When Cybersecurity Becomes a National Security Issue
Critical infrastructures, such as energy, transportation, communication, and healthcare systems, are attractive targets for cybercriminals, because attacks directed at these infrastructures can have serious consequences for the continuity of operations, security, the economy, and societal well-being. It is not just the infrastructures that are at risk but also public health. Hence, it is urgent that industries and governments deploy comprehensive technological strategies to protect themselves. Earlier this year, Christopher Wray, director of the Federal Bureau of Investigation (FBI), referred to these attacks, saying that "cyber threats to our critical infrastructure represent real-world threats to our physical safety." Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), echoed that sentiment, stating, "cybersecurity is national security."
It is a reality, both in Mexico and worldwide, that everything is increasingly interconnected. This interconnection makes critical infrastructures closely interrelated, and a cyberattack on one can cause chain effects, spreading to other areas and generating a far-reaching systemic impact.
In January, news broke that the United States disrupted attempts by China to plant malware within critical US infrastructure systems, including water treatment plants. Cyberattacks against water systems can cause significant health effects, render property uninhabitable, and displace entire communities. The director of the FBI issued a strong warning about the threat that the US government received from Chinese cybercriminals, who are rumored to be intensifying their efforts to damage critical infrastructure, with water treatment plants, power plants, and oil and natural gas pipelines as primary objectives, thus raising concerns for the nation's security and stability.
Previously, one of the most notorious cases was the Municipal Water Authority in Aliquippa, Pennsylvania, in the United States, which was the target of exploitation of programmable logic controllers (PLCs), devices that are common in the wastewater sector. Exploitation of PLCs and similar Operational Technology (OT) systems is not new, but these attacks leveraged direct internet accessibility, allowing control system assets to be accessed remotely.
When PLCs are compromised, infiltrators can take control of motor and pump functions and manipulate chemical settings, with effects on water quality and safety that are either immediate or scheduled to cause disruptions in the future.
In Mexico, one of the most notorious cyberattacks on critical infrastructure was the attack against PEMEX in 2019. Cybercriminals compromised 5% of the institution's computing equipment, stealing information from 1,816 computers and demanding a US$4.9 million ransom. While OT has always been integral to sectors like utilities and manufacturing, previously considered safe from cyberattacks due to "air-gaps," the convergence of Information Technology (IT) and OT has changed the landscape.
It is common for software-based systems to be operational and left unattended for extended periods, sometimes up to 10 years. This situation has led to OT systems not being integrated into standard processes of periodic software updates, vulnerability assessments, and risk mitigation practices.
However, with the convergence of IT and OT in today's facilities, these devices are connected to the internet, no longer isolated, and exposed to threats such as the exploitation of known but unpatched vulnerabilities and the deployment of ransomware. The expanding complexity of the modern attack surface, including multiple cloud systems, numerous identity and privilege management tools, web-facing assets, and OT and Internet of Things (IoT) systems, makes reducing exposure more challenging.
In many cases, the lack of efficient integration between IT and OT teams presents additional cybersecurity challenges. OT systems have yet to advance their security posture to match their IT counterparts. Moreover, IT and OT systems have their own goals, priorities, performance requirements, purposes, and life cycles.
Action must be taken to reduce cyber risk, as safeguarding critical infrastructure is a fundamental task. Any disruption in its operation can trigger devastating economic and social consequences.
Many vital operating environments lack the formal, systemic approach to risk assessment and the continuous visibility needed to protect critical services and high-value targets. Defense involves not only a detailed understanding of the network but also maintaining operational integrity and protecting against a wide range of vulnerabilities.
Organizations and governments must address deeply entrenched people, process, and technology issues within both IT and OT.
Now, what can be done to protect an OT environment? Several key elements need to be taken into account:
1. Assessing security solutions for OT assets is crucial. This involves evaluating network and device security, ensuring visibility, protection against attacks, and control of the OT environment.
2. Maintaining detailed business visibility is essential. It requires keeping an up-to-date asset inventory to monitor the OT environment, including data such as user logins, firmware versions, and open ports.
3. Detecting blind spots involves identifying unsecured devices and their geographic location to prevent unauthorized access. This is achieved through detection mechanisms integrated into industrial controllers.
4. Protecting against malicious behavior and human error includes preventing unauthorized access to control devices through physical connection. Implementing measures to mitigate risks associated with human errors is equally important.
5. Improving efficiency in incident response entails contextualizing alerts with additional information obtained automatically from relevant devices. This allows for a faster mitigation of detected risks.
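Elements 2 and 3 above (an up-to-date asset inventory with firmware versions and open ports, and detection of blind spots) can be turned into a concrete, repeatable check. The following is an added example, not code from the original article or its author: it reconciles a constructed OT asset inventory against a constructed list of device identifiers observed on the network, and flags three conditions a defender would want to see in a report: devices on the network that nobody has inventoried, industrial protocol ports (Modbus/TCP on 502, DNP3 on 20000 are the well-known assignments) on internet-exposed devices, and firmware below a site baseline. The device models, firmware baselines, asset identifiers and observations are all hypothetical sample data.

```python
"""Added example: reconcile an OT asset inventory with what is actually
observed on the network, and report blind spots and exposures.
All models, baselines, assets and observations here are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed baseline: minimum acceptable firmware per (hypothetical) device model.
MIN_FIRMWARE = {"plc-x100": (2, 4, 0), "rtu-z7": (1, 9, 2)}

# Well-known industrial protocol ports that should never be reachable from the internet.
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


@dataclass
class Asset:
    asset_id: str
    model: str
    firmware: str
    site: str
    open_ports: set[int] = field(default_factory=set)
    internet_exposed: bool = False


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_blind_spots(inventory: dict[str, Asset], observed_ids: set[str]) -> set[str]:
    """Devices seen on the network but missing from the inventory (element 3)."""
    return observed_ids - set(inventory)


def find_exposures(inventory: dict[str, Asset]) -> list[tuple[str, str]]:
    """Per-asset findings derived from inventory data alone (element 2)."""
    findings: list[tuple[str, str]] = []
    for asset in inventory.values():
        if asset.internet_exposed:
            for port in sorted(asset.open_ports & set(INDUSTRIAL_PORTS)):
                findings.append((asset.asset_id,
                                 f"{INDUSTRIAL_PORTS[port]} (port {port}) reachable from the internet"))
        minimum = MIN_FIRMWARE.get(asset.model)
        if minimum is not None and parse_version(asset.firmware) < minimum:
            baseline = ".".join(str(n) for n in minimum)
            findings.append((asset.asset_id,
                             f"firmware {asset.firmware} below baseline {baseline}"))
    return findings


def sample_inventory() -> dict[str, Asset]:
    """Constructed inventory records (hypothetical sites and devices)."""
    assets = [
        Asset("plc-01", "plc-x100", "2.3.1", "pump station A", {502, 80}, internet_exposed=True),
        Asset("plc-02", "plc-x100", "2.4.0", "pump station B", {502}),
        Asset("rtu-01", "rtu-z7", "1.9.2", "reservoir intake", {20000}, internet_exposed=True),
    ]
    return {a.asset_id: a for a in assets}


# Constructed: identifiers seen by passive network monitoring, including one
# device ("hmi-07") that nobody recorded in the inventory.
SAMPLE_OBSERVED = {"plc-01", "plc-02", "rtu-01", "hmi-07"}


def report(inventory: dict[str, Asset], observed_ids: set[str]) -> dict:
    """Consolidated view suitable for a decision-maker: what is unknown, what is exposed."""
    return {
        "blind_spots": sorted(find_blind_spots(inventory, observed_ids)),
        "exposures": find_exposures(inventory),
    }


if __name__ == "__main__":
    result = report(sample_inventory(), SAMPLE_OBSERVED)
    print("Unknown devices on the network:", result["blind_spots"])
    for asset_id, message in result["exposures"]:
        print(f"{asset_id}: {message}")
```

In practice the inventory would come from an asset-management system and the observed identifiers from passive monitoring on the control network; the value of the check is that it runs on every refresh, so a device that appears without being inventoried, or a port that becomes internet-reachable, surfaces as a finding rather than waiting for a manual audit.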
It is essential that cybersecurity experts provide up-to-date information on attack trends and defensive measures, so that governments can make informed decisions about attack prevention.
In short, now more than ever, OT systems require specialized solutions to maintain their security and reliability. It is also necessary to constantly evaluate every part of the system in converged environments, including IT, OT, IoT, and cloud, to ensure comprehensive protection against cyberthreats. Modern exposure management platforms can provide a global measurement of risk, facilitating the communication of consolidated reports to decision-makers in companies and organizations. Only in this way can the risks threatening the industries and governments tasked with safeguarding the well-being of their population be effectively addressed.
By Francisco Ramirez de Arellano | Senior Vice President for Latin America and Caribbean -
Fri, 03/15/2024 - 12:00