments, much as the states fund the National Guard while the federal government funds the defense budget.

In some sense the network and communication side of these assets is a new attack surface. We already spend a defense budget to protect against physical attacks, so it makes sense to fund protection against online threats as well.
