A ransomware attack that forced the shutdown of the Colonial Pipeline, which carries nearly half of the US East Coast's fuel, has exposed the nation's weakness when it comes to critical infrastructure. The incident has many Americans asking whether their fuel, water, and electricity are safe from cyberattacks. For years before this event, experts had repeatedly answered that question with a resounding "No".
So what is the federal government's role in securing critical infrastructure, and what can President Joe Biden in particular do about it? What actions can and will he take to protect US critical infrastructure?
So far, the Biden administration has…
- Issued an executive order setting baseline software security and incident-reporting standards for federal agencies and the vendors that sell them software
- Started a 100-day plan to assess and address cybersecurity risks to the US electric system
- Launched three research programs to develop new safeguards against physical and cyber threats to the energy sector
- Taken legal action against hackers
Until now, cybersecurity standards for critical infrastructure have been lax and largely set by the private utility companies themselves. Cybersecurity experts have cited the need for stronger security for years, but their calls to action have largely been ignored.
Will Biden’s actions be enough to spur critical infrastructure companies to secure their software and networks from attack? We’ll discuss his plans in detail.
Executive order
Biden's executive order sets security standards for federal agencies and for the contractors that develop software for them; many of the same vendors also supply critical energy infrastructure, which is how the standards are expected to reach the energy sector.
Multi-factor authentication and encryption of data at rest and in transit become mandatory for federal agency systems. Vendor access to the systems they support is to be granted only where strictly necessary. Vendors' own software supply chains also come under scrutiny so that compromised components do not reach government systems, and vendors must report vulnerabilities and incidents rather than sit on them.
The order also removes contractual barriers that have kept IT service providers from sharing breach and threat information with federal agencies, including CISA, the FBI, and intelligence agencies such as the NSA, and encourages sharing in both directions. Some early reports suggested the order might also loosen restrictions that prevent the NSA from monitoring networks on US soil, but the order itself grants no such authority.
The executive order provides penalties for vendors that fail to comply, up to and including removal of their software from federal procurement.
The order creates a standard playbook for responding to cyber incidents. Although only federal agencies are required to follow it, private companies can use the playbook as a template.
Lastly, the order establishes a Cyber Safety Review Board, modeled on the National Transportation Safety Board, to investigate major incidents.
Critics point out that while these measures might thwart less sophisticated cyberattacks against poorly secured systems, they would probably do little to stop well-resourced nation-state adversaries.
100-day plan
Biden's 100-day plan focuses mainly on electric utilities. The initiative seeks to enhance the cybersecurity of industrial control systems (ICS) and of the electric grid supply chain. It is a coordinated effort by the Department of Energy, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA).
The aim is to modernize ICS defenses against cyberattacks. The plan also:
- Encourages electric companies to implement or improve detection, mitigation, and forensic capabilities
- Includes concrete milestones over 100 days for electric companies to deploy near-real-time situational monitoring and response capabilities in critical ICS and their networks
- Reinforces and enhances the cybersecurity posture of critical infrastructure information technology networks
- Includes a voluntary industry effort to deploy technologies that increase visibility of threats inside ICS
Additionally, the initiative seeks input from industry experts on how best to secure ICS and the energy supply chain.
Research programs
The Department of Energy, under the Biden administration, launched three new research programs intended to address “potential global supply chain security vulnerabilities, protecting critical infrastructure from electromagnetic and geomagnetic interference, and building a research and talent pipeline for next-generation cybersecurity.”
- The first program tests third-party hardware and software components used by energy sector partners for security weaknesses. This testing is meant to identify and fix vulnerabilities in industrial control systems before bad actors can exploit them.
- Electromagnetic pulses (EMPs) and geomagnetic disturbances (GMDs) might sound like attacks out of science fiction, but those are exactly the sort of threats the second research program addresses. Nine pilot projects are underway, according to the DOE. This research will help develop methods to protect and mitigate impacts on energy infrastructure.
- The DOE plans to work with US universities to develop new cyber defense technologies and foster a pipeline to train the next generation of cybersecurity experts in the energy sector. New funding opportunities for university-industry partnerships are planned in the coming weeks as of time of writing.
Going after hackers
The Biden administration takes legal action against the cybercriminals it can identify. The US Justice Department regularly indicts state-backed and criminal hackers in other countries, including Russia, China, Iran, and North Korea.
Unfortunately, only a small fraction of cybercriminals are ever identified, and even fewer are brought to trial in the USA, since the countries involved rarely extradite their citizens. Instead, the US may impose sanctions or travel visa restrictions, but the effectiveness of these measures is questionable.
The Biden administration hopes to push hacker havens like Russia into prosecuting cybercriminals, though this seems unlikely given the current geopolitical climate.
Lastly, the Biden administration wants international law enforcement to hold cryptocurrency exchanges to anti-money-laundering (AML) and know-your-customer (KYC) laws. Cybercriminals, particularly ransomware operators, typically demand payment in cryptocurrency. Transactions on public blockchains can be followed on-chain, but tying an address to a real person is difficult or impossible without records from the bank-like exchanges that convert cryptocurrency to fiat currency.
The premise is simple: if you can’t prevent an attack, at least prevent the attacker from reaping the profits.
Courts seem poised to support Biden's push for better oversight and regulation of cryptocurrency. A federal court in California recently authorized the IRS to demand records from the cryptocurrency exchange Kraken on users with large transaction volumes.
Critical infrastructure companies must be on board
Attacks on critical infrastructure have been fairly rare to date, but incidents like the Colonial Pipeline attack and the February 2021 intrusion at the Oldsmar, Florida water treatment plant, where an intruder remotely raised the sodium hydroxide setpoint before an operator reverted it, show just how devastating they could be.
Biden’s plans to protect critical infrastructure are a step in the right direction, but they won’t be a silver bullet by any means. The onus is still largely on private companies to implement good cybersecurity and operational security. Many question whether Biden’s actions will be enough in the face of a coordinated nation-state attack.
More sweeping solutions have been proposed. Some believe the US needs government-run, Cold War-style command-and-control centers to head off incoming attacks. Others propose a cyber defense strategy built on deterrence through retaliation rather than on defensive measures alone.
Biden will have to balance surveillance concerns, costs to businesses, and compliance burdens with the nation’s cybersecurity demands. Given the potential ramifications of another attack, we expect to see the President move quickly on his plans.