Critical Infrastructure Organizations Warned to Upgrade Systems and Software
In one of the most clear-eyed and sobering assessments of the cyberthreat China poses to our nation’s critical infrastructure, the country’s foremost cybersecurity leaders recently testified that the Chinese Communist Party (CCP) has the ability to wreak nationwide havoc on our critical infrastructure should it so decide. At a January 31, 2024 hearing held by the House Select Committee on the CCP, Federal Bureau of Investigation (FBI) Director Christopher Wray, Cybersecurity and Infrastructure Security Agency (CISA) Director Jennifer Easterly, Office of the National Cyber Director (ONCD) Director Harry Coker and the Commander of U.S. Cyber Command, General Paul Nakasone, each painted a bleak picture of China’s intent and capability to harm the homeland.
Committee Chairman Mike Gallagher (R-WI) opened the hearing asserting, “In the past few years our intelligence and cybersecurity agencies have discovered that the CCP has hacked into American critical infrastructure for the sole purpose of disabling and destroying our critical infrastructure in the event of a conflict.” Arguing that the U.S. and China are in a competition for global dominance, Director Wray stated, “The CCP’s dangerous actions—China’s multi-pronged assault on our national and economic security—make it the defining threat of our generation.”
Director Easterly warned that China will strike “through the disruption of our pipelines, the severing of our communications, the pollution of our water facilities, the crippling of our transportation modes, all to ensure that they can incite societal panic and chaos and deter our ability to marshal military might and civilian will. The threat is not theoretical.” She pointed out that Chinese cyber actors no longer conduct cyber operations just to gather intelligence or steal intellectual property but have evolved into “burrowing deep into our critical infrastructure to enable destructive attacks.”
Moreover, the CISA Director warned that the leaders of the private entities that make up much of the nation’s critical infrastructure need to “double down on resilience and expect an attack.” Easterly further admonished, “Every CEO, every business leader and every board member of a critical infrastructure company needs to recognize that cyber risk is business risk.”
Declaring that “cybersecurity is national security,” Easterly suggested that critical infrastructure entities get to know their local CISA offices and avail themselves of the free cybersecurity services they provide. For critical areas of infrastructure including water treatment plants, energy sources, ports and transportation systems, the response to the cyber threat is to identify vulnerabilities, enforce system and vendor obligations and upgrade operational and information technology systems and software. “The truth is, Chinese cyber actors have taken advantage of the very basic flaws in our technology. We’ve made it easy on them.” To make it less easy, critical infrastructure operators can:
Identify Vulnerabilities. For some time, CISA has recommended vulnerability scanning and publishes a Known Exploited Vulnerabilities (KEV) Catalog. The first step may be a third-party forensic and vulnerability investigation.
Enforce System and Vendor Obligations. For critical infrastructure organizations, many systems and software are governed by vendor-supplied agreements with limited obligations, and by technical and functional specifications that fall out of date on a rolling basis and fail to address key information security concerns. A review of vendor and supplier agreements should include:
- Up-to-date information security requirements;
- Periodic third-party assessments and reporting;
- Service Level Agreements that impact both operational uptime and system integrity; and
- Protections for organization data and access, and measures to ensure effective compliance with contract information security requirements.
System and Software Upgrades. Where the organization has determined that software or a system must be upgraded, the solution might include software improvements and patches or procuring a replacement system.
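The first and third steps above (identify vulnerabilities; decide what to patch or replace) can be started with a simple cross-check of an asset inventory against CISA's KEV catalog, which lists the vulnerabilities known to be exploited in the wild, each with a remediation due date. The script below is an added example and is not code from the article or from CISA. Its record fields (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) mirror the real KEV JSON feed, but every record and inventory entry shown is constructed sample data with placeholder CVE identifiers; the matching and ranking logic is the author's assumption about a reasonable first pass, not an official CISA procedure.

```python
"""Cross-check a software/asset inventory against CISA's Known Exploited
Vulnerabilities (KEV) catalog and rank the hits for remediation.

Added example, not from the original article. Field names follow the
real KEV feed, but all records below are CONSTRUCTED sample data with
placeholder CVE IDs (CVE-0000-0000x are not real vulnerabilities).
"""
import json
import urllib.request
from datetime import date

# Location of the live feed (real URL); used only if fetch_live_kev() is called.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed (placeholder CVE IDs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "KEV catalog (constructed sample, not real entries)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "HistorianServer",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "HMIStudio",
         "dateAdded": "2024-02-05", "dueDate": "2024-02-26",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "EdgeGateway",
         "dateAdded": "2024-02-12", "dueDate": "2024-03-04",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: what the operator actually runs (hypothetical names).
SAMPLE_INVENTORY = [
    {"asset": "plant-historian-01", "vendor": "ExampleVendor", "product": "HistorianServer"},
    {"asset": "ops-workstation-07", "vendor": "Example Vendor", "product": "HMI Studio"},
    {"asset": "pump-plc-03", "vendor": "ThirdVendor", "product": "PumpController"},
]


def normalize(name):
    """Case- and punctuation-insensitive key so 'HMI Studio' matches 'HMIStudio'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def load_kev(text):
    """Parse KEV-shaped JSON and return the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def fetch_live_kev(url=KEV_URL, timeout=30):
    """Download the real feed (network access required; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def match_inventory(inventory, kev_entries, today):
    """Return one finding per (asset, KEV entry) pair whose vendor and product match.

    Findings are sorted for triage: past-due entries first, then entries with
    known ransomware use, then earliest due date.  KEV carries no version data,
    so a match means 'this product family is on the list', to be confirmed
    against installed versions by a version-aware scanner or the vendor advisory.
    """
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if (normalize(asset["vendor"]) == normalize(entry["vendorProject"])
                    and normalize(asset["product"]) == normalize(entry["product"])):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "asset": asset["asset"],
                    "cve": entry["cveID"],
                    "due_date": entry["dueDate"],
                    "overdue": today > due,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                    "required_action": entry["requiredAction"],
                })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due_date"]))
    return findings


def run_sample(today=date(2024, 2, 20)):
    """Run the cross-check on the constructed data as of a fixed date."""
    return match_inventory(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), today)


if __name__ == "__main__":
    for f in run_sample():
        flag = "OVERDUE" if f["overdue"] else "due " + f["due_date"]
        print(f"{f['asset']:20} {f['cve']:15} {flag:16} ransomware={f['ransomware']}  {f['required_action']}")
```

Two design points worth noting. KEV entries identify a vendor and product but not affected versions, so the script deliberately reports product-family matches for a human or a version-aware scanner to confirm rather than declaring an asset vulnerable. The sort order puts the catalog's own signals first (the federal remediation due date has passed, or the entry is tied to ransomware campaigns), which is a defensible starting point for the "patch or replace" decision in the third step when hundreds of assets are involved.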
In an effort to address these challenges, Section 1517 of the 2024 National Defense Authorization Act (NDAA) directs the Secretary of Defense to create a pilot program to assess “how to prioritize restoration of power, water, and telecommunications” for military installations “in the event of a significant cyberattack on regional critical infrastructure that has similar impacts on State and local infrastructure.”
On a state-by-state basis, several states have ongoing initiatives to provide funding for the necessary system and software improvements to protect critical infrastructure. In 2024, for example, California introduced new bills that would increase cybersecurity funding, AB1812 and SB917.
By understanding the threats, taking them seriously and effectively upgrading or replacing systems and software, owners/operators of critical infrastructure can defend against the looming cyberthreats from the PRC and increasing threats from hackers worldwide.