Ransomware Threat To Critical Infrastructure Is A New Priority

By: Danielle Jablanski

Governments and providers of critical services have observed a barrage of ransomware attacks on the healthcare sector with growing concern for their own operations. In a ransomware attack, hackers infiltrate an organization’s critical systems or data and hold it hostage as a means of extorting payment. Often, the identity of the attacker remains unknown for months after the attack. On November 16, 2020, Americold, one of the largest cold storage warehouse chains in the US, became ransomware’s latest victim. The attack affected Americold’s communications, inventory, and operations, which is particularly concerning as cold storage facilities will be integral to the rollout of COVID-19 vaccines.

US Government Proposes Sharper Cybersecurity Policy in 2020

This attack brings three recent federal mandates into greater focus. In May 2020, President Trump signed an executive order directing the US Department of Energy to work with the private sector to address threats to the bulk-power system (BPS), defined as facilities and control systems necessary for operating interconnected transmission networks. The executive order targets foreign adversaries by placing restrictions on the procurement of BPS components as a function of stricter cybersecurity measures, requiring increased public-private cooperation to be successful.

In October, the US Department of the Treasury’s Office of Foreign Assets Control issued guidance on ransomware incident response dissuading payment. It suggests that an organization may be held liable for aiding and abetting a sanctioned entity “even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited.” This advisory is an attempt to thwart lucrative and expanding ransomware attacks; however, it may result in longer and more expensive remediation depending on the ramifications of halted business operations for the victim.

The IoT Cybersecurity Improvement Act of 2020, which passed unanimously in the Senate on November 17, establishes baseline cybersecurity provisions for federal IoT devices. This bill sends a clear message to vendors that rushing to market without security and privacy considerations is no longer a viable business model. However, this bill could signal a boon for vendors in major critical infrastructure markets that are adopting widespread IoT innovations for edge computing, asset management, consumption monitoring, field operations, and more.

What Should Critical Infrastructure Owners and Operators Do?

As the government works to combat overarching cybersecurity risks to critical infrastructure, the bottom line is that cybersecurity decisions are business decisions. Businesses cannot wait to invest until after a major incident. Guidehouse Insights recommends that executives consider the following:

• Even if your cybersecurity budget and spend are low, designate leaders within your organization who are responsible for being in the know about your own networks and endpoints and the broader global threat landscape.
• Your cyber risk profile is unique to your organization. Global trends may not always pair exactly to your top risks. Many organizations fear a WannaCry scenario where ransomware spreads indiscriminately from system to system through a computer worm and may overlook the potential for a surgical attack on their organization.
• Consider outliers statistically as part of risk assessments. If the worst-case, least likely scenario is just that, it may not fit into your day-to-day security strategy, priorities, and budget decisions.
• Consider avenues for sharing information, even with competitors, about similar threats, challenges, and trends. Awareness is key.

Implementing policy and regulation only goes so far, as cyber criminals and foreign adversaries continue to adapt their tactics to meet objectives. The onus is on managers of critical infrastructure to take cybersecurity seriously and to begin taking a holistic approach to securing critical systems and data. For electric utilities, Guidehouse Insights suggests starting with its new report, Hardening and Securing Utility Control Systems.