New tech—and new mindsets—can thwart cyberattacks on critical infrastructure

If there were an intensive care unit for infrastructure, it would be packed with victims of cyberattacks. In 2021, the Colonial Pipeline oil pipeline system, JBS meat-processing company, and New York’s Metropolitan Transportation Authority (MTA) have all fallen prey to ransomware attacks, in which cybercriminals installed surreptitious software and held computer systems hostage, demanding hefty ransoms.

But ransomware is only one weapon in a growing arsenal for potential cyberattacks on critical infrastructure, wherein malicious hackers attack the networked systems of physical assets. Even more concerning than attacks for profit motives are attacks intended to cause harm.

In February 2021, for example, hackers penetrated the systems of a water-treatment plant in Oldsmar, FL, where they attempted to poison the local water supply. Specifically, they hijacked the software that controls chemical additives and used it to increase the amount of lye—the main ingredient in liquid drain cleaners—to 100 times its normal level. Although the attack was detected and corrected before the water supply was tainted, the consequences could have been dire.

“I believe the next Pearl Harbor, the next 9/11 will be cyber,” said Sen. Angus King, testifying at a July US Senate hearing addressing cybersecurity vulnerabilities in infrastructure.

Because cybersecurity breaches can go unnoticed and are often unreported, it’s difficult to assess the true size of the problem. Still, the picture isn’t pretty. Cybersecurity firm Deep Instinct claims there are “hundreds of millions” of attempted cyberattacks every day. The company reportedin a recent study that in 2020 alone, there was a 358% increase in general malware and a 435% increase in ransomware.

“The problem is not limited to the sheer volume of attacks,” says Deep Instinct CEO Guy Caspi. “Our study shows that the sophistication of attacks has grown with advanced evasive tactics that make detection much more difficult.”

For cyberattacks on critical infrastructure, the best way to counteract increased sophistication is increased innovation, according to Si Katara, co-founder and president of HeadLight, a provider of photo-based infrastructure-inspection technology.

“The threats occurring in the world today are growing in an exponential way,” Katara says. “To find the antidote, we have to move the ball forward with security in a way that keeps pace with—and hopefully outpaces—the speed at which those threats are evolving. If we don’t accelerate innovation around security, it will be to our peril.”

Because cybersecurity is a digital problem, it requires digital solutions. But technology alone won’t stifle cybercriminals who have infrastructure in their crosshairs. What’s needed, experts argue, is a 360-degree approach to innovation that marries new tools with people, processes, and perspectives.

To protect their assets, owners and operators of critical infrastructure must first understand what makes them so vulnerable in the first place.

It starts with their intrinsic value as targets. Infrastructure is essential—from roads and bridges to power plants and water utilities—which means there are significant consequences if they go offline. With economies and even lives hanging in the balance, criminals assume that desperate stewards will pay large sums to protect vital assets. And, often, they do.

And so, legacy systems, largely not designed with cybersecurity in mind, endure. “The problem with these old, monolithic legacy systems is that they’re difficult to modernize,” Katara says. “If you want to update a piece of it, you have to redeploy the whole thing. So these monolithic systems get updated with duct tape and Band-Aids. But as time goes on, the ratio between the original system and duct tape flips, and, eventually, you end up with more duct tape than original system, which creates weak points. Along comes a modern cyberattack that hits you right in those weak points, and down goes the entire monolith.”

The solution is a modular instead of monolithic approach to technology, according to Katara, whose HeadLight visual-based inspection technology is cloud-based and open-architected so it can communicate with legacy systems without being dependent on them. “That makes it a lot easier to isolate and update components to keep things working smoothly,” he says. “When there’s a new innovation, you don’t have to tear out the whole monolith. You can simply take out a single piece and plug in the new component.”

This is especially valuable from a security standpoint. When one of HeadLight’s customers was the victim of a cyberattack, its legacy systems were forced offline for four to six weeks. Meanwhile, projects using HeadLight continued unscathed.

“Because it functioned independently, HeadLight was unaffected by the cyberattack that occurred,” Katara says. “And as soon as the IT team was able to restore its legacy systems, all the data and information HeadLight had collected and stored was able to be synced back up with those systems securely.”

Modular architecture is one example of innovation in infrastructure security. Another is intrusion detection, according to cybersecurity researcher Kevin Heaslip, a professor of civil and environmental engineering at Virginia Tech.

Heaslip says intrusion detection represents an innovation in thinking—approaching a common problem from a fresh perspective. In this case, that means pivoting from a posture of stopping cyberattacks to a posture of managing them.

“We have to stop thinking that cyber systems can ever be secured completely,” Heaslip says. “The term that’s being used for that is ‘zero trust.’ We have to assume that at some point people are going to be able to penetrate our systems. And if that’s the case, maybe we should be thinking less about stopping hackers and more about how to detect when they’re coming in and what changes they’re making to systems while they’re there.”

To that end, Heaslip’s current research focuses on using 3D modeling to create digital twins of cyber-physical systems and machine learning to map those systems for change detection.

“If an attacker has a better understanding of your system than you do, then you’re not going to be able to defend yourself,” he says. “We’re using machine learning to build a baseline for how the system operates when there aren’t attacks against it so we can detect changes when there are.”

Specifically, Heaslip is working with the US Department of Energy to secure the charging systems for electric vehicles. “We’re modeling the vehicle, the charger, the grid, and the interactions between those three systems to understand where the attack vectors could be,” he says. “We’re most worried about an attack that starts in a vehicle or charger, then propagates through the grid to disrupt the power throughout an entire region.”

Eventually, the goal is to create self-healing systems that can detect intrusions and then execute automated mitigations and repairs. “There are billions of probes and attacks that happen every day on our networks, and we don’t have enough skilled people to be able to respond to each of them,” Heaslip says. “So in the long-term, we need to use automated features to combat these attacks.”

Despite its reputation for Luddism and its allegiance to legacy systems, the public sector makes important contributions to cybersecurity innovation, according to Dr. David Mussington, executive assistant director for infrastructure security at the US Cybersecurity and Infrastructure Security Agency (CISA). Although most cybersecurity innovations originate in the private sector, he says government can help catalyze them through collaborative coworking.

“From a critical-infrastructure perspective, there is a public-private partnership for applying and codiscovering solutions,” Mussington says. “We talk to industry directly about the risk concerns they have, and we interactively develop and advocate for solutions aligned with best practices. Those best practices come from industry—from companies that are leaders in their field—but also from places like NIST [National Institute of Standards and Technology], with whom we collaborate to make sure cybersecurity standards are translated into formats and services that industry can use and innovate in.”

Energy infrastructure is different from water infrastructure, which is different from transportation infrastructure. Through CISA and its stakeholder engagement organization, the federal government can be a neutral channel to distribute knowledge across sectors to codify best practices and stimulate new ideas.

“Domain expertise about your business is not the same as domain expertise about cyber risks to your business,” Mussington says. “CISA specializes in cyber-risk awareness—awareness of what tactics, techniques, and procedures adversaries might use to undermine critical infrastructure—and we can use that specialty to reinforce business-risk concerns with overarching operational-risk concerns from the government perspective. And we can do that with a cross-sector perspective.”

A cross-sector perspective is especially valuable in the context of ubiquitous computing. “At CISA, we spend a lot of time thinking about cyber-physical convergence,” Mussington says. “It’s one thing to have a critical system like a car, a bridge, or a tunnel. It’s quite another when you put communications infrastructure inside that physical system. Suddenly, you’ve got much more complexity, with different kinds of risk concerns and prioritization that need to be harmonized. That cyber-physical nexus really hits home with the Internet of Things, where you are propagating computing technologies into a large number of systems that typically were not networked before.”

Failure to recognize the cyber-physical convergence can have disastrous consequences for critical infrastructure, but using it as the basis for innovation can bear tremendous fruit.

“We can actually be more secure and more efficient at the same time,” Katara says. “We just have to let go of the status quo.”