The Process-Oriented View: CISO Visibility During an OT Attack

When a cyber incident occurs in an operational technology (OT) environment, understanding what is actually happening can become difficult. Control systems may continue to display normal readings even if attackers have begun manipulating logic or feedback within Programmable Logic Controllers (PLCs) or Human-Machine Interfaces (HMIs). Operators see stable values while underlying conditions start to diverge from what is shown on screen.

If process data at the controller level is falsified, every connected monitoring and cybersecurity tool reflects the same false picture. At that point, the Chief Information Security Officer (CISO) and operations team lose reliable visibility into the physical process that underpins production and safety.

The choices that follow each carry risk:

  • Shutting down operations may prevent escalation but could also cause costly downtime if the intrusion is contained to the network.
  • Continuing to operate may expose critical assets to damage if the manipulation extends to the process layer.

A recent cyber event at Norway’s Risevatnet dam illustrates this limitation. During the incident, operators lost visibility into parts of the control system, yet intrusion detection and monitoring tools reported no anomalies. The breach was discovered only when on-site personnel noticed irregular behavior in equipment operations.

This outcome points to a broader issue in OT cybersecurity. Network-based detection tools can confirm whether communication channels are functioning and whether traffic looks normal, but they cannot independently verify whether the process data carried on those channels is genuine. If attackers manipulate values within PLCs or HMIs, every connected dashboard, alarm and analytic layer inherits the same falsified values. In effect, the system goes blind at the moment visibility is most needed.

The Risevatnet case shows how quickly a cybersecurity failure can become an operational one. When control room data appears normal, incident response slows and decisions depend on incomplete or misleading information. Without a way to validate what is happening at the physical process level, teams must rely on manual observation or external cues, a reactive approach that offers no real protection in complex or distributed environments.

SIGA’s SigaML², available through Carahsoft, addresses this visibility gap by providing an independent, out-of-band view of the industrial process. The system samples the raw electrical signals at the field I/O, below the controller, so a compromised PLC or HMI has no opportunity to rewrite them, and applies multi-level analytics across Purdue Levels 0–4 to detect anomalies and false-data injections in real time.

Its components work together to create an evidence-based view of the process:

  1. SigaGuard sensors capture raw electrical data directly from equipment.
  2. SigaGuardX software correlates Levels 0–4 information to identify inconsistencies and possible manipulations.
  3. S-PAS simulation tools allow cybersecurity and operations teams to rehearse attack scenarios and refine incident response playbooks.

These capabilities give CISOs and plant operators verifiable insight during an active incident, helping determine whether an event is operational or cyber in nature and guiding containment or recovery actions.
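The cross-layer check the components above describe, reduced to its essentials as an added illustration; this is not SIGA's code or analytics. It assumes a 4-20 mA tank level transmitter whose loop current is sampled independently of the PLC, and every value in it is constructed. A network-only plausibility check (values in range, not frozen) passes a replayed window of old PLC output, while comparing the reported values against the independent measurement flags the divergence within three samples. The independence of the Level 0 data holds only as long as the signal tap itself is physically protected, which is the caveat to keep in mind when treating it as ground truth.

```python
"""Cross-layer consistency check between a PLC-reported process value and an
independent Level 0 measurement of the same signal.

Added illustration of the idea behind out-of-band process validation; this is
not SIGA's algorithm, and all sample data below is constructed.
"""

# Constructed sample: a tank level loop sampled once per second.
# REPORTED is the level (%) the PLC publishes to the HMI and historian.
# RAW_MA is the 4-20 mA loop current measured directly on the transmitter
# wiring, i.e. below the controller, so the PLC cannot alter it.
# Samples 0-9: normal operation. Samples 10-19: the PLC's published output
# is a replay of the first ten seconds while the real level climbs toward
# overfill.
_NORMAL_PCT = [48.0, 48.5, 49.0, 49.5, 50.0, 50.5, 51.0, 50.5, 50.0, 49.5]
_ACTUAL_PCT = _NORMAL_PCT + [55.0, 60.0, 65.0, 70.0, 75.0,
                             80.0, 85.0, 90.0, 95.0, 98.0]


def percent_to_ma(pct):
    """Scale a 0-100 % level onto a 4-20 mA current loop."""
    return 4.0 + pct / 100.0 * 16.0


def ma_to_percent(ma):
    """Inverse of percent_to_ma: loop current back to a level in %."""
    return (ma - 4.0) / 16.0 * 100.0


REPORTED = _NORMAL_PCT + _NORMAL_PCT              # replayed window
RAW_MA = [percent_to_ma(p) for p in _ACTUAL_PCT]  # what is really on the wire


def network_plausibility(reported, stuck=5):
    """What a network-only monitor can check: each published value is in
    range and has not been frozen for `stuck` consecutive samples.
    Returns the indices of samples that fail."""
    alerts = []
    run = 1
    for i, value in enumerate(reported):
        if not 0.0 <= value <= 100.0:
            alerts.append(i)
            continue
        run = run + 1 if i > 0 and value == reported[i - 1] else 1
        if run >= stuck:
            alerts.append(i)
    return alerts


def cross_layer_check(reported, raw_ma, tol_pct=2.0, consecutive=3):
    """Flag a sample when it and the previous `consecutive - 1` samples all
    differ from the independently measured level by more than tol_pct.
    Requiring a short run filters transmitter noise and sampling jitter."""
    alerts = []
    run = 0
    for i, (published, ma) in enumerate(zip(reported, raw_ma)):
        run = run + 1 if abs(published - ma_to_percent(ma)) > tol_pct else 0
        if run >= consecutive:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    print("network-only alerts:", network_plausibility(REPORTED))
    print("cross-layer alerts:  ", cross_layer_check(REPORTED, RAW_MA))
```

The replay evades the network-only check because every published value is in range and keeps changing; only the comparison against the independently sampled loop current reveals that the HMI picture has detached from the physical process. The tolerance and run length are tuning parameters: they should be set from the transmitter's accuracy and the loop's sampling rate, not left at the illustrative defaults.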

Regulatory frameworks including the Network and Information Security Directive 2 (NIS2), the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the latest National Institute of Standards and Technology (NIST) guidance, such as SP 800-82, the Guide to Operational Technology Security, highlight the importance of process-level monitoring and validation.

As oversight expands, CISOs and plant operators are expected to provide verifiable evidence of what occurred during an event, not just network logs or alarms. Meeting that requirement depends on having data sources that remain trustworthy even when control networks are compromised.

SigaML² provides that capability, giving security and operations teams a direct, unaltered view of the physical process when clarity matters most.

Explore how SIGA’s cyber-physical security solutions empower CISOs with greater visibility during OT attacks. Visit Carahsoft’s SIGA solutions page to discover how your agency can enhance its infrastructure resilience.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SIGA, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Securing Operational Technology with Cyber-Informed Engineering

Cyber-Informed Engineering (CIE) is an initiative by Idaho National Laboratory with funding from the Department of Energy (DOE). The goal of CIE is to secure physical operations through the combination of cybersecurity and engineering approaches. Today, engineering mitigations are used from time to time to address cyber risks but are used neither universally nor systematically. CIE recognizes the importance and necessity of using both engineering tools and conventional cybersecurity designs to secure operational technology (OT) networks.

Protecting Critical Infrastructure

Access to OT information from IT networks, very often through PI servers, is essential to many kinds of business automation, such as automatically ordering spare parts or scheduling maintenance crews. However, because all modern automation involves computers, every process a business automates is another target for cyberattack. Data in motion is the lifeblood of modern automation, but every cyber-sabotage attack on an OT system arrives as information, and every connection between IT and OT networks is an opportunity for an attack to spread. The more automation is deployed, the more targets exist and the more paths there are to reach them. Cybersecurity becomes steadily more pressing as businesses automate.

The IT/OT boundary, where PI servers tend to be deployed, is very often a consequence boundary. Worst-case consequences on the OT network are very often dramatically different and more severe than consequences on IT networks. Worst-case business consequences often include expensive incident response costs, such as businesses having to buy identity fraud insurance for customers whose information was leaked into the Internet. On the other hand, worst-case consequences for OT networks in a power plant or a high-speed passenger rail switching system often include threats to worker and public safety, or to the availability of critical infrastructure services to the nation. When worst-case OT consequences are unacceptable, engineering-grade protections must be deployed at the IT/OT interface to prevent worst-case scenarios from being realized.


Conventional OT Security Programs

Using exclusively IT style mitigations to protect critical OT networks is often not enough—when public safety or critical infrastructures are at risk, it is not enough to hope that cyberattacks can be detected before they compromise critical infrastructure. It is not enough to hope that if detected in time, an incident response team can be assembled fast enough to prevent consequences. Engineering-grade designs are expected to reliably perform critical physical operations within a specified threat environment until the next scheduled opportunity to upgrade defenses, with a large margin for error.

The Threat Landscape

Remote-controlled attacks are the modern attack pattern used by hacktivists, ransomware criminals and nation-states. Modern remote-controlled attacks use social media research and clever phishing emails to trick potential victims into revealing passwords or opening malicious attachments. Once remote attackers gain a foothold in their target network, they control the compromised machine remotely, using it to attack other machines through layers of firewalls, including the IT/OT firewalls deployed to send OT data into PI servers to enable IT/OT integration. Attackers then repeat, spreading further until they reach essential OT systems or valuable information that a business would be willing to pay to recover.

‘Living off the land’ is a variant of the remote-controlled attack seen increasingly often. After gaining a foothold in an IT network, attackers erase the traces of their entry, including any malware used to gain the foothold. Eventually they compromise the IT domain controller and create their own remote access and credentials. Logins with these new accounts look like a normal employee at work, and because the attackers use ordinary operating system tools rather than malware, no alarms are raised and they are extremely difficult to detect.

Unbreachable Protection with Unidirectional Gateways

In the face of sophisticated remote-control attacks, safe integration of critical OT networks with PI servers and other business automations must involve network engineering. The most common approach to network engineering is to protect the IT/OT consequence boundary with a Unidirectional Gateway. The gateways are a combination of hardware and software; the software makes copies of PI and other OT servers from OT networks, while the hardware allows information to travel in only one direction, from the OT network out to the IT network. The gateways move OT data out to where the enterprise can use it while preventing any remote-control attacks or attack information getting back through into the OT network. Even if a deceived insider carries a piece of malware into an OT network and inadvertently activates it, that malware cannot connect out to the Internet through the gateway, much less receive any attack commands from the Internet.

Increasingly, critical infrastructures are expected to have OT networks that operate reliably and independently of the IT network, even when the IT network is compromised. A Unidirectional Gateway provides OT data to PI servers and other business automation, with no ability for malware, remote-control commands or other attack information to penetrate the gateway into operations. By eliminating the risks associated with firewalls at the IT/OT consequence boundary, industrial enterprises can be confident of the integrity of their OT systems, even in the face of the most sophisticated of modern, network-based attacks.

As Cyber-Informed Engineering emerges as the most important change in OT security in a decade, Waterfall Security’s Unidirectional Security Gateways, certified to be truly unidirectional, are leading the world in safe IT/OT and OT/cloud integration, even in the face of the most sophisticated of cyber threats. Watch our webinar “Cyber-Informed Engineering for OT Security and AVEVA PI Users” to see how Waterfall’s solutions enable safe IT/OT integration and protect safe and reliable physical operations, especially for AVEVA PI installations.

Critical Infrastructure in Cybersecurity: Innovation for the Transportation Sector

In 2021, the presidential administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, aiming to bolster the cybersecurity posture of critical infrastructure in the United States. Various agencies, such as the Transportation Security Administration (TSA), Department of Transportation (DOT) and the Cybersecurity and Infrastructure Security Agency (CISA), have been working to continuously improve the security of the transportation sector, which oversees the movement of people and goods across the country.

The Transportation Sector

Within the transportation sector, initiatives have been taken to help fund cybersecurity improvements in an array of subsectors. The transportation sector includes:

  • Aviation: Approximately 450 commercial airports, 19,000 airfields, air traffic control systems, heliports, landing strips, joint-use military airports, sea plane bases, manned and unmanned recreational aircraft and flight schools[1]
  • Highway and motor carriers: Roadways, bridges, tunnels, commercial vehicles such as motorcoaches and school buses, and traffic management systems
  • The maritime transportation system: Approximately 95,000 miles of coastline, 361 ports and over 10,000 miles of navigable waterways
  • Mass transit and passenger rail: Terminals, operational systems, transit buses, monorails, trolleys and rideshares
  • Pipeline systems: Carriers of natural gas, hazardous liquids and various chemicals
  • Freight rail: Major carriers, smaller, active railroads, freight cars and locomotives
  • Postal and shipping: Regional and local couriers, mail management firms, charters and delivery services[2]

Security Directives

Due to persistent threats to the cybersecurity of critical infrastructure, including the transportation sector, the TSA issued multiple security directives for various transportation types, including railways and pipelines. These new directives require agencies to develop approved implementation plans that will help improve cybersecurity resilience, proactively assess the effectiveness of cybersecurity measures and prevent the deterioration of infrastructure.

The directives also require that entities regulated by the TSA proactively implement the measures they describe, including to:

  • Develop network segmentation policies and controls so that Operational Technology (OT) systems can continue to operate safely even when an IT system has been compromised
  • Prevent unauthorized access to critical infrastructure systems by implementing access control measures
  • Identify vulnerabilities and implement security patches for operating systems, applications, drivers and firmware to reduce the risk of exploitation
  • Detect malicious software and unauthorized access on Information Technology (IT) or OT systems and report designated incidents to CISA
  • Isolate infected systems from uninfected systems to limit the spread of malware, deny further access and to preserve evidence of compromise[3]

A similar initiative, introduced by the DOT in 2022, aims to improve security awareness amongst employees. All DOT network users are required to complete the DOT’s Security Awareness Training, which is inspired by various federal requirements and the DOT Order on Department Cybersecurity Policy. The training measures employees’ knowledge in cybersecurity, including password and PIN protection and basic security for information systems.[4]

By striving to improve the security posture of the transportation sector, the TSA, DOT and CISA endeavor to protect the safety of the nation.

Cybersecurity Funding for the Future

The DOT has also introduced measures to improve the national security posture. Leveraging funding from the Bipartisan Infrastructure Law, U.S. Transportation Secretary Pete Buttigieg announced up to $45 million in grants for University Transportation Centers (UTCs). These grants will be used to improve the cybersecurity resilience of agencies affiliated with roads, bridges, rail, shipping and airspace. One of these grants will go to Clemson University to lead a consortium focused on cybersecurity research and development. Another will go to Prairie View A&M University to improve technology in the transportation system, including data related to artificial intelligence and environmental resilience.[5]

Ever since the Colonial Pipeline attack of 2021, as well as other attacks on the cybersecurity of critical infrastructure of the United States, various agencies have done their part to improve the nation’s security. Through CISA’s hard work to create cybersecurity guidelines and cross-sector performance goals and the Federal Government’s generous grants, the nation’s critical infrastructure is postured to increase security and resolve potential crises.

This blog is the final installment in our four-part series, which examines cybersecurity initiatives inspired by The White House’s National Security Memorandum. The first three parts covered the basics of critical infrastructure cybersecurity, an overview of the Water and Wastewater Sector, and an overview of the Electric and Utility Sector.

 

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio. 

 

Resources:

[1] “National Infrastructure Protection Plan,” Transportation Systems Sector, https://www.dhs.gov/xlibrary/assets/nipp_transport.pdf

[2] “Transportation Systems Sector,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector

[3] “Security Directives and Emergency Amendments,” Transportation Security Administration, https://www.tsa.gov/sd-and-ea

[4] “FY 2022 Department of Transportation Security Awareness Training,” Federal Motor Carrier Safety Administration, https://www.fmcsa.dot.gov/safety/fy-2022-department-transportation-security-awareness-training

[5] “U.S. Department of Transportation Funds Innovative Research Providing Vital Training for Next Generation of Transportation Leaders,” U.S. Department of Transportation, https://www.transportation.gov/briefing-room/us-department-transportation-funds-innovative-research-providing-vital-training-next

Critical Infrastructure in Cybersecurity: Modernizing the Electric and Utilities Sector

After the ransomware attack on Colonial Pipeline in 2021 and other notable events, the presidential administration has worked to improve the cybersecurity posture of critical infrastructure in the United States. Several Government agencies, such as the Department of Energy (DOE) Office of Cybersecurity, Energy Security and Emergency Response (CESER), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), together with the private sector Electric and Utility industry, have joined to refine and boost cybersecurity in the Electric and Utilities sector.

Standards for the Electric and Utility Sector

In 2021, the White House issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, an initiative that aims to safeguard the critical infrastructure of the nation. The Memorandum specifies that the Electricity Subsector was the pilot effort in its Initiative. In response to the Memorandum, at least 150 electric utilities have adopted or committed to adopt operational technology (OT) and Industrial Control Systems (ICS) security technologies that improve the visibility, detection and monitoring of critical electricity networks. Further reinforcing the memo, in March 2023 the Administration released the National Cybersecurity Strategy, which aims to build a defensible, resilient digital ecosystem.

Control systems experts working with DOE CESER, CISA and the NSA have developed a set of ICS security considerations. These considerations aim to enhance the detection, mitigation and forensic capabilities available to OT owners and operators.

The considerations for ICS/OT cybersecurity monitoring technologies are recommendations rather than mandates. They include, but are not limited to:

  • Building technology for ICS networks with integration compatibility for ICS protocols and communications
  • Adding sensor-based continuous network cybersecurity monitoring, detection and facilitation of response capabilities for both ICS and OT
  • Creating a collective defense capability framework for software so that Federal Government partners and trusted organizations can share insights and detections
  • Utilizing passive deployment and isolation technologies to protect sensitive information
  • Securing technology against access credential misuse[1]

These guidelines aim to improve system security and visibility with Government partners.

Financing the Security Movement

To help fulfill the National Security Memorandum’s promise, the Bipartisan Infrastructure Law, signed by the current administration, authorizes up to $250 million to enhance the cybersecurity resilience of rural, municipal and small private electric utilities. The Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) Program uses that authority to help improve energy systems, processes, assets, incident response and cybersecurity skills in the workforce of eligible utilities. Nearly one in six Americans live in remote or rural communities with inadequate funding and infrastructure for updated technology and modern systems.[2] The RMUC Program pledges financial and technical assistance to help these communities, as well as small investor-owned electric utilities, improve vital security functions such as operational capabilities and to provide access to cybersecurity services and threat-sharing programs. In August 2023, the program announced a prize pool of $8.96 million in competitive funding and technical assistance to enable municipal and small investor-owned utilities to advance their training and cybersecurity.[3]

By financing cybersecurity for these utilities, RMUC helps ensure secure and reliable power for all customers and supports another of the current administration’s goals, a net-zero carbon economy by 2050.

Cleaning Up Energy

In developing the clean energy sector, the Administration aims to shape the digital ecosystem to be more defensible, resilient and aligned with American values. This strategy invests in the future by defending the energy sector and reinforcing clean-energy critical infrastructure.[4] To support clean energy through cybersecurity innovation, the Clean Energy Cybersecurity Accelerator (CECA) will make cybersecurity accessible through collaboration between public and private expertise. To do so, CECA assesses ICS assets connected to a utility’s infrastructure. Any ICS with potential wide-reaching impact is evaluated against physical and virtual attacks in a test lab, allowing CECA to identify and remediate the weaknesses it finds. Aiming to achieve carbon-free electricity by 2035, the DOE has announced hundreds of funding opportunities, including funding for the Office of Fossil Energy and Carbon Management (FECM).[5]

Through the collaboration of several key Government agencies and the tech industry, the Electric and Utilities sector is on the way to being secure, reliable and accessible to all.

The first two parts of this four-part blog series covered the basics of critical infrastructure cybersecurity, as well as an overview of the Water and Wastewater Sector. Following this third part, the fourth and final blog will dive deeper into the Transportation sector.

 

To learn more about how agencies can bolster their cybersecurity efforts within critical infrastructure, visit Carahsoft’s Cybersecurity Solutions Portfolio.

Sources

[1] “Considerations for ICS/OT Cybersecurity Monitoring Technologies,” Office of Cybersecurity, Energy Security and Emergency Response, https://www.energy.gov/ceser/considerations-icsot-cybersecurity-monitoring-technologies

[2] “Biden-Harris Administration Launches $250 Million Program to Strengthen Energy Security for Rural Communities,” Department of Energy, https://www.energy.gov/articles/biden-harris-administration-launches-250-million-program-strengthen-energy-security-rural

[3] “New Prize Supports Rural and Municipal Utilities in Strengthening Cybersecurity Posture,” NREL, https://www.nrel.gov/news/program/2023/new-prize-supports-rural-and-municipal-utilities-in-strengthening-cybersecurity-posture.html

[4] “Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

[5] “Funding Notice: Critical Materials Innovation, Efficiency and Alternatives,” Energy.gov: Office of Fossil Energy and Carbon Management, https://www.energy.gov/fecm/funding-notice-critical-materials-innovation-efficiency-and-alternatives

The Basics of Cybersecurity for Critical Infrastructure

In July 2021, the presidential administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As these systems are a part of daily life, any damage to them would be a significant threat to national security. To prevent a national crisis, the administration launched an effort to improve cybersecurity across critical infrastructure sectors. The first part of this four-part blog series will cover the basics of critical infrastructure cybersecurity. Subsequent blogs will dive deeper into the Water and Wastewater, Electric and Utility and Transportation sectors respectively.

Realities of Critical Infrastructure Environments

Strengthening Industrial Control Systems (ICS) security is a top priority for protecting critical US infrastructure and national security. An ICS is an information system used to control industrial processes such as manufacturing, product handling, production and distribution. These systems face a variety of threats from foreign and domestic bad actors who aim to gather intelligence and disrupt critical functions. As technology evolves, ICS operators must ensure that they implement new cybersecurity controls when connecting Operational Technology (OT) and Internet of Things (IoT) devices to Information Technology (IT) systems.

Best security practices for ICS include:

  • Restricting logical access to the system’s network and activity through protections such as firewalls that filter network traffic
  • Implementing unidirectional gateways
  • Restricting physical access to the ICS devices and network to avoid disruptions to the system’s functionality
  • Securing all ICS individual components
  • Protecting against unauthorized data changes through network oversight
  • Having a response plan for potential incidents[1]

CISA’s Cybersecurity Performance Goals

Section 4 of the National Security Memorandum required the Department of Homeland Security to create baseline cybersecurity guidelines.

To further advance this, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of initiatives for agencies to implement that would strengthen their security systems. Every day, CISA works with ICS asset owners and operators to help them identify, protect against and detect cybersecurity threats, as well as to enhance ICS technical, analytical and response capabilities. CISA is working hard with critical infrastructure organizations to improve on the common issues they see, including:

  • Without basic security protections and foundational measures, critical infrastructure systems are vulnerable to exploitation by methods that are easily preventable.
  • Limited resources continue to be a challenge for small- and medium-sized organizations.
  • Standards for cyber maturity are inconsistent across the various critical infrastructure sectors, leaving security gaps that can be exploited.
  • Cybersecurity in IT systems is prioritized, leaving OT systems overlooked and outdated.

CISA offers a wide array of resources to help critical infrastructure organizations. These include the 2022 Cybersecurity Performance Goals, the CPGs. The CPGs are voluntary and are not comprehensive: no agency is mandated to implement them, and they do not list every helpful cybersecurity practice for every organization. Rather, they are intended as a baseline that can be communicated to a non-technical audience, a set of cybersecurity practices that are broadly applicable across critical infrastructure and have known risk-reduction value for IT and OT owners. Lastly, the CPGs stand out from other control frameworks by considering not only practices that address risk to individual entities, but also the aggregate risk to the nation.[2]

The Cross-Sector Cybersecurity Performance Goals provide a set of IT and OT cybersecurity practices that will help organizations increase cyber resilience in their Critical Infrastructure systems. CISA has organized the practices into 8 categories:

  • Account Security
  • Device Security
  • Data Security
  • Governance and Training
  • Vulnerability Management
  • Supply Chain / Third Party
  • Response and Recovery
  • Other

In March 2023, CISA released an updated version of the CPGs with several key changes from the October 2022 release:

  • The CPGs have been reordered to fit the NIST CSF functions, and accompanying documents have been adjusted to reflect this.
  • The Multifactor Authentication (MFA) goal has been updated to reflect the most recent CISA guidelines.
  • To aid in organizations’ recovery planning, CISA added a goal based around GitHub feedback.
  • There were slight changes made to the glossary to not only reflect the previously listed changes, but to acknowledge additional stakeholders who’ve contributed to the guidelines.

To better connect with the greater community, there are now additional opportunities to provide input on the goals through the CPGs’ discussion page. CISA welcomes feedback from partners in the cybersecurity and critical infrastructure communities.

Check back to read our second installment of this critical infrastructure series that will cover the best cybersecurity practices in the water and wastewater sectors.

 

To learn more about protecting agencies against cyber-attacks, visit Carahsoft’s Cybersecurity Solutions Portfolio.

 

Resources:

[1] “Recommended Cybersecurity Practices for Industrial Control Systems,” CISA, https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf

[2] “Cross-Sector Cybersecurity Performance Goals,” CISA, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

Ransomware in Healthcare and Utilities

Carahsoft Ransomware Cybersecurity Blog Series Blog 2 Embedded Image 2023

The past two years have seen relentless cyberattacks employed by hostile nations to disrupt American security, public health and the economy. The current U.S. administration has announced its emphasis on fighting ransomware particularly within these critical infrastructures. New regulations are underway for 4 of the 16 sectors including healthcare and water, which is a part of the utilities sector.[1] In anticipation of the coming changes, here is a look into the current state of ransomware in healthcare and utilities, both of which have experienced some of the worst cyberattacks in recent years. By understanding the challenges in these fields, IT administrators can work to evaluate their individual organizational cybersecurity status and start to resolve issues before the enforcement of the new regulations begin.

USE CASE: HEALTHCARE

Unlike ransomware attacks on other sectors, cyberattacks within healthcare are threat-to-life crimes instead of economic crimes because they impede hospital operations and critical patient care. Ransomware attacks by foreign cybercriminals on hospitals are analogous to military strikes against healthcare facilities, which violate international warfare laws. Because of this, it is not only an IT system concern but a healthcare-wide risk that must be addressed with grave importance.

Recent Attacks

In 2020, the Universal Health Services network was hit by Ryuk ransomware, shutting down its IT systems and halting normal operations at roughly 250 hospitals. According to a Department of Health and Human Services (HHS) report, the incident ultimately cost $67 million in lost revenue and recovery costs, of which $26 million was covered by cyber insurance.[2]

The ransomware attack against Scripps Health in May 2021 cost the organization $112.7 million, with more than a month of cleanup and extensive revenue loss.[2] In response to the rise in attacks, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and HHS issued a joint advisory warning hospitals and health systems to be on alert and to strengthen their ransomware protection and emergency plans.[3]

Impact

Citing IBM Security's annual breach report, HHS put the average cost of a healthcare cyberattack at $10.10 million including ransom, business loss and remediation costs, making healthcare the most expensive sector for breaches across all industries.[4] This is 41.6% higher than in 2020.[2] Criminals target the healthcare sector because of the quantity and sensitivity of the data it holds. Hospitals are also particularly susceptible because of complex IT infrastructure, 24/7 operations and the reputational damage an outage causes, all of which make them more likely to pay a ransom. Many healthcare organizations also run large amounts of legacy equipment and software and share files extensively across many vulnerable endpoints. These are security concerns, but some of those older systems are also required for regular operations and for certain medical software to run.[4]

Beyond the immediate disruption of operations, these attacks expose millions of patient records. The impact of healthcare breaches on the general population more than tripled between 2018 and 2021, from 14 million people affected to over 45 million. According to HHS, healthcare institutions faced 373 ransomware attacks between January and July 2022.[2] Where healthcare access is already poor, the delayed care that follows a cyber disruption is felt even more. Northwell Health's Senior Vice President and Chief Quality Officer Mark Jarrett says: “Clinicians in general tend to think of this as an information technology issue, and it really isn’t. It’s a patient safety issue.”[5]


Post-Attack Measures

Because ransomware has been so successful against healthcare, many institutions seek cyber insurance to offset the cost. The high number of incidents, however, has made coverage harder to obtain until substantial cybersecurity defenses are in place.[6] While 79% of healthcare organizations carry cyber insurance, nearly all of them have had to improve their cybersecurity programs to maintain coverage, including adopting new technologies, expanding employee training and changing system processes.[6]

The Censinet and Ponemon Institute report, “The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” noted that most healthcare institutions budget 3-4% of IT spending for cybersecurity, while financial firms spend 6-14% on average to combat cybercrime.[7] When healthcare systems invest in more cyber defenses, the overall impact of ransomware is dramatically reduced. IBM Security's annual breach report found that organizations with fully deployed security measures had an average breach cost of $3.15 million versus $6.20 million for those without (a gap IBM reports as 65.2%), and a breach lifecycle of 249 days versus 323, 74 days shorter from detection through containment.[2] These results speak to the importance of comprehensive cybersecurity protection and remediation tooling in the healthcare sector.

USE CASE: UTILITIES

Like healthcare, the utilities sector finds ransomware attacks not merely costly and inconvenient: they impede critical infrastructure and have a wide impact radius covering public health, safety and the companies' bottom line. Utilities underpin every aspect of daily life through electricity, oil, water and natural gas.

Recent Attacks

In May 2021, the Colonial Pipeline attack brought ransomware in utilities to the forefront of public attention. The pipeline carries roughly 45% of the fuel consumed on the U.S. East Coast, and the shutdown produced steep price increases and public panic.[8] Within about two hours of gaining access, the attackers exfiltrated roughly 100 GB of data. The 5,500-mile pipeline system was shut down for six days while the company responded, and Colonial paid approximately $4.4 million in cryptocurrency as ransom. Reuters lists the event as the most disruptive ransomware attack on record.[9]

Following the Colonial Pipeline attack, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require covered critical infrastructure organizations to report a substantial cyber incident within 72 hours and any ransom payment within 24 hours once CISA's implementing rule takes effect. The goal is to increase information sharing and better equip the government to assist in these situations.[10]

Another significant 2021 attack occurred in Oldsmar, Florida, where an intruder reached the water treatment plant's network through a remote-access tool that was still installed but no longer in routine use, and raised the sodium hydroxide setpoint to roughly 100 times its normal level. Although an operator spotted the change and reversed it before water quality was affected, the event exposed how vulnerable U.S. water systems are because of minimal IT budgets, staffing shortages that delay maintenance, outdated security controls and other factors that let intruders operate unnoticed. Shortly after the Oldsmar news, three additional water treatment plant attacks across the country that had gone unreported came to light.[11] Research indicates that this is a consistent pattern: large attacks on well-known businesses get the headlines, but small organizations experience more ransomware attacks, and those commonly go unreported.[12] Their limited resources make smaller local governments and enterprises a preferred target, because recovering is harder for them and they are therefore more likely to pay the ransom quickly.[13]
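An added example, not code from the original post or from the Oldsmar facility: a guardrail that audits HMI setpoint writes against engineering limits, maximum step change and the origin of the write, run over constructed log lines. The tag name, the limits, the log format and the `local_` naming convention for on-site HMI stations are assumptions; the jump from 100 ppm to 11,100 ppm in the sample mirrors the values reported for Oldsmar.

```python
"""Range, step-change and source checks on HMI setpoint writes.

Added illustration; not code from the original post or from any plant.
Tag names, limits, log format and the 'local_' source convention are
assumptions. The sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical engineering limits per tag (ppm). In a real plant these come from
# the process engineers and live outside the HMI, so an attacker who controls the
# HMI session cannot also move the guardrail.
ENGINEERING_LIMITS: Dict[str, Tuple[float, float]] = {
    "NaOH_dose_ppm": (50.0, 200.0),
}
# Largest single-write increase tolerated, as a multiple of the previous value.
MAX_STEP_RATIO = 2.0

# Assumed write-log format: "<timestamp> src=<station> tag=<name> old=<v> new=<v>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)


@dataclass
class Finding:
    ts: str
    tag: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one write-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["old"] = float(ev["old"])
    ev["new"] = float(ev["new"])
    return ev


def check_write(ev: dict) -> List[str]:
    """Return the list of rule violations for a single setpoint write."""
    reasons: List[str] = []
    lo, hi = ENGINEERING_LIMITS.get(ev["tag"], (None, None))
    if lo is not None and not (lo <= ev["new"] <= hi):
        reasons.append(f"out of engineering range [{lo}, {hi}]")
    # A jump inside the band can still be abnormal; catch it by ratio.
    if ev["old"] > 0 and ev["new"] / ev["old"] > MAX_STEP_RATIO:
        reasons.append(f"step change x{ev['new'] / ev['old']:.0f} exceeds x{MAX_STEP_RATIO:.0f}")
    # Writes are expected from on-site stations only (assumed naming convention).
    if not ev["src"].startswith("local_"):
        reasons.append(f"write from non-local source {ev['src']}")
    return reasons


def audit(lines) -> List[Finding]:
    """Run every rule over every parseable line and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in check_write(ev):
            findings.append(Finding(ev["ts"], ev["tag"], reason))
    return findings


# Constructed sample: a routine on-site adjustment, then a remote-session write
# that pushes the dose setpoint far outside its band.
SAMPLE_LOG = [
    "2021-02-05T08:00:00Z src=local_hmi1 tag=NaOH_dose_ppm old=100 new=110",
    "2021-02-05T13:30:00Z src=remote_session tag=NaOH_dose_ppm old=100 new=11100",
    "unrelated line that does not parse",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.tag}: {f.reason}")
```

The check deliberately reads the write log (or the controller's own audit trail) rather than the HMI display, and compares against limits held outside the HMI configuration; that independence is the whole point when the HMI itself may be showing the attacker's values. The step-ratio rule exists because a value that lands inside the engineering band can still be an abnormal jump.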

Impact


These 2021 attacks came on top of already heightened scrutiny of utilities' security driven by Executive Order 13636, which led to the National Institute of Standards and Technology (NIST) Cybersecurity Framework in 2014,[14a] and by America's Water Infrastructure Act of 2018,[14b] which required water systems to complete risk and resilience assessments on a schedule running from March 2020 to June 2021, depending on system size.

Post-Attack Measures

Utilities often rely on a backup strategy that replicates systems to a second data center in case the primary fails. This works well for natural disasters, but an infection can be replicated along with the data: if backup copies are not segmented from production, ransomware encrypts or corrupts them too, and attackers deliberately go after backups first.
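An added example, not code from the page or from any backup vendor, showing one way to act on that warning: a gate that compares a candidate snapshot with the last known-good one before promoting it to the secondary site, and holds replication when the change pattern looks like mass encryption (abnormal churn combined with high-entropy content or ransomware-style renames). The thresholds, file names, file contents and the `.locked` suffixes are constructed assumptions.

```python
"""Promotion gate for backup snapshots: refuse to replicate what looks encrypted.

Added illustration, not the page's or any vendor's code. Thresholds, paths,
contents and suffixes are constructed assumptions.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

Snapshot = Dict[str, bytes]  # path -> file content at backup time

# Thresholds are assumptions; derive real values from the site's historical churn.
MAX_CHANGED_FRACTION = 0.30   # files changed or removed since the last good snapshot
ENTROPY_THRESHOLD = 7.5       # bits/byte; text and config sit around 4-5, ciphertext near 8
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(prev: Snapshot, curr: Snapshot) -> Tuple[bool, dict]:
    """Compare a candidate snapshot with the last known-good one.

    Returns (ok_to_replicate, evidence). Replication is refused only when the
    change volume is abnormal AND the changed content looks encrypted or renamed,
    so a large but legitimate config rollout does not trip the gate by itself.
    """
    changed = [p for p, data in curr.items() if prev.get(p) != data]
    removed = [p for p in prev if p not in curr]
    high_entropy = [p for p in changed if shannon_entropy(curr[p]) > ENTROPY_THRESHOLD]
    renamed = [p for p in curr if p.endswith(SUSPECT_SUFFIXES)]
    changed_fraction = (len(changed) + len(removed)) / max(len(prev), 1)

    evidence = {
        "changed_fraction": round(changed_fraction, 3),
        "high_entropy_files": len(high_entropy),
        "renamed_files": len(renamed),
    }
    suspicious = changed_fraction > MAX_CHANGED_FRACTION and bool(high_entropy or renamed)
    return (not suspicious, evidence)


def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed snapshots: ten plant-config files, then one routine edit, then an
# encryption event that renames every file and drops a ransom note.
PREV: Snapshot = {
    f"config/pump{i}.ini": f"[pump{i}]\nsetpoint=100\nmode=auto\n".encode() for i in range(10)
}

GOOD: Snapshot = dict(PREV)
GOOD["config/pump3.ini"] = b"[pump3]\nsetpoint=110\nmode=auto\n"

BAD: Snapshot = {f"{p}.locked": pseudo_ciphertext(4096, p.encode()) for p in PREV}
BAD["config/README_DECRYPT.txt"] = b"Your files are encrypted. Contact us to recover them.\n"


if __name__ == "__main__":
    for name, snap in (("routine edit", GOOD), ("encryption event", BAD)):
        ok, evidence = assess(PREV, snap)
        print(f"{name}: {'replicate' if ok else 'HOLD'} {evidence}")
```

Run the gate on the replication target in a pull model, with credentials the production hosts do not hold, and keep the previous snapshot immutable until a new one passes; if the gate runs on the primary, a compromised primary can simply skip it or overwrite the last good copy. That placement is the segmentation the paragraph above is asking for.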

Within the electric power sector, operational technology (OT) is widely distributed across sites and connected through dedicated cables, which gives additional control over the network. This, however, also widens the attack surface and limits the network's ability to reroute traffic to another safe location during a cyberattack, because the system is hardwired to be isolated.[15] Companies must not assume that direct lines are inherently secure, and should keep monitoring these systems, especially as the networks begin connecting to other systems. In addition to geographic and system complexity, many utilities have decentralized cybersecurity leadership, which can contribute to post-attack confusion and a lack of clarity about the recovery plan.[16]

Demonstrating the return on investment (ROI) of cybersecurity can be difficult until an attack has occurred, so experts make the case by pointing to the impact a compromised system has on the company and on the public.[9] In cybersecurity, success is ultimately demonstrated by the absence of incidents. In the past this led to reluctance to invest in necessary measures; that attitude is shifting as more companies commit to securing their systems and networks.

In July 2022, national security advisors announced that the Environmental Protection Agency (EPA) would soon institute additional cybersecurity requirements to defend the nation's water systems from hackers.[17] To prepare for these guidelines, companies within the utilities sector must evaluate their systems now and work to improve their defenses and recovery plans against ransomware.

LOOKING AHEAD

Critical infrastructure across the country has been overwhelmed by the influx of ransomware and data breaches. Looking at the data projections for the coming years reveals that these intrusions will continue to grow at an alarming rate. While legislation develops to address the current cybersecurity gaps, sectors like healthcare and utilities must actively take initiative to address system weaknesses and make it more difficult for cybercriminals to infiltrate. Investing in the necessary changes and updates is crucial for U.S. critical infrastructure organizations before their individual institutions become the next target. Now more than ever is the time to modernize infrastructure, get ahead of cyber requirements and build resilience against the threat landscape.


Learn about steps to address these cybersecurity concerns whether in healthcare and utilities or across all sectors in our Ransomware Security Strategies Blog. Find our full Ransomware Series here.


Resources

[1] “FACT SHEET: Biden-⁠Harris Administration Delivers on Strengthening America’s Cybersecurity,” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/11/fact-sheet-biden-harris-administration-delivers-on-strengthening-americas-cybersecurity/

[2] “Healthcare data breach costs reach record high at $10M per attack: IBM report,” Fierce Healthcare, https://www.fiercehealthcare.com/health-tech/healthcare-data-breach-costs-reach-record-high-10m-attack-ibm-report

[3] “Ransomware attacks on hospitals could soon surge, FBI warns,” CNET, https://www.cnet.com/news/privacy/fbi-warns-imminent-wave-of-ransomware-attacks-hitting-hospitals/

[4] “Ransomware 101 For Healthcare,” Forbes, https://www.forbes.com/sites/forbestechcouncil/2022/08/16/ransomware-101-for-healthcare/?sh=3bb3ca785b86

[5] “The pandemic revealed the health risks of hospital ransomware attacks,” The Verge, https://www.theverge.com/2021/8/19/22632378/pandemic-ransomware-health-risks

[7] “Ransomware in healthcare: it’s a matter of life and death,” NTT, https://services.global.ntt/en-us/insights/blog/ransomware-in-healthcare

[8] “Everything You Need to Know About Ransomware,” Ransomware.org, https://ransomware.org/

[9] “Ransomware Attacks in the Energy Industry,” CDW, https://www.cdw.com/content/cdw/en/articles/security/ransomware-attacks-energy-industry.html

[11] “The Critical Need to Protect Critical Infrastructure: Spotlight on Utilities,” Spy Cloud, https://spycloud.com/protect-critical-infrastructure-utilities-ransomware-ato/

[12] “How Utilities Can Reduce the Risk of Ransomware Attacks,” Energy Central, https://energycentral.com/c/pip/how-utilities-can-reduce-risk-ransomware-attacks

[13] “Ransomware Hits U.S. Electric Utility,” Trend Micro, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-hits-u-s-electric-utility

[14a] “NIST Releases Cybersecurity Framework Version 1.0,” NIST, https://www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framework-version-10#:~:text=In%20February%202013%2C%20President%20Obama,help%20organizations%20manage%20cyber%20risks

[14b] “What Does the New American’s Water Infrastructure Act (AWAI) of 2018 Mean to You?” Crawford, Murphy & Tilly, Inc., https://www.cmtengr.com/2019/08/20/americans-water-infrastructure-act/

[15] “How energy and utility companies can recover from ransomware and other disasters using infrastructure as code on AWS,” AWS, https://aws.amazon.com/blogs/industries/how-energy-and-utility-companies-can-recover-from-ransomware-and-other-disasters-using-iac-on-aws/

[16] “Ransomware and Energy and Utilities,” AT&T Business, https://cybersecurity.att.com/blogs/security-essentials/ransomware-and-energy-and-utilities

[17] “White House Official: EPA to Issue Cybersecurity Rule for Water Facilities,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/epa-issue-cybersecurity-rule-water-facilities-white-house-official/375098/

Infographic Resources:

[6] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[10] “Looking Back at the Colonial Pipeline Ransomware Incident,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/looking-back-at-the-colonial-pipeline-ransomware-incident

“The 2021 Ransomware Risk Pulse: Energy Sector,” Black Kite, https://blackkite.com/wp-content/uploads/2021/09/The-2021-Ransomware-Risk-Pulse-_-Energy-Sector.pdf