During World War II, the U.S. Army Air Forces twice targeted ball bearing factories in Schweinfurt based on the thesis that disrupting manufacturing operations would have an impact on Germany’s ability to produce many forms of war fighting machinery.
This pattern is playing out today in the cybersecurity world, where an attack on one industry spill has broader ecosystem implications. The Colonial Pipeline cyberattack impacted American Airlines operations in Charlotte Douglas Airport. The Russian NotPetya cyberattack against Ukraine leaked onto the internet, affecting supply chains globally.
At the S4 Conference in 2023, Josh Corman talked on stage about the potential for cascading failures. Cybersecurity and Infrastructure Security Agency’s National Critical Functions were born out of the need to coordinate cybersecurity across critical infrastructure sectors. In his talk, Josh walked through how in order for the healthcare sector to deliver the National Critical Function of “Provide Patient Care,” hospitals need support from several critical infrastructure sectors, including water, energy, transportation and emergency services.
If a critical cyber incident against a single pipeline or shipping company can have pronounced supply chain implications, what would a cyber incident across multiple segments of the economy look like? The implications could be profound.
What’s more vexing is that this is not a new problem. SQL Slammer seized up an estimated one of every 1,000 computers worldwide more than 21 years ago. Unlike the CrowdStrike bug, on which the company was grilled before Congress last week, Slammer was an intentional exploit that had a patch available for over six months. Though there are certainly differences between the two events, software doesn’t care about intentions, motives or geopolitics.
Digital technology has proliferated into every facet of our lives that we rely upon including automobiles, water utilities, power generation and medical devices, with tremendous societal benefits. Research from Claroty’s Team82 demonstrates that insecure code and misconfigurations that have always riddled software exist in technology that can cause impact in the physical world. It is not an overstatement that the implications to national security, economic security and public safety are vast and potentially devastating.
Though the CrowdStrike event caused personal inconveniences and businesses suffered losses, the world has already moved on. However, before we close this brief chapter in our digital history, this is an important moment for reflection and action for businesses and governments alike to prevent a broader and more painful event in the future.
Cyberattacks against cyber-physical systems: a shifting red line
Every single water treatment facility, electric utility, manufacturing plant, and office building — including military bases and hospitals — uses digital equipment to achieve important objectives. These connected devices are called cyber-physical systems, or CPS, and have the ability to gain insight into conditions or actuate changes in the physical world. The reality is that there are billions of tiny computers supporting every aspect of our lives today, with tremendous advantages for society. However, the soft underbelly of this digital society is digital risk, and we’ve seen cybercriminals and nation states leverage the flaws in our digital lives to cause harm.
The first notable attack against CPS was the Stuxnet malware in 2014, that stymied the Iranian nuclear enrichment program by causing the centrifuges to spin wildly out of control — while the gauges suggested everything was running normally. Other incidents have marked the past decade, including Industroyer, the Russian malware that in 2016 took down for an hour part of the energy grid serving the Kiev area in Ukraine; the Iranian attempted attack on Israeli water utilities in 2020; and the Chinese breaches into U.S. critical infrastructure including power and water utilities in 2023.
What is most important regarding some of these incidents — and especially the inadvertent ones such as the CrowdStrike bug — is that cybercriminals and adversarial nation states leverage these as an opportunity to understand the gaps in critical infrastructure resilience, how private and public sector entities respond and the impact to national security, economic security and public safety.
China has started expanding its objectives from espionage to burrowing into U.S. critical infrastructure and military infrastructure, to take out the U.S.’s warfighting capability and sow confusion domestically in case of a conflict. The reality is that the digital infrastructure that provides so many societal benefits is also our digital Achilles’ heel. We should view the creeping line of information technology attacks shifting into CPS and affecting the real world for what it is: a red line that our adversaries will continually cross to accomplish their objectives.
The CrowdStrike bug: keeping perspective while understanding the broader implications
Let’s be clear: The CrowdStrike bug was no more and no less than a mistake coupled with gaps in a quality assurance process. Mistakes happen, even to the best-in-class organizations. However, something has changed in terms of our digital dependence over the past several years. Unlike IT systems, the physical side of a cyber-physical system may be an oil pipeline, a foundry or a patient in a hospital. The physical consequences of failure are broader and more perilous than ever before.
Though the attacks against CPS are infrequent, we need to keep in mind that many of the systems that manage or control them run on the Windows operating systems. In addition to the fact that more than 25% of the 1,181 vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog are based on the Windows operating systems, even more complicating is the necessary culture of change aversion in operational technology, and long technology obsolescence periods of industrial equipment creating greater cyber risk. What if a nation-state directly targeted CPS in the U.S. critical infrastructure in ways that were more difficult to recover from than the CrowdStrike bug?
What can be done?
Despite the high cyber risk associated with many CPS, this insecure infrastructure deployed in asset-intensive enterprises and government facilities will take years to replace. In the meantime, there are three key actions that need to be taken:
- Operationalize compensating controls. With an asset inventory and a clear understanding of known good communication patterns, organizations can make advancements on the implementation of compensating controls such as network segmentation or secure access, limiting the ability of machines or users to connect to these vulnerable systems.
- Expanding secure-by-design into CPS. In April 2023, CISA elevated a known yet critical concept of Secure by Design, which should be expanded and focused around CPS with medical device manufacturers and automation vendors.
- Adopt secure-by-demand programs. CISA recently introduced Secure by Demand, a body of work that provides asset owners recommended questions that should be asked of their software vendors before, during, and after procurement to shape market forces toward the production of more secure software.
Though the adoption of CPS drives innovation and efficiency, the nature of these assets create new forms of risk. If one link of a global supply chain fails, the failure can cascade to other industries and impact critical services. The CrowdStrike incident was not a malicious attack, yet a simple, faulty content update in a ubiquitous cybersecurity tool caused some airlines, emergency services and hospitals to figuratively fall over. Disruption is a real threat to economic and national security, and we must understand the role CPS play in the smooth execution of everyday society.
Grant Geyer is chief strategy officer at industrial cybersecurity firm Claroty Ltd. Previously he was an executive-in-residence at Scale Venture Partners, and also was an executive at RSA and Symantec and served as a military intelligence officer for the U.S. Army. He wrote this article for SiliconANGLE.