What if you couldn’t use the technological systems on which you rely every day? I’m not referring to your smartphone or laptop computer, but all of the systems that many of us take for granted and don’t think about.
What if you weren’t able to turn on the lights or power your refrigerator? What if you couldn’t reach emergency services when you dialed 911? What if you couldn’t get into your bank account, get safe drinking water, or even flush the toilet?
Critical infrastructure, according to Canada’s National Strategy for Critical Infrastructure, refers to the processes, systems, facilities, technologies, networks, assets, and services that are critical to the public’s health, safety, security, or economic well-being, as well as the effective operation of government.
Disruptions to these systems, particularly those caused by cyberattacks, can have disastrous consequences. This is why these systems are referred to as critical infrastructure.
Table of Contents
A Series of Assaults
The vulnerability of critical infrastructure has received a lot of attention in the last six months. This has been fueled by a series of high-profile cyberattacks on critical infrastructure sectors.
It was revealed that CNA Financial Corp., one of the largest insurance companies in the United States, was the victim of a ransomware attack in late March 2021. As a result, the company’s systems and networks were disrupted.
A ransomware attack on Colonial Pipeline halted plant operations for six days in May 2021. The attack caused a fuel shortage and price increases in the eastern United States.
A ransomware attack hit JBS USA Holdings, Inc., one of the world’s largest meat producers, a few weeks later, in June 2021. This attack disrupted supply chains in Canada, the United States, and Australia.
In June 2021, the Martha’s Vineyard and Nantucket Steamship Authority was the victim of a ransomware attack, which disrupted ferry services and caused delays.
Insecure Infrastructures
On October 14, 2021, the United States Cybersecurity and Infrastructure Security Agency issued Alert AA21-287 in response to cyberattacks on the financial, gas, food, and transportation sectors.
The alert highlights the vulnerability of yet another critical infrastructure sector. It warns of “ongoing malicious cyberactivity” directed at water and wastewater treatment plants. Exploits of internet-connected services and outdated operating systems and software, as well as spear phishing and ransomware attacks – all of which have been seen in recent cyberattacks – are examples of these activities.
According to the alert, these cyber threats could have an impact on water and wastewater facilities’ ability to “provide clean, potable water too, and effectively manage their communities’ wastewater.”
Factors of Vulnerability
The importance of combating cyber threats to critical infrastructure is widely acknowledged. However, today’s infrastructure is far from secure. This is due to several interconnected factors that combine to form a perfect storm of exposures.
To begin with, many of our most critical systems are extremely complicated. As the number of devices and connections in these systems increases, so does their complexity.
Second, many of these systems combine insecure, out-of-date legacy systems with new technologies. These new technologies promise advanced analytics and automation, among other things. They are, however, sometimes linked and used in insecure ways that the original designers of the legacy systems could not have imagined.
Taken together, these factors indicate that these systems are far too complex to be fully comprehended by a single person, a group of people, or even a computer model. This makes it difficult to identify flaws that, if exploited – accidentally or intentionally – could result in system failures.
Examining real-world complexities
We are developing solutions to address the fragility of critical infrastructure in Carleton University’s Cyber Security Evaluation and Assurance (CyberSEA) Research Lab. The goal is to increase the security and resilience of these critical systems.
The complexities of critical infrastructure can result in unexpected or unplanned interactions between system components, referred to as implicit interactions.
The use of implicit interactions has the potential to have an impact on the safety, security, and dependability of a system and its operations. Implicit interactions, for example, can cause system components to interact in unexpected – and often undesirable – ways. As a result, unpredictability in system behavior allows attackers to damage or disrupt the system and its operations.
At CyberSEA, we recently performed a cybersecurity analysis on a real-world municipal wastewater treatment system, identifying and measuring characteristics of the system’s implicit interactions. This was part of our ongoing research, which was conducted in collaboration with the University of Illinois at Urbana-Critical Champaign’s Infrastructure Resilience Institute.
Our analysis discovered a significant proportion of implicit interactions in the system, with approximately 28% of these identified vulnerabilities indicating that they were ready for attackers to exploit and cause damage or disruption in the system.
Glimmer of Hope
Implicit interactions were discovered in real-world critical infrastructure systems, according to our research. According to feedback from the wastewater system operators in our case study, our approaches and tools are useful for identifying potential security issues and informing mitigation efforts when designing critical systems.
This could be a ray of hope in the fight against critical infrastructure cyber threats. It is necessary to continue developing rigorous and practical approaches to address increasingly critical issues in designing, implementing, evaluating, and assuring the safe, secure, and reliable operation of these systems.
A more robust infrastructure will result in fewer threats to our security and access to services, ensuring our well-being as well as the efficient operation of our governments and society.