We're Better Together

When the power goes out, whether from man-made or natural causes, critical systems go down, communications are hindered, water purification systems cease, refrigerators for food, medicine and vaccines become idle, emergency services, hospitals, banks, businesses, and community services are paralyzed.

Now imagine the grid fails as part of a larger strategy to cripple the nation. With the grid down, the vulnerabilities of our infrastructure would be exposed, and life as we have become accustomed to it would be lost. Uncertainty creates anxiety, and chaos would ensue, weakening national security. Sound like the movie plot of a thrilling summer blockbuster? Or is this reality just a few mouse clicks away?

In 2015, the University of Cambridge put out a risk report exploring what might happen if part of the United States power grid went down. Based on their analysis, we could expect economic loss, an end to the insurance industry, and interruptions in communications, transportation and basic necessities. As this information age rages, protecting our data is quickly becoming more and more difficult. By 2025, humanity's collective data will reach 175 zettabytes -- the number 175 followed by 21 zeros. Since cybercriminals hope to acquire and manipulate information, keeping it secure is imperative.

How Real is the Threat?

  • Security attacks increased 31 percent from 2020 to 2021, according to Accenture's "State of Cybersecurity Resilience 2021" report.  
  • Ransomware attacks, like the Colonial Pipeline attack, increased 100 percent in the first half of 2021, according to cybersecurity firm Fortinet.
  • Chinese state-sponsored hackers targeted India's power grids. "We believe this targeting is instead likely intended to enable information-gathering surrounding critical infrastructure systems or is pre-positioning for future activity," according to a report from cybersecurity firm Recorded Future.
  • Utility companies and key oil and gas transportation hubs are on high alert as Russian hackers have been probing energy infrastructure’s digital networks for weak points. “We are on super high alert,” said Thad Hill, CEO of Texas power giant Calpine, adding that he has been closely monitoring Russia’s cyber actions. Texas may be targeted to halt or slow oil and gas shipments or to diminish production of a refinery’s products. “Texas has some key export facilities for liquid natural gas — at a national security level, there are a couple sites that we all freak out about,” said Robert M. Lee, Chief Executive Officer and Co-Founder of Dragos, Inc. “If you took down one site, you don't get fuel exports out to certain countries.” However, Chris Bronk, a cybersecurity professor at the University of Houston, is more concerned about an attack on electrical systems.
  • Schneider Electric and Omron were compromised by the infamous 'Pipedream' electrical grid malware. The malware was detected by U.S. security firm Dragos earlier this year but has not been found 'in the wild,' that is, not yet active or found on devices belonging to users.
  • According to the Department of Homeland Security, advanced technology in quantum computing poses new risks of breaking encryption methods widely used to protect data.  

Knowing is Only Half the Battle.  

Addressing the threat and taking preventative measures is the next step. Top cybersecurity firms monitor and report vulnerabilities and holes in a company’s cyber-defenses. However, security firms are not bulletproof. Cybersecurity firm Palo Alto Networks informed customers about several vulnerabilities that could allow a malicious actor to disable its products. Security services must be monitored consistently, upgraded and kept on constant alert. With all the data we are creating, there is only one place large enough to store 175 zettabytes, and that’s the cloud. John Morello, VP of Prisma Cloud at Palo Alto Networks, wrote in a report that “an organization can never expect to be secure in the cloud due to its very nature: dispersed, rapidly evolving, and dynamically fluctuating within an organization.” He links the remedy to limiting access with effective identity and access management (IAM) policies. IAM technologies ensure that the right users have the appropriate access to technology resources.

A Fortinet survey recently found that 73 percent of organizations had at least one intrusion or breach that can be partially attributed to a gap in cybersecurity skills. Something as simple as employee training can close the gaps in security. “At Fortinet we believe that all organizations should deploy awareness programs for all employees or users to truly protect their most important digital assets and as part of their security strategy,” said David Lorti, Fortinet’s director of product marketing, in a blog post. They aim to change employee behavior, making them ‘more cyber aware.’ “Employees are constantly sharing data, and might not even know when they do so in a way that violates internal or external data compliance standards,” Hank Schless, senior manager, security solutions at Lookout, said. “Making employees aware of what qualifies as sensitive data, what the risks are of accessing that data from personal devices, and the tactics that attackers use to get their hands on it is a critical first handful of steps to take.”

Takes One To Know One 

DHS Secretary Alejandro Mayorkas made a real push with several initiatives to increase security. 

  1. To elevate the fight against ransomware.
  2. To build a more robust and diverse cybersecurity workforce.
  3. To mobilize action to improve the resilience of industrial control systems, in light of the 2021 breaches at Colonial Pipeline and a Florida water treatment facility.
  4. To increase the cyber resilience of the Nation’s transportation systems – from aviation to rail, pipelines, and the marine transport system.

In May 2021, Mayorkas launched a program to hire 200 new cybersecurity personnel across the Department by July 1. By the end of the sprint, the Department of Homeland Security had hired and onboarded 293 cyber professionals. Most notably, the DHS developed an Honors Program to recruit recent graduates with degrees in cybersecurity-related fields. Most hackers don't earn very much money. According to a study by the Institute for Application Security in Germany, the average data miner earns less than $6 per day. But high earners can make more than $166,000 on a single hack. While a government job can’t compete with the high-end earners, it can definitely offer a decent wage for an honest day’s work.

Better Together

To reduce the threat and prevent crippling attacks, how soon should public policy step in? Would companies welcome the help or resent the gesture? U.S. government agencies already have preparedness plans for disasters, emergencies and cyberattacks. Taking a more aggressive role in building cyber-defenses, Biden put cybersecurity as a top priority at all levels of the government. The Department of Homeland Security (DHS) hopes ‘to build a culture of preparedness through insurance, mitigation, continuity and grant programs.’ They will also identify opportunities to strengthen infrastructure resilience through partnerships, in both the public and private sectors. The Department of Energy (DOE) announced a partnership with cybersecurity provider Dragos, Inc., to improve security and increase visibility through an information-sharing network called Neighborhood Keeper. “As we continue to advance initiatives to improve cybersecurity situational awareness and joint collaboration, DOE applauds Dragos for building this community and its willingness to collaborate with DOE in the spirit of collective defense and national security,” said Puesh Kumar, Director of DOE's Office of Cybersecurity, Energy Security, and Emergency Response. The concept of sharing information may be the key to catching cybercriminals, just like the invention of the car radio has helped police since 1929.

When the power is out as the result of a natural disaster or equipment failure, contingencies go live.  Utility companies send out crews and provide customers with an ETA on restoration.  When a utility is hit with a cyberattack, let’s hope they’re ready.  The United States Cybersecurity & Infrastructure Security Agency (CISA) launched The Regional Resiliency Assessment Program (RRAP) to assess specific critical infrastructure with security issues.  The program is driven by strong partnerships with federal, state, local and territorial government officials as well as private sector organizations like utility providers.  ‘Investing in critical infrastructure that can withstand and quickly recover from any and all threats is essential to maintaining the nation’s economy, security, and health.’