Why Infrastructure Needs Better Cybersecurity

Posted by Infra on Wednesday, May 30th, 2018

Written by Devin Morrissey

Data breaches are no longer novel threats to security; instead they are a constant reality for individuals and corporations alike. The most common types of data hacks are those related to consumer behavior. Indeed, from scams that target small businesses to the largest data breaches to date, businesses are constantly targeted.

Infrastructure is also highly vulnerable to cybersecurity threats, and state and federal governments would do well to recognize the importance of strong data security.

Dr. Tahereh Daneshi writes for DeVry University, “73 percent of Americans have been victims of cyber crime.”

We would like to believe that websites hosting government infrastructure use security measures that can stand up to cybersecurity threats. Unfortunately, not only are the measures often laughably lax, they are sometimes nonexistent. If large retailers are rating above government in terms of cybersecurity — and they are — then we can only expect that 73 percent to continue to climb.

The Threats that Lurk

When hackers target financial institutions or retail organizations, it’s easy to understand the nature of the information that draws them in: sensitive personal information that can be utilized easily for monetary gain.

According to data recovery expert Jennifer Duits, “Cyber espionage is defined as the use of computer networks to gain illicit access to confidential information. This information is typically held by a business or government agency.”

Often, when government sites are the victims of cyberespionage, the end goal is to work up the food chain. Local government sites, often lacking the best protection, are typically connected to state sites or other large systems. Thus, they act as an entry point to gather invaluable information.

Notable cybersecurity breaches of government networks include:

  • Texas State: In 2011, a Texas state computer server was breached, compromising 3.5 million Social Security numbers and birth dates. At the time, it was one of the largest government hacks recorded.
  • National Archives and Records Administration: A malfunctioning hard drive was sent off premises in 2009 to the IT contractor GMRI. On it was the personal information of 76 million service members, and those records were stolen because the NARA failed to wipe the drive before sending it on its way.
  • U.S. Voter Database: The largest recorded government data breach transpired in 2015 when the information of 191 million individuals was exposed on the open internet. Reuters writes that it was because of “an incorrectly configured database.”

The Nature of Cybersecurity in Infrastructure

Some hackers purposely target government infrastructure.

Last year North Korea reportedly hacked a U.S.-based energy company, one of several targeted in an information-collecting effort.

Chris Bing writes for CyberScoop, “Compromised computers were disconnected from the firm’s industrial control systems — typically used in manufacturing plants or throughout the electrical grid to serve power to customers. The hacking operation was likely only focused on reconnaissance and to gain a preliminary foothold inside a shortlist of important American critical infrastructure companies.”

While information gathering was the assumed motive, one can’t help but recognize the threat that hackers could potentially pose to American power. A widespread blackout could have a detrimental impact.

Similarly, in March, Russian hackers targeted both the U.S. power grid and aviation network.

According to Jennifer A. Dlouhy and Michael Riley for Bloomberg, the hackers were “Conducting a broad assault on the U.S. electric grid, water processing plants, air transportation facilities and other targets in rolling attacks on some of the country’s most sensitive infrastructure.” They go on to report that the attacks happen hundreds of times a day.

Indeed, a government alert noted that “government entities and multiple U.S. critical infrastructure sectors” were targeted. It’s certainly not the first time, and it will probably not be the last time.

The unfortunate truth is that surveying the history of data breaches exposes the fact that much of the information has been compromised because professionals haven’t applied the core elements of a strong cybersecurity protocol. For infrastructure to remain safe, organizations and individuals within the field must be educated and apply the correct processes to ensure that accidental leaks become a thing of the past.

When Lily Hay Newman outlined for Wired recent findings on the failures of government cybersecurity she wrote, “The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT.”

Infrastructure websites are often low-hanging fruit for hackers because they house sensitive information, but they use weak cybersecurity as defense.

The Right Cybersecurity for Infrastructure

There are some key components that the infrastructure industry must pay attention to if it is going to turn the tide of data breaches. Websites need to focus on two primary things:

  • Education: The most important thing for a site’s ability to remain safe is the knowledge and education that the employees associated with the site have. If those employees lack the tools to understand how hackers work and what real cybersecurity looks like, the issue will never be resolved.
  • Software: Government infrastructure must make the appropriate commitment to ensuring that all devices and software are constantly updated with the most current, relevant form of software to ensure that hackers can’t gain access to systems via loopholes. Just as infrastructure employees need intellectual tools, they need the right technology as well. Informed employees with no means of applying what they know are useless to an organization’s security efforts.

Both the education and the software connected to cybersecurity point to a central theme of authentication: Compromised passwords are a primary means of attaining sensitive information.

According to Michael Chertoff and Jeremy Grant for the Harvard Business Review, “In response to the increased frequency of authentication-based cyber attacks, governments around the world are pursuing policies focused on driving the adoption of multi-factor authentication (MFA) solutions that can prevent password-based attacks and better protect critical data and systems.”

Ideally, as infrastructure leaders acknowledge the need for increased cybersecurity, they will make the necessary changes to prevent criminals from accessing stolen information.

Infrastructure and Cybersecurity Legislation

In late 2017, the House passed a bill written by Homeland Security Committee Chairman Michael McCaul. The bill essentially asks that a portion of the Department of Homeland Security be restructured into the Cybersecurity and Infrastructure Security Agency (CISA).

According to McCaul, “With the advancement of technology and our increased dependence on computer networks, nation states, hackers, and cybercriminals are finding new ways to attack our cyber infrastructure and expose vulnerabilities. This realignment will achieve DHS’s goal of creating a standalone operational organization, focusing on and elevating its vital cybersecurity and infrastructure security missions to strengthen the security of digital America and our nation’s critical infrastructure.”

Of course, both legislative bodies of Congress and the President must approve the bill before the President would be able to sign it into law. But, it is a step in the right direction.

It would be unwise for security and infrastructure leaders alike to fail to recognize that the only way to combat the growing cybersecurity risk is to meet it head-on with better policies and tactics at every level of government.

While an ironclad security system for websites and the information they store is not currently available, there are absolutely steps that can be taken so that there is less risk and more certainty of safety across the board.

Devin Morrissey is a freelance content creator, and he prides himself on being a jack of all trades. His career trajectory is more a zigzag than an obvious trend, just the way he likes it. He pops up across the Pacific Northwest, though never in one place for long. You can follow him more reliably on Twitter.
