Critical Infrastructure, Resiliency, and Cybersecurity - The Convergence is ON
In the pre-pandemic days, when I attended in-person energy and sustainability trade conferences, nearly every presentation about cyberattacks on the electricity grid pointed to the Russian hacking of the Ukrainian grid in December 2015 as the most nefarious case study. The attack hit three regional electrical distribution companies and cut power to roughly 230,000 customers for one to six hours, so the overall damage was not catastrophic. Post-attack forensics suggest, however, that the attackers intended far more disruption: in addition to opening breakers from hijacked operator workstations, they wiped those workstations and overwrote the firmware of serial-to-Ethernet converters in the substations so that the breakers could not be closed again remotely, forcing the utilities back to manual operation.
Over the past year, cyberattacks in the U.S. have raised attention to and awareness of this not-so-"invisible crime":
1) The Colonial Pipeline ransomware attack (May 2021) shut down one of the nation's largest refined-fuel pipelines. The ransomware hit the company's IT and billing systems rather than the pipeline controls, but Colonial shut the pipeline down as a precaution, and it confirmed paying the attackers a $4.4 million ransom for a decryption tool.
2) In the Oldsmar, Florida (Pinellas County) water treatment plant cyberattack (February 2021), an intruder used the plant's remote-access software to raise the sodium hydroxide (lye) dosing setpoint to dangerous levels; an operator saw the change on screen and reverted it before any affected water reached consumers.
3) Municipalities including Atlanta (2018) and Baltimore (2019) have been crippled by targeted ransomware attacks in which a "ransom" is demanded to restore encrypted systems. Neither of those cities paid, but many other victims have.
None of the above is a big surprise to experts in the field. One of my collaborators, Craig Reeds of Forescout Technologies, is a long-time expert in the cybersecurity field. In our discussions, he has highlighted a number of key trends. Many of the attacks on critical infrastructure such as water treatment plants and energy companies target revenue, billing, and payment systems rather than plant operations. Follow the money: that is exactly what ransomware does by disrupting back-office systems, cutting off revenue flow, and jeopardizing the privacy of personally identifiable information (PII). Ransomware is a relatively simple (and profitable) business model for the attacker and is usually easier to pull off than disrupting operating assets. Furthermore, many victims pay the ransom that is demanded, even as the ransom per attack keeps rising.
From my vantage point, resiliency and cybersecurity have usually been treated as separate threats to critical infrastructure; my view is changing, however, and so is that of the U.S. government.
America's Water Infrastructure Act of 2018 (AWIA) requires community water systems serving more than 3,300 people to perform Risk and Resilience Assessments and to develop corresponding Emergency Response Plans, with certification deadlines staggered by system size. EPA guidance and assessment tools supply a framework for this risk assessment. First, facility risk is analyzed across the asset categories named in the Act, including:
a) Physical barriers;
b) Source water;
c) Pipes and constructed conveyances, water collection, and intake;
d) Pretreatment and treatment;
e) Storage and distribution facilities;
f) Electronic, computer, or other automated systems;
g) Monitoring practices;
h) Financial infrastructure;
i) The use, storage, or handling of chemicals;
j) The operation and maintenance of the system.
For each of these categories the assessment considers two major areas: 1) Malevolent Acts; and 2) Natural Hazards. Unsurprisingly, natural hazards are broken out by type of disaster: hurricane, flood, earthquake, tornado, ice storm, and fire. Malevolent acts include physical sabotage and water contamination, but the EPA's baseline list of malevolent acts also names cyberattacks, and it distinguishes attacks on business enterprise systems (billing, customer records) from attacks on process control systems. Excluding cyberattacks from a Risk and Resilience Assessment therefore underestimates resiliency risk. Furthermore, as networked industrial control systems become increasingly prevalent in critical infrastructure, the likelihood of a cyberattack rises and can exceed that of any natural disaster.
The high-profile cyberattacks of the past year, and the significant economic losses that came with them, have caught the attention of Corporate America, which is now taking a hard look at control systems and at strategies to protect those systems from interruption. Unfortunately, competent and qualified cybersecurity experts are in short supply even as technology and attackers grow more sophisticated. Nevertheless, many service and software providers specialize in cybersecurity protection and can assist critical infrastructure operators.
A holistic view of critical infrastructure resiliency is, in my view, the optimum approach to protecting these assets. A starting point for any cybersecurity risk analysis is physical protection: an attacker with physical access to a control room or cabinet can bypass most network defenses. Similarly, most natural disaster risks to a facility take the form of physical disruption. In my view, resiliency risk across cybersecurity and physical hardening of critical infrastructure is converging rapidly. Critical infrastructure like power plants, electric grids, water and wastewater treatment plants, hospitals, and transportation systems will all benefit from an integrated approach to resiliency risk analysis and corresponding mitigation plans, especially as digital industrial control systems become integral to facility operations.